2009-10-12 17:46:50 -04:00
|
|
|
# CA configuration file template
|
|
|
|
|
|
|
|
# ---------------------------------------------------------------------------- #
|
|
|
|
# This defines the CA configuration to use
|
|
|
|
[ ca ]
|
|
|
|
default_ca = ca_scripts
|
|
|
|
|
|
|
|
# ---------------------------------------------------------------------------- #
|
|
|
|
# This defines our CA configuration
|
|
|
|
[ ca_scripts ]
|
|
|
|
# interpolation variables defining the directories to use
|
|
|
|
dir = %CA_HOME% # root data directory of CA
|
|
|
|
db_dir = $dir/db # database files are kept here
|
|
|
|
csr_dir = $dir/csr # generated CSRs are kept here
|
|
|
|
crt_dir = $dir/crt # signed CRTs are kept here
|
|
|
|
key_dir = $dir/key # generated KEYs are kept here
|
|
|
|
crl_dir = $dir/crl # generated CRL is kept here
|
|
|
|
new_certs_dir = $dir/idx # default place for new CRTs
|
|
|
|
|
|
|
|
# required settings
|
|
|
|
database = $db_dir/index.txt # database index file
|
|
|
|
serial = $db_dir/serial # serial number index file
|
|
|
|
certificate = $crt_dir/%CA_NAME%.ca.crt # CA certificate
|
|
|
|
private_key = $key_dir/%CA_NAME%.ca.key # CA private key
|
|
|
|
crl = $crl_dir/%CA_NAME%.ca.crl # current CRL
|
|
|
|
RANDFILE = $db_dir/.rand # private random number file
|
|
|
|
|
|
|
|
# these two CA directives can be commented out so that v1 CRLs are created
|
|
|
|
crlnumber = $db_dir/crlnumber # crlnumber index file
|
|
|
|
crl_extensions = ca_crl_extensions # extensions in v2 CRL
|
|
|
|
|
|
|
|
# x509v3 certificate extensions and certificate signing policy
|
|
|
|
x509_extensions = ca_x509_default_extensions
|
|
|
|
copy_extensions = copy # copy extensions from CSR to CRT
|
|
|
|
policy = ca_extension_policy # policy on required CSR attributes
|
|
|
|
|
|
|
|
# leave these defaults
|
|
|
|
name_opt = oneline # Subject Name options - x509(1)
|
|
|
|
cert_opt = ca_default # Certificate field options - x509(1)
|
2010-02-14 04:14:35 -05:00
|
|
|
default_days = %CA_CRT_DAYS% # how long to certify for
|
|
|
|
default_crl_days= %CA_CRT_DAYS% # how long before next CRL
|
2009-10-12 17:46:50 -04:00
|
|
|
default_md = sha1 # which md to use.
|
|
|
|
preserve = no # keep passed DN ordering
|
|
|
|
unique_subject = no # recommended
|
|
|
|
email_in_dn = no # remove email from CSR DN when signing
|
|
|
|
|
|
|
|
# ---------------------------------------------------------------------------- #
|
|
|
|
# This defines the CA's policy on required CSR attributes.
|
|
|
|
# It requires:
|
|
|
|
# the country [C] to be supplied in the CSR and match the CA
|
|
|
|
# the state or province [ST] to be supplied in the CSR
|
|
|
|
# the locality [L] to be supplied in the CSR
|
|
|
|
# the organisation name [O] to be supplied in the CSR and match the CA
|
|
|
|
# the organisational unit [OU] to be supplied in the CSR
|
|
|
|
# the server common name [CN] to be supplied in the CSR
|
|
|
|
# ... and an [emailAddress] may optionally be supplied in the CSR
|
|
|
|
# XXX: is this too restrictive or not restrictive enough?
|
|
|
|
# should options for ca-create-cert to change "match" values even exist?
|
|
|
|
[ ca_extension_policy ]
