X-Git-Url: https://git.distorted.org.uk/~mdw/distorted-ansible/blobdiff_plain/3f1ea36d39993a86f47ec5658455305d38f08f37..5fc6de272c4e1d6b41a8c24b6ff5116548ac12c5:/roles/common/files/pki/openssl.conf?ds=sidebyside
diff --git a/roles/common/files/pki/openssl.conf b/roles/common/files/pki/openssl.conf
new file mode 100644
index 0000000..1accc80
--- /dev/null
+++ b/roles/common/files/pki/openssl.conf
@@ -0,0 +1,114 @@
+### -*-conf-*-
+###
+### OpenSSL configuration for distorted.org.uk CA.
+
+###--------------------------------------------------------------------------
+### Defaults.
+
+RANDFILE = /dev/random
+db_suffix =
+
+###--------------------------------------------------------------------------
+### Certificate request configuration.
+
+[req]
+default_bits = 3072
+encrypt_key = no
+default_md = sha256
+utf8 = yes
+x509_extensions = ca-extensions
+distinguished_name = req-dn
+prompt = yes
+
+[req-dn]
+
+countryName = "Country name"
+countryName_default = "GB"
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = "State, province, or county"
+stateOrProvinceName_default = "Cambridgeshire"
+stateOrProvinceName_max = 64
+
+localityName = "Locality (e.g., city)"
+localityName_default = "Cambridge"
+localityName_max = 64
+
+organizationName = "Organization"
+organizationName_default = "distorted.org.uk"
+organizationName_max = 64
+organizationalUnitName = "Organizational unit"
+organizationalUnitName_max = 64
+
+commonName = "Common name"
+commonName_max = 64
+
+emailAddress = "Email address"
+emailAddress_max = 64
+
+###--------------------------------------------------------------------------
+### CA configuration.
+
+[ca]
+default_ca = distorted-ca
+preserve = yes
+
+[distorted-ca]
+default_days = 1825
+default_md = sha256
+unique_subject = no
+email_in_dn = no
+private_key = private/ca.key
+certificate = ca.cert
+database = state/db$ENV::db_suffix
+serial = state/serial
+crlnumber = state/crlnumber
+default_crl_hours = 28
+x509_extensions = tls-server-extensions
+crl_extensions = crl-extensions
+policy = distorted-policy
+name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
+cert_opt = no_header, ext_parse, no_pubkey
+copy_extensions = copy
+
+[distorted-policy]
+countryName = supplied
+stateOrProvinceName = optional
+localityName = optional
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[crl-extensions]
+issuerAltName = email:ca@distorted.org.uk
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+[ca-extensions]
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, keyCertSign
+subjectKeyIdentifier = hash
+subjectAltName = email:ca@distorted.org.uk
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+[tls-server-extensions]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+issuerAltName = issuer:copy
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+[tls-client-extensions]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+issuerAltName = issuer:copy
+subjectAltName = email:copy
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
+
+###----- That's all, folks --------------------------------------------------
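Review bot: `[ca-extensions]` sets `keyUsage = critical, keyCertSign` without `cRLSign`, yet `[distorted-ca]` is configured to issue CRLs (`crlnumber`, `crl_extensions`, `default_crl_hours`) and every end-entity profile advertises a `crlDistributionPoints` URI. Because the extension is marked critical, verifiers that enforce RFC 5280 key usage on the CRL issuer (OpenSSL reports X509_V_ERR_KEYUSAGE_NO_CRL_SIGN) will reject CRLs signed by this CA certificate, so revocation checking fails for exactly the clients that perform it; the fix is `keyUsage = critical, keyCertSign, cRLSign` in `[ca-extensions]`, after which the self-signed CA certificate produced via `[req]`'s `x509_extensions = ca-extensions` has to be regenerated. Separately, `copy_extensions = copy` combined with no `subjectAltName` in `[tls-server-extensions]` means a signed server certificate's SANs come verbatim from the CSR, so the requested names need to be checked at signing time; a comment above `copy_extensions` saying so would make that expectation visible. The hunk is the whole new file.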