| Brian Waters | 13d9601 | 2017-12-08 16:53:31 -0600 | [diff] [blame^] | 1 | # Note: for this file to be working, an environment var CA_ROOT_DIR = directory |
| 2 | # must be defined and pointing to the CA top-level directory. |
| 3 | |
| 4 | HOME = . |
| 5 | RANDFILE = $ENV::HOME/.rnd |
| 6 | |
| 7 | oid_section = new_oids |
| 8 | |
| 9 | [ new_oids ] |
| 10 | |
| 11 | |
| 12 | #################################################################### |
| 13 | [ req ] |
| 14 | default_bits = 1024 |
| 15 | # default_keyfile = privkey.pem |
| 16 | string_mask = utf8only |
| 17 | |
| 18 | distinguished_name = req_distinguished_name |
| 19 | attributes = req_attributes |
| 20 | req_extensions = v3_req # overwrite with -reqexts |
| 21 | x509_extensions = ca_cert # overwrite with -extensions; used for self-signed keys only |
| 22 | |
| 23 | [ req_distinguished_name ] |
| 24 | countryName = Country Name (2 letter code) |
| 25 | countryName_default = JP |
| 26 | countryName_min = 2 |
| 27 | countryName_max = 2 |
| 28 | stateOrProvinceName = State or Province Name (full name) |
| 29 | stateOrProvinceName_default = Tokyo |
| 30 | localityName = Locality Name (eg, city) |
| 31 | localityName_default = Koganei |
| 32 | 0.organizationName = Organization Name (eg, company) |
| 33 | 0.organizationName_default = WIDE |
| 34 | 1.organizationName = Second Organization Name (eg, company) |
| 35 | 1.organizationName_default = NICT |
| 36 | organizationalUnitName = Organizational Unit Name (eg, section) |
| 37 | organizationalUnitName_default = AAA WG testbed |
| 38 | |
| 39 | [ req_attributes ] |
| 40 | challengePassword = A challenge password |
| 41 | challengePassword_min = 0 |
| 42 | challengePassword_max = 20 |
| 43 | unstructuredName = An optional company name |
| 44 | |
| 45 | [ v3_req ] |
| 46 | # Extensions to add to a certificate request |
| 47 | basicConstraints = CA:FALSE |
| 48 | keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
| 49 | |
| 50 | [ v3_req_ca ] |
| 51 | # Extensions to add to a certificate request for CA |
| 52 | basicConstraints = CA:TRUE |
| 53 | |
| 54 | |
| 55 | #################################################################### |
| 56 | [ ca ] |
| 57 | default_ca = CA_default # The default ca section |
| 58 | |
| 59 | [ CA_default ] |
| 60 | |
| 61 | dir = $ENV::CA_ROOT_DIR # Where everything is kept |
| 62 | certs = $dir/public # Where the issued certs are kept |
| 63 | crl_dir = $dir/public # Where the issued crl are kept |
| 64 | database = $dir/index.txt # database index file. |
| 65 | #unique_subject = no # Set to 'no' to allow creation of |
| 66 | # several ctificates with same subject. |
| 67 | new_certs_dir = $dir/public # default place for new certs. |
| 68 | |
| 69 | certificate = $dir/public/cacert.pem # The CA certificate |
| 70 | serial = $dir/serial # The current serial number |
| 71 | crlnumber = $dir/crlnumber # the current crl number |
| 72 | crl = $dir/public/local.pem # The current CRL |
| 73 | private_key = $dir/private/cakey.pem # The private key |
| 74 | x509_extensions = usr_cert # The extentions to add to the cert |
| 75 | # overwrite with -extensions |
| 76 | name_opt = ca_default # Subject Name options |
| 77 | cert_opt = ca_default # Certificate field options |
| 78 | crl_extensions = crl_ext |
| 79 | |
| 80 | default_days = 3650 # how long to certify for |
| 81 | default_crl_days= 365 # how long before next CRL |
| 82 | default_md = sha1 # which md to use. |
| 83 | preserve = no # keep passed DN ordering |
| 84 | |
| 85 | # We accept to sign anything, but a real deployment would limit to proper domain etc... |
| 86 | policy = policy_anything |
| 87 | |
| 88 | [ policy_anything ] |
| 89 | countryName = optional |
| 90 | stateOrProvinceName = optional |
| 91 | localityName = optional |
| 92 | organizationName = optional |
| 93 | organizationalUnitName = optional |
| 94 | commonName = supplied |
| 95 | emailAddress = optional |
| 96 | |
| 97 | [ usr_cert ] |
| 98 | basicConstraints=CA:FALSE |
| 99 | # This is typical in keyUsage for a client certificate. |
| 100 | keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
| 101 | subjectKeyIdentifier=hash |
| 102 | authorityKeyIdentifier=keyid,issuer |
| 103 | |
| 104 | [ ca_cert ] |
| 105 | # Extensions for a typical CA |
| 106 | subjectKeyIdentifier=hash |
| 107 | authorityKeyIdentifier=keyid:always,issuer:always |
| 108 | basicConstraints = critical,CA:true # Remove "critical," in case of problems |
| 109 | keyUsage = cRLSign, keyCertSign |
| 110 | # subjectAltName=email:copy |
| 111 | # Copy issuer details |
| 112 | # issuerAltName=issuer:copy |
| 113 | |
| 114 | [ crl_ext ] |
| 115 | # CRL extensions. |
| 116 | # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. |
| 117 | # issuerAltName=issuer:copy |
| 118 | authorityKeyIdentifier=keyid:always,issuer:always |
| 119 | |
| 120 | |