Initial onfca commit
Updated help target in Makefile
Reworked for IM CAs
Added CRL handling
Added docs/references
Change-Id: I2b1eb541464c157d3626bbe4a6cf7db78c2af533
diff --git a/pki.cnf b/pki.cnf
new file mode 100644
index 0000000..eb793cf
--- /dev/null
+++ b/pki.cnf
@@ -0,0 +1,117 @@
+# SPDX-FileCopyrightText: © 2022 Open Networking Foundation <support@opennetworking.org>
+#SPDX-License-Identifier: Apache-2.0
+
+
+[ default ]
+ca = $ENV::CA_NAME
+dir = $ENV::BASE_DIR
+default_ca = default_ca
+name_opt = multiline,-esc_msb,utf8 # Display UTF-8 characters
+config_diagnostics = 1
+
+[ req ]
+default_bits = 2048
+default_days = 1825
+default_md = sha256
+encrypt_key = yes
+default_md = sha256
+distinguished_name = ca_dn
+utf8 = yes
+string_mask = utf8only
+
+[ default_ca ]
+certificate = $dir/$ca/ca.pem
+private_key = $dir/$ca/private/ca_key.pem
+policy = match_pol
+name_opt = $name_opt
+preserve = no
+email_in_dn = no
+copy_extensions = copy
+
+new_certs_dir = $dir/$ca/certs
+serial = $dir/$ca/db/ca.srl
+rand_serial = no
+database = $dir/$ca/db/ca.db
+
+# crl
+crl_dir = $dir/$ca/crl
+crlnumber = $dir/$ca/crl/db/ca.crl.srl
+default_md = sha256
+default_crl_days = 365
+crl_extensions = crl_ext
+
+# Extensions for a typical CA (`man x509v3_config`).
+[ root_ca_ext ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, keyCertSign, cRLSign
+
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+[ im_ca_ext ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
+
+# Extensions for server certificates (`man x509v3_config`).
+[ server_cert_ext ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+# Extensions for client certificates (`man x509v3_config`).
+[ client_cert_ext ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = clientAuth, emailProtection
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+[ match_pol ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# Allow intermediate CA's to sign more types of certs
+[ any_pol ]
+domainComponent = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+
+[ ca_dn ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Defaults DN
+countryName_default = US
+stateOrProvinceName_default = California
+localityName_default = Menlo Park
+0.organizationName_default = ONF
+organizationalUnitName_default = Infra
+commonName = Testing
+emailAddress_default = do-not-reply@opennetworking.org
+
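Review bot: In `[ ca_dn ]`, the line `commonName = Testing` under the "Defaults DN" comment repeats the `commonName` prompt key instead of setting a default, so commonName ends up with no default and its prompt text is replaced by "Testing"; it should read `commonName_default = Testing` to match the other `_default` keys in that block. In `[ req ]`, `default_md = sha256` appears twice and the second copy can be dropped. `default_days = 1825` in `[ req ]` is, as far as I know, a `ca`-section option rather than a `req` option, so it would likely need to move into `[ default_ca ]` to take effect when `openssl ca` runs without `-days` — worth confirming against how the Makefile invokes it. Consider `rand_serial = yes` in place of the sequential serial file, since randomized serial numbers are the current recommendation for CA-issued certificates.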