ca-scripts/tpl/ca-config.tpl

# CA configuration file template

# ---------------------------------------------------------------------------- #
# This defines the CA configuration to use
[ ca ]
default_ca = ca_scripts

# ---------------------------------------------------------------------------- #
# This defines our CA configuration
[ ca_scripts ]
# interpolation variables defining the directories to use
dir             = %CA_HOME%                     # root data directory of CA
db_dir          = $dir/db                       # database files are kept here
csr_dir         = $dir/csr                      # generated CSRs are kept here
crt_dir         = $dir/crt                      # signed CRTs are kept here
key_dir         = $dir/key                      # generated KEYs are kept here
crl_dir         = $dir/crl                      # generated CRL is kept here
new_certs_dir   = $dir/idx                      # default place for new CRTs

# required settings
database        = $db_dir/index.txt             # database index file
serial          = $db_dir/serial                # serial number index file
certificate     = $crt_dir/%CA_NAME%.ca.crt     # CA certificate
private_key     = $key_dir/%CA_NAME%.ca.key     # CA private key
crl             = $crl_dir/%CA_NAME%.ca.crl     # current CRL
RANDFILE        = $db_dir/.rand                 # private random number file

# these two CA directives can be commented out so that v1 CRLs are created
crlnumber       = $db_dir/crlnumber             # crlnumber index file
crl_extensions  = ca_crl_extensions             # extensions in v2 CRL

# x509v3 certificate extensions and certificate signing policy
x509_extensions = ca_x509_default_extensions
copy_extensions = copy                          # copy extensions from CSR to CRT
policy          = ca_extension_policy           # policy on required CSR attributes

# leave these defaults
name_opt        = oneline               # Subject Name options - x509(1)
cert_opt        = ca_default            # Certificate field options - x509(1)
default_days    = %CA_CRT_DAYS%         # how long to certify for
default_crl_days= %CA_CRL_DAYS%         # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering
unique_subject  = no                    # recommended
email_in_dn     = no                    # remove email from CSR DN when signing

# ---------------------------------------------------------------------------- #
# This defines the CA's policy on required CSR attributes.
# It requires:
#   the country [C] to be supplied in the CSR and match the CA
#   the state or province [ST] to be supplied in the CSR
#   the locality [L] to be supplied in the CSR
#   the organisation name [O] to be supplied in the CSR and match the CA
#   the organisational unit [OU] to be supplied in the CSR
#   the server common name [CN] to be supplied in the CSR
# ... and an [emailAddress] may optionally be supplied in the CSR
# XXX: is this too restrictive or not restrictive enough?
#      should options for ca-create-cert to change "match" values even exist?
[ ca_extension_policy ]
countryName             = match
stateOrProvinceName     = supplied
localityName            = supplied
organizationName        = match
organizationalUnitName  = supplied
commonName              = supplied
emailAddress            = optional

# ---------------------------------------------------------------------------- #
# This defines the default x509 extensions present in a cert signed by the CA.
# These should be replaced by a specific set of extensions per certificate.
[ ca_x509_default_extensions ]

# certificates signed by this CA by default are not CA certificates themselves
basicConstraints        = CA:FALSE

# old netscape certificate attributes
nsCertType              = server
nsComment               = "%CA_DESC% Certificate"
nsRevocationUrl         = %CA_CRL_URI%

# key usage restrictions
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage        = serverAuth

issuerAltName           = issuer:copy
subjectAltName          = URI:%CA_CRT_URI%
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
authorityInfoAccess     = caIssuers;URI:%CA_CRT_URI%
crlDistributionPoints   = URI:%CA_CRL_URI%

# ---------------------------------------------------------------------------- #
# This defines the x509 extensions present in the generated CA certificate.
[ ca_x509_extensions ]

# this certificate is authoritative and allowed to sign other certificates
# pathlen=1 implies there may be up to one intermediate CA in the chain
# that leads to this root CA certificate.
basicConstraints        = critical,CA:TRUE,pathlen:%CA_PATHLEN%

# old netscape certificate attributes
nsCertType              = objsign, sslCA, emailCA, objCA
nsComment               = "%CA_DESC%"
nsRevocationUrl         = %CA_CRL_URI%
nsCaRevocationUrl       = %CA_CRL_URI%

# key usage restrictions
keyUsage                = critical, cRLSign, keyCertSign
extendedKeyUsage        = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping

issuerAltName           = @ca_altname
subjectAltName          = @ca_altname
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
authorityInfoAccess     = caIssuers;URI:%CA_CRT_URI%
crlDistributionPoints   = URI:%CA_CRL_URI%

# ---------------------------------------------------------------------------- #
# This is a separate section defining the attributes in the CA's subjectAltName.
[ ca_altname ]
URI=%CA_CRT_URI%
DNS.1=%CA_DOMAIN%
DNS.2=*.%CA_DOMAIN%
email=%CA_EMAIL%

# ---------------------------------------------------------------------------- #
# This defines the extensions present in the CRLs generated by this CA.
[ ca_crl_extensions ]
issuerAltName           = issuer:copy
authorityKeyIdentifier  = keyid:always, issuer:always
# the below is only supported in the very latest releases of openssl
# issuingDistributionPoint= URI:%CA_CRL_URI%

# ---------------------------------------------------------------------------- #
# This defines the extensions present in the CSRs created by this CA.
[ ca_req_extensions ]
basicConstraints        = critical, CA:FALSE
keyUsage                = critical, nonRepudiation, keyEncipherment, keyAgreement
extendedKeyUsage        = serverAuth

# ---------------------------------------------------------------------------- #
# This defines default settings for certificate requests and CA cert creation.
[ req ]
default_bits            = %CA_CRT_BITS%
default_md              = sha1
distinguished_name      = ca_req_dn
x509_extensions         = ca_x509_extensions
req_extensions          = ca_req_extensions
string_mask             = nombstr
prompt                  = no

# ---------------------------------------------------------------------------- #
# This defines the DN of the CA certificate.
[ ca_req_dn ]
C                       = %CA_DN_C%
ST                      = %CA_DN_ST%
L                       = %CA_DN_L%
O                       = %CA_DN_O%
OU                      = %CA_DN_OU%
CN                      = %CA_DN_CN%