| # SPDX-FileCopyrightText: © 2022 Open Networking Foundation <support@opennetworking.org> |
| #SPDX-License-Identifier: Apache-2.0 |
| |
| |
| [ default ] |
| ca = $ENV::CA_NAME |
| dir = $ENV::BASE_DIR |
| default_ca = default_ca |
| name_opt = multiline,-esc_msb,utf8 # Display UTF-8 characters |
| config_diagnostics = 1 |
| |
| [ req ] |
| default_bits = 2048 |
| default_days = 1825 |
| default_md = sha256 |
| encrypt_key = yes |
| default_md = sha256 |
| distinguished_name = ca_dn |
| utf8 = yes |
| string_mask = utf8only |
| |
| [ default_ca ] |
| certificate = $dir/$ca/ca.pem |
| private_key = $dir/$ca/private/ca_key.pem |
| policy = match_pol |
| name_opt = $name_opt |
| preserve = no |
| email_in_dn = no |
| copy_extensions = copy |
| |
| new_certs_dir = $dir/$ca/certs |
| serial = $dir/$ca/db/ca.srl |
| rand_serial = no |
| database = $dir/$ca/db/ca.db |
| |
| # crl |
| crl_dir = $dir/$ca/crl |
| crlnumber = $dir/$ca/crl/db/ca.crl.srl |
| default_md = sha256 |
| default_crl_days = 365 |
| crl_extensions = crl_ext |
| |
| # Extensions for a typical CA (`man x509v3_config`). |
| [ root_ca_ext ] |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always,issuer |
| basicConstraints = critical, CA:true |
| keyUsage = critical, keyCertSign, cRLSign |
| |
| # Extensions for a typical intermediate CA (`man x509v3_config`). |
| [ im_ca_ext ] |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always,issuer |
| basicConstraints = critical, CA:true, pathlen:0 |
| keyUsage = critical, keyCertSign, cRLSign |
| |
| # Extensions for server certificates (`man x509v3_config`). |
| [ server_cert_ext ] |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid,issuer:always |
| basicConstraints = critical, CA:FALSE |
| keyUsage = critical, digitalSignature, keyEncipherment |
| extendedKeyUsage = serverAuth |
| |
| # Extensions for client certificates (`man x509v3_config`). |
| [ client_cert_ext ] |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid,issuer:always |
| basicConstraints = critical, CA:FALSE |
| keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation |
| extendedKeyUsage = clientAuth, emailProtection |
| |
| [ crl_ext ] |
| authorityKeyIdentifier = keyid:always |
| |
| # The root CA should only sign intermediate certificates that match. |
| # See the POLICY FORMAT section of `man ca`. |
| [ match_pol ] |
| countryName = match |
| stateOrProvinceName = match |
| localityName = match |
| organizationName = match |
| organizationalUnitName = optional |
| commonName = supplied |
| emailAddress = optional |
| |
| # Allow intermediate CA's to sign more types of certs |
| [ any_pol ] |
| domainComponent = optional |
| countryName = optional |
| stateOrProvinceName = optional |
| localityName = optional |
| organizationName = optional |
| organizationalUnitName = optional |
| commonName = supplied |
| emailAddress = optional |
| |
| |
| [ ca_dn ] |
| # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. |
| countryName = Country Name (2 letter code) |
| stateOrProvinceName = State or Province Name |
| localityName = Locality Name |
| 0.organizationName = Organization Name |
| organizationalUnitName = Organizational Unit Name |
| commonName = Common Name |
| emailAddress = Email Address |
| |
| # Defaults DN |
| countryName_default = US |
| stateOrProvinceName_default = California |
| localityName_default = Menlo Park |
| 0.organizationName_default = ONF |
| organizationalUnitName_default = Infra |
| commonName = Testing |
| emailAddress_default = do-not-reply@opennetworking.org |
| |