roles/pki-cert/templates/client.cnf.j2 - platform-install - Gitiles

 {#
 Copyright 2017-present Open Networking Foundation

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

 http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 #}
 # Created by client.cnf.j2, configured by ansible

 [ ca ]
 default_ca  = CA_default

 [ CA_default ]
 dir               = {{ pki_dir }}/{{ site_name }}_im_ca
 certs             = $dir/certs
 crl_dir           = $dir/crl
 new_certs_dir     = $dir/newcerts
 database          = $dir/index.txt
 serial            = $dir/serial
 RANDFILE          = $dir/private/.randfile

 private_key       = $dir/private/im_key.pem
 certificate       = $dir/certs/im_cert.pem

 crlnumber         = $dir/crl/crlnumber
 crl               = $dir/crl/im_crl.pem
 crl_extensions    = crl_ext
 default_crl_days  = 30

 # Make new requests easier to sign - allow two subjects with same name
 # (Or revoke the old certificate first.)
 unique_subject    = no

 default_md        = {{ ca_digest }}

 name_opt          = ca_default
 cert_opt          = ca_default
 default_days      = {{ ca_im_days }}
 preserve          = no

 # for CA that signs client certs
 policy            = policy_loose

 [ policy_loose ]
 # Allow the intermediate CA to sign more types of certs
 countryName             = optional
 stateOrProvinceName     = optional
 localityName            = optional
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional

 [ req ]
 default_bits         = {{ ca_size }}
 default_md           = {{ ca_digest }}
 distinguished_name   = req_distinguished_name
 string_mask          = utf8only
 x509_extensions      = client_cert

 [ req_distinguished_name ]
 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
 countryName                     = Country Name (2 letter code)
 stateOrProvinceName             = State or Province Name
 localityName                    = Locality Name
 0.organizationName              = Organization Name
 organizationalUnitName          = Organizational Unit Name
 commonName                      = Common Name
 emailAddress                    = Email Address

 # Some defaults
 countryName_default             = US
 stateOrProvinceName_default     = California
 localityName_default            = Menlo Park
 0.organizationName_default      = ON.Lab
 organizationalUnitName_default  = {{ site_humanname }}
 emailAddress_default            = privateca@opencord.org

 [ client_cert ]
 # Extensions for client certificates (`man x509v3_config`).
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 basicConstraints = CA:FALSE
 keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
 extendedKeyUsage = clientAuth, emailProtection
 subjectAltName = {{ item.altnames | join(', ') }}
	{#
	Copyright 2017-present Open Networking Foundation

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	#}
	# Created by client.cnf.j2, configured by ansible

	[ ca ]
	default_ca = CA_default

	[ CA_default ]
	dir = {{ pki_dir }}/{{ site_name }}_im_ca
	certs = $dir/certs
	crl_dir = $dir/crl
	new_certs_dir = $dir/newcerts
	database = $dir/index.txt
	serial = $dir/serial
	RANDFILE = $dir/private/.randfile

	private_key = $dir/private/im_key.pem
	certificate = $dir/certs/im_cert.pem

	crlnumber = $dir/crl/crlnumber
	crl = $dir/crl/im_crl.pem
	crl_extensions = crl_ext
	default_crl_days = 30

	# Make new requests easier to sign - allow two subjects with same name
	# (Or revoke the old certificate first.)
	unique_subject = no

	default_md = {{ ca_digest }}

	name_opt = ca_default
	cert_opt = ca_default
	default_days = {{ ca_im_days }}
	preserve = no

	# for CA that signs client certs
	policy = policy_loose

	[ policy_loose ]
	# Allow the intermediate CA to sign more types of certs
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	[ req ]
	default_bits = {{ ca_size }}
	default_md = {{ ca_digest }}
	distinguished_name = req_distinguished_name
	string_mask = utf8only
	x509_extensions = client_cert

	[ req_distinguished_name ]
	# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
	countryName = Country Name (2 letter code)
	stateOrProvinceName = State or Province Name
	localityName = Locality Name
	0.organizationName = Organization Name
	organizationalUnitName = Organizational Unit Name
	commonName = Common Name
	emailAddress = Email Address

	# Some defaults
	countryName_default = US
	stateOrProvinceName_default = California
	localityName_default = Menlo Park
	0.organizationName_default = ON.Lab
	organizationalUnitName_default = {{ site_humanname }}
	emailAddress_default = privateca@opencord.org

	[ client_cert ]
	# Extensions for client certificates (`man x509v3_config`).
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer:always
	basicConstraints = CA:FALSE
	keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
	extendedKeyUsage = clientAuth, emailProtection
	subjectAltName = {{ item.altnames \| join(', ') }}