| {# |
| Copyright 2017-present Open Networking Foundation |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| #} |
| # Created by client.cnf.j2, configured by ansible |
| |
| [ ca ] |
| default_ca = CA_default |
| |
| [ CA_default ] |
| dir = {{ pki_dir }}/{{ site_name }}_im_ca |
| certs = $dir/certs |
| crl_dir = $dir/crl |
| new_certs_dir = $dir/newcerts |
| database = $dir/index.txt |
| serial = $dir/serial |
| RANDFILE = $dir/private/.randfile |
| |
| private_key = $dir/private/im_key.pem |
| certificate = $dir/certs/im_cert.pem |
| |
| crlnumber = $dir/crl/crlnumber |
| crl = $dir/crl/im_crl.pem |
| crl_extensions = crl_ext |
| default_crl_days = 30 |
| |
| # Make new requests easier to sign - allow two subjects with same name |
| # (Or revoke the old certificate first.) |
| unique_subject = no |
| |
| default_md = {{ ca_digest }} |
| |
| name_opt = ca_default |
| cert_opt = ca_default |
| default_days = {{ ca_im_days }} |
| preserve = no |
| |
| # for CA that signs client certs |
| policy = policy_loose |
| |
| [ policy_loose ] |
| # Allow the intermediate CA to sign more types of certs |
| countryName = optional |
| stateOrProvinceName = optional |
| localityName = optional |
| organizationName = optional |
| organizationalUnitName = optional |
| commonName = supplied |
| emailAddress = optional |
| |
| [ req ] |
| default_bits = {{ ca_size }} |
| default_md = {{ ca_digest }} |
| distinguished_name = req_distinguished_name |
| string_mask = utf8only |
| x509_extensions = client_cert |
| |
| [ req_distinguished_name ] |
| # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. |
| countryName = Country Name (2 letter code) |
| stateOrProvinceName = State or Province Name |
| localityName = Locality Name |
| 0.organizationName = Organization Name |
| organizationalUnitName = Organizational Unit Name |
| commonName = Common Name |
| emailAddress = Email Address |
| |
| # Some defaults |
| countryName_default = US |
| stateOrProvinceName_default = California |
| localityName_default = Menlo Park |
| 0.organizationName_default = ON.Lab |
| organizationalUnitName_default = {{ site_humanname }} |
| emailAddress_default = privateca@opencord.org |
| |
| [ client_cert ] |
| # Extensions for client certificates (`man x509v3_config`). |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid,issuer:always |
| basicConstraints = CA:FALSE |
| keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation |
| extendedKeyUsage = clientAuth, emailProtection |
| subjectAltName = {{ item.altnames | join(', ') }} |
| |