|
|
|
|
countryName = match
|
|
|
|
stateOrProvinceName = supplied
|
|
|
|
localityName = supplied
|
|
|
|
organizationName = match
|
|
|
|
organizationalUnitName = supplied
|
|
|
|
commonName = supplied
|
|
|
|
emailAddress = optional
|
|
|
|
|
|
|
|
# ---------------------------------------------------------------------------- #
|
|
|
|
# This defines the default x509 extensions present in a cert signed by the CA.
|
|
|
|
# These should be replaced by a specific set of extensions per certificate.
|
|
|
|
[ ca_x509_default_extensions ]
|
|
|
|
|
|
|
|
# certificates signed by this CA by default are not CA certificates themselves
|
|
|
|
basicConstraints = CA:FALSE
|
|
|
|
|
|
|
|
# old netscape certificate attributes
|
|
|
|
nsCertType = server
|
|
|
|
nsComment = "%CA_DESC% Certificate"
|
|
|
|
nsRevocationUrl = %CA_CRL_URI%
|
|
|
|
|
|
|
|
# key usage restrictions
|
|
|
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
|
|
|
|
extendedKeyUsage = serverAuth
|
|
|
|
|
|
|
|
issuerAltName = issuer:copy
|
|
|
|
subjectAltName = URI:%CA_CRT_URI%
|
|
|
|
subjectKeyIdentifier = hash
|
|
|
|
authorityKeyIdentifier = keyid,issuer:always
|
|
|
|
authorityInfoAccess = caIssuers;URI:%CA_CRT_URI%
|
|
|
|
crlDistributionPoints = URI:%CA_CRL_URI%
|
|
|
|
|
|
|
|
# ---------------------------------------------------------------------------- #
|
|
|
|
# This defines the x509 extensions present in the generated CA certificate.
|
|
|
|
[ ca_x509_extensions ]
|
|
|
|
|
|
|
|
# this certificate is authoritative and allowed to sign other certificates
|
|
|
|
# pathlen=1 implies there may be up to one intermediate CA in the chain
|
|
|
|
# that leads to this root CA certificate.
|
|
|
|
basicConstraints = critical,CA:TRUE,pathlen:%CA_PATHLEN%
|
|
|
|
|
|
|
|
# old netscape certificate attributes
|
|
|
|
nsCertType = objsign, sslCA, emailCA, objCA
|
|
|
|
nsComment = "%CA_DESC%"
|
|
|
|
nsRevocationUrl = %CA_CRL_URI%
|
|
|
|
nsCaRevocationUrl = %CA_CRL_URI%
|
|
|
|
|
|
|
|
# key usage restrictions
|
|
|
|
keyUsage = critical, cRLSign, keyCertSign
|
|
|
|
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
|
|
|
|
|
|
|
|
issuerAltName = @ca_altname
|
|
|
|
subjectAltName = @ca_altname
|
|
|
|
subjectKeyIdentifier = hash
|
|
|
|
authorityKeyIdentifier = keyid,issuer:always
|
|
|
|
authorityInfoAccess = caIssuers;URI:%CA_CRT_URI%
|
|
|
|
crlDistributionPoints = URI:%CA_CRL_URI%
|
|
|
|
|
|
|
|
# ---------------------------------------------------------------------------- #
|
|
|
|
# This is a separate section defining the attributes in the CA's subjectAltName.
|
|
|
|
[ ca_altname ]
|
|
|
|
URI=%CA_CRT_URI%
|
|
|
|
DNS.1=%CA_DOMAIN%
|
|
|
|
DNS.2=*.%CA_DOMAIN%
|
|
|
|
email=%CA_EMAIL%
|
|
|
|
|
|
|
|
# ---------------------------------------------------------------------------- #
|
|
|
|
# This defines the extensions present in the CRLs generated by this CA.
|
|
|
|
[ ca_crl_extensions ]
|
|
|
|
issuerAltName = issuer:copy
|
|
|
|
authorityKeyIdentifier = keyid:always, issuer:always
|
|
|
|
# the below is only supported in the very latest releases of openssl
|
|
|
|
# issuingDistributionPoint= URI:%CA_CRL_URI%
|
|
|
|
|
|
|
|
# ---------------------------------------------------------------------------- #
|
|
|
|
# This defines the extensions present in the CSRs created by this CA.
|
|
|
|
[ ca_req_extensions ]
|
|
|
|
basicConstraints = critical, CA:FALSE
|
|
|
|
keyUsage = critical, nonRepudiation, keyEncipherment, keyAgreement
|
|
|
|
extendedKeyUsage = serverAuth
|
|
|
|
|
|
|
|
# ---------------------------------------------------------------------------- #
|
|
|
|
# This defines default settings for certificate requests and CA cert creation.
|
|
|
|
[ req ]
|
2010-02-14 04:14:35 -05:00
|
|
|
default_bits = %CA_CRT_BITS%
|
2009-10-12 17:46:50 -04:00
|
|
|
default_md = sha1
|
|
|
|
distinguished_name = ca_req_dn
|
|
|
|
x509_extensions = ca_x509_extensions
|
|
|
|
req_extensions = ca_req_extensions
|
|
|
|
string_mask = nombstr
|
|
|
|
prompt = no
|
|
|
|
|
|
|
|
# ---------------------------------------------------------------------------- #
|
|
|
|
# This defines the DN of the CA certificate.
|
|
|
|
[ ca_req_dn ]
|
|
|
|
C = %CA_DN_C%
|
|
|
|
ST = %CA_DN_ST%
|
|
|
|
L = %CA_DN_L%
|
|
|
|
O = %CA_DN_O%
|
|
|
|
OU = %CA_DN_OU%
|
|
|
|
CN = %CA_DN_CN%
|