pki.cnf

# SPDX-FileCopyrightText: © 2022 Open Networking Foundation <support@opennetworking.org>
#SPDX-License-Identifier: Apache-2.0


[ default ]
ca                   = $ENV::CA_NAME
dir                  = $ENV::BASE_DIR
default_ca           = default_ca
name_opt             = multiline,-esc_msb,utf8  # Display UTF-8 characters
config_diagnostics   = 1

[ req ]
default_bits         = 2048
default_days         = 1825
default_md           = sha256
encrypt_key          = yes
default_md           = sha256
distinguished_name   = ca_dn
utf8                 = yes
string_mask          = utf8only

[ default_ca ]
certificate          = $dir/$ca/ca.pem
private_key          = $dir/$ca/private/ca_key.pem
policy               = match_pol
name_opt             = $name_opt
preserve             = no
email_in_dn          = no
copy_extensions      = copy

new_certs_dir        = $dir/$ca/certs
serial               = $dir/$ca/db/ca.srl
rand_serial          = no
database             = $dir/$ca/db/ca.db

# crl
crl_dir              = $dir/$ca/crl
crlnumber            = $dir/$ca/crl/db/ca.crl.srl
default_md           = sha256
default_crl_days     = 365
crl_extensions       = crl_ext

# Extensions for a typical CA (`man x509v3_config`).
[ root_ca_ext ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign

# Extensions for a typical intermediate CA (`man x509v3_config`).
[ im_ca_ext ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical, CA:true, pathlen:0
keyUsage                = critical, keyCertSign, cRLSign

# Extensions for server certificates (`man x509v3_config`).
[ server_cert_ext ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
basicConstraints        = critical, CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth

# Extensions for client certificates (`man x509v3_config`).
[ client_cert_ext ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
basicConstraints        = critical, CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage        = clientAuth, emailProtection

[ crl_ext ]
authorityKeyIdentifier  = keyid:always

# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
[ match_pol ]
countryName             = match
stateOrProvinceName     = match
localityName            = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# Allow intermediate CA's to sign more types of certs
[ any_pol ]
domainComponent         = optional
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional


[ ca_dn ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Defaults DN
countryName_default             = US
stateOrProvinceName_default     = California
localityName_default            = Menlo Park
0.organizationName_default      = ONF
organizationalUnitName_default  = Infra
commonName                      = Testing
emailAddress_default            = do-not-reply@opennetworking.org