roles/common/: Do the rest of the common configuration.
[distorted-ansible] / roles / common / files / pki / openssl.conf
1 ### -*-conf-*-
2 ###
3 ### OpenSSL configuration for distorted.org.uk CA.
4
5 ###--------------------------------------------------------------------------
6 ### Defaults.
7
8 RANDFILE = /dev/random
9 db_suffix =
10
11 ###--------------------------------------------------------------------------
12 ### Certificate request configuration.
13
14 [req]
15 default_bits = 3072
16 encrypt_key = no
17 default_md = sha256
18 utf8 = yes
19 x509_extensions = ca-extensions
20 distinguished_name = req-dn
21 prompt = yes
22
23 [req-dn]
24
25 countryName = "Country name"
26 countryName_default = "GB"
27 countryName_min = 2
28 countryName_max = 2
29
30 stateOrProvinceName = "State, province, or county"
31 stateOrProvinceName_default = "Cambridgeshire"
32 stateOrProvinceName_max = 64
33
34 localityName = "Locality (e.g., city)"
35 localityName_default = "Cambridge"
36 localityName_max = 64
37
38 organizationName = "Organization"
39 organizationName_default = "distorted.org.uk"
40 organizationName_max = 64
41 organizationalUnitName = "Organizational unit"
42 organizationalUnitName_max = 64
43
44 commonName = "Common name"
45 commonName_max = 64
46
47 emailAddress = "Email address"
48 emailAddress_max = 64
49
50 ###--------------------------------------------------------------------------
51 ### CA configuration.
52
53 [ca]
54 default_ca = distorted-ca
55 preserve = yes
56
57 [distorted-ca]
58 default_days = 1825
59 default_md = sha256
60 unique_subject = no
61 email_in_dn = no
62 private_key = private/ca.key
63 certificate = ca.cert
64 database = state/db$ENV::db_suffix
65 serial = state/serial
66 crlnumber = state/crlnumber
67 default_crl_hours = 28
68 x509_extensions = tls-server-extensions
69 crl_extensions = crl-extensions
70 policy = distorted-policy
71 name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
72 cert_opt = no_header, ext_parse, no_pubkey
73 copy_extensions = copy
74
75 [distorted-policy]
76 countryName = supplied
77 stateOrProvinceName = optional
78 localityName = optional
79 organizationName = supplied
80 organizationalUnitName = optional
81 commonName = supplied
82 emailAddress = optional
83
84 [crl-extensions]
85 issuerAltName = email:ca@distorted.org.uk
86 crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
87
88 [ca-extensions]
89 basicConstraints = critical, CA:TRUE
90 keyUsage = critical, keyCertSign
91 subjectKeyIdentifier = hash
92 subjectAltName = email:ca@distorted.org.uk
93 crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
94
95 [tls-server-extensions]
96 basicConstraints = critical, CA:FALSE
97 keyUsage = critical, digitalSignature, keyEncipherment
98 extendedKeyUsage = serverAuth
99 subjectKeyIdentifier = hash
100 authorityKeyIdentifier = keyid:always, issuer:always
101 issuerAltName = issuer:copy
102 crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
103
104 [tls-client-extensions]
105 basicConstraints = critical, CA:FALSE
106 keyUsage = critical, digitalSignature
107 extendedKeyUsage = clientAuth
108 subjectKeyIdentifier = hash
109 authorityKeyIdentifier = keyid:always,issuer:always
110 issuerAltName = issuer:copy
111 subjectAltName = email:copy
112 crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
113
114 ###----- That's all, folks --------------------------------------------------
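Review bot: The `[ca-extensions]` profile, which `[req]` selects for the self-signed CA certificate, sets `keyUsage = critical, keyCertSign` without `cRLSign`, yet `[distorted-ca]` is configured to issue CRLs (`crlnumber`, `default_crl_hours`, `crl_extensions`) and every end-entity profile advertises a `crlDistributionPoints` URI. A CA certificate whose critical keyUsage omits cRLSign will have its CRLs rejected by RFC 5280-conforming verifiers, including OpenSSL's own CRL checking, so the line should read `keyUsage = critical, keyCertSign, cRLSign`. Separately, `copy_extensions = copy` in `[distorted-ca]` appears to be how subjectAltName reaches server certificates, since `[tls-server-extensions]` does not set one; a comment above that line such as `; request extensions not pinned in the selected profile are copied into the certificate; inspect CSRs before signing` would make the trust boundary explicit. Minor style point: `[tls-client-extensions]` writes `keyid:always,issuer:always` without the space used for the same value in `[tls-server-extensions]`.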