scripts/pki/xos-pki.cnf - helm-charts - Gitiles

 # Copyright 2017-present Open Networking Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.

 [ ca ]
 default_ca  = CA_default

 [ CA_default ]
 dir               = ./root_ca
 certs             = $dir/certs
 crl_dir           = $dir/crl
 new_certs_dir     = $dir/newcerts
 database          = $dir/index.txt
 serial            = $dir/serial

 private_key       = $dir/private/ca_key.pem
 certificate       = xos-CA.pem

 # Make new requests easier to sign - allow two subjects with same name
 # (Or revoke the old certificate first.)
 unique_subject    = no
 preserve          = no

 # for CA that signs client certs
 policy            = policy_loose

 [ policy_loose ]
 # Allow the to sign more types of certs
 countryName             = optional
 stateOrProvinceName     = optional
 localityName            = optional
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional

 [ req ]
 default_bits         = 2048
 default_days         = 366
 default_md           = sha256
 distinguished_name   = req_distinguished_name
 string_mask          = utf8only
 x509_extensions      = v3_ca

 [ req_distinguished_name ]
 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
 countryName                     = Country Name (2 letter code)
 stateOrProvinceName             = State or Province Name
 localityName                    = Locality Name
 0.organizationName              = Organization Name
 organizationalUnitName          = Organizational Unit Name
 commonName                      = Common Name
 emailAddress                    = Email Address

 # Defaults DN
 countryName_default             = US
 stateOrProvinceName_default     = California
 localityName_default            = Menlo Park
 0.organizationName_default      = ONF
 organizationalUnitName_default  = Testing Only
 commonName                      = CORD Testing
 emailAddress_default            = do-not-reply@opencord.org

 [ v3_ca ]
 # Extensions for a typical CA (`man x509v3_config`).
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:TRUE
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign

 # Extensions for certificates (`man x509v3_config`).
 [ xos-core ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 basicConstraints = CA:FALSE
 keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = 'DNS:xos-core, DNS:xos-core.default, DNS:xos-core.default.svc.cluster.local'
	# Copyright 2017-present Open Networking Foundation
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	[ ca ]
	default_ca = CA_default

	[ CA_default ]
	dir = ./root_ca
	certs = $dir/certs
	crl_dir = $dir/crl
	new_certs_dir = $dir/newcerts
	database = $dir/index.txt
	serial = $dir/serial

	private_key = $dir/private/ca_key.pem
	certificate = xos-CA.pem

	# Make new requests easier to sign - allow two subjects with same name
	# (Or revoke the old certificate first.)
	unique_subject = no
	preserve = no

	# for CA that signs client certs
	policy = policy_loose

	[ policy_loose ]
	# Allow the to sign more types of certs
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	[ req ]
	default_bits = 2048
	default_days = 366
	default_md = sha256
	distinguished_name = req_distinguished_name
	string_mask = utf8only
	x509_extensions = v3_ca

	[ req_distinguished_name ]
	# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
	countryName = Country Name (2 letter code)
	stateOrProvinceName = State or Province Name
	localityName = Locality Name
	0.organizationName = Organization Name
	organizationalUnitName = Organizational Unit Name
	commonName = Common Name
	emailAddress = Email Address

	# Defaults DN
	countryName_default = US
	stateOrProvinceName_default = California
	localityName_default = Menlo Park
	0.organizationName_default = ONF
	organizationalUnitName_default = Testing Only
	commonName = CORD Testing
	emailAddress_default = do-not-reply@opencord.org

	[ v3_ca ]
	# Extensions for a typical CA (`man x509v3_config`).
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:TRUE
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign

	# Extensions for certificates (`man x509v3_config`).
	[ xos-core ]
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer:always
	basicConstraints = CA:FALSE
	keyUsage = critical, digitalSignature, keyEncipherment
	extendedKeyUsage = serverAuth
	subjectAltName = 'DNS:xos-core, DNS:xos-core.default, DNS:xos-core.default.svc.cluster.local'