ca-scripts/tpl/ca-config.tpl

161 lines
7 KiB
Smarty
Raw Permalink Normal View History

# CA configuration file template
# ---------------------------------------------------------------------------- #
# This defines the CA configuration to use
[ ca ]
default_ca = ca_scripts
# ---------------------------------------------------------------------------- #
# This defines our CA configuration
[ ca_scripts ]
# interpolation variables defining the directories to use
dir = %CA_HOME% # root data directory of CA
db_dir = $dir/db # database files are kept here
csr_dir = $dir/csr # generated CSRs are kept here
crt_dir = $dir/crt # signed CRTs are kept here
key_dir = $dir/key # generated KEYs are kept here
crl_dir = $dir/crl # generated CRL is kept here
new_certs_dir = $dir/idx # default place for new CRTs
# required settings
database = $db_dir/index.txt # database index file
serial = $db_dir/serial # serial number index file
certificate = $crt_dir/%CA_NAME%.ca.crt # CA certificate
private_key = $key_dir/%CA_NAME%.ca.key # CA private key
crl = $crl_dir/%CA_NAME%.ca.crl # current CRL
RANDFILE = $db_dir/.rand # private random number file
# these two CA directives can be commented out so that v1 CRLs are created
crlnumber = $db_dir/crlnumber # crlnumber index file
crl_extensions = ca_crl_extensions # extensions in v2 CRL
# x509v3 certificate extensions and certificate signing policy
x509_extensions = ca_x509_default_extensions
copy_extensions = copy # copy extensions from CSR to CRT
policy = ca_extension_policy # policy on required CSR attributes
# leave these defaults
name_opt = oneline # Subject Name options - x509(1)
cert_opt = ca_default # Certificate field options - x509(1)
default_days = %CA_CRT_DAYS% # how long to certify for
default_crl_days= %CA_CRL_DAYS% # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
unique_subject = no # recommended
email_in_dn = no # remove email from CSR DN when signing
# ---------------------------------------------------------------------------- #
# This defines the CA's policy on required CSR attributes.
# It requires:
# the country [C] to be supplied in the CSR and match the CA
# the state or province [ST] to be supplied in the CSR
# the locality [L] to be supplied in the CSR
# the organisation name [O] to be supplied in the CSR and match the CA
# the organisational unit [OU] to be supplied in the CSR
# the server common name [CN] to be supplied in the CSR
# ... and an [emailAddress] may optionally be supplied in the CSR
# XXX: is this too restrictive or not restrictive enough?
# should options for ca-create-cert to change "match" values even exist?
[ ca_extension_policy ]
countryName = match
stateOrProvinceName = supplied
localityName = supplied
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional
# ---------------------------------------------------------------------------- #
# This defines the default x509 extensions present in a cert signed by the CA.
# These should be replaced by a specific set of extensions per certificate.
[ ca_x509_default_extensions ]
# certificates signed by this CA by default are not CA certificates themselves
basicConstraints = CA:FALSE
# old netscape certificate attributes
nsCertType = server
nsComment = "%CA_DESC% Certificate"
nsRevocationUrl = %CA_CRL_URI%
# key usage restrictions
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth
issuerAltName = issuer:copy
subjectAltName = URI:%CA_CRT_URI%
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
authorityInfoAccess = caIssuers;URI:%CA_CRT_URI%
crlDistributionPoints = URI:%CA_CRL_URI%
# ---------------------------------------------------------------------------- #
# This defines the x509 extensions present in the generated CA certificate.
[ ca_x509_extensions ]
# this certificate is authoritative and allowed to sign other certificates
# pathlen=1 implies there may be up to one intermediate CA in the chain
# that leads to this root CA certificate.
basicConstraints = critical,CA:TRUE,pathlen:%CA_PATHLEN%
# old netscape certificate attributes
nsCertType = objsign, sslCA, emailCA, objCA
nsComment = "%CA_DESC%"
nsRevocationUrl = %CA_CRL_URI%
nsCaRevocationUrl = %CA_CRL_URI%
# key usage restrictions
keyUsage = critical, cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
issuerAltName = @ca_altname
subjectAltName = @ca_altname
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
authorityInfoAccess = caIssuers;URI:%CA_CRT_URI%
crlDistributionPoints = URI:%CA_CRL_URI%
# ---------------------------------------------------------------------------- #
# This is a separate section defining the attributes in the CA's subjectAltName.
[ ca_altname ]
URI=%CA_CRT_URI%
DNS.1=%CA_DOMAIN%
DNS.2=*.%CA_DOMAIN%
email=%CA_EMAIL%
# ---------------------------------------------------------------------------- #
# This defines the extensions present in the CRLs generated by this CA.
[ ca_crl_extensions ]
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always, issuer:always
# the below is only supported in the very latest releases of openssl
# issuingDistributionPoint= URI:%CA_CRL_URI%
# ---------------------------------------------------------------------------- #
# This defines the extensions present in the CSRs created by this CA.
[ ca_req_extensions ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth
# ---------------------------------------------------------------------------- #
# This defines default settings for certificate requests and CA cert creation.
[ req ]
default_bits = %CA_CRT_BITS%
default_md = sha1
distinguished_name = ca_req_dn
x509_extensions = ca_x509_extensions
req_extensions = ca_req_extensions
string_mask = nombstr
prompt = no
# ---------------------------------------------------------------------------- #
# This defines the DN of the CA certificate.
[ ca_req_dn ]
C = %CA_DN_C%
ST = %CA_DN_ST%
L = %CA_DN_L%
O = %CA_DN_O%
OU = %CA_DN_OU%
CN = %CA_DN_CN%