Gitiles
Code Review Sign In
gerrit.opencord.org / platform-install / c047c876306e8054b561493ba9f314c326eb7b0f^! / . / roles / pki-intermediate-ca / templates / openssl_im.cnf.j2
commitc047c876306e8054b561493ba9f314c326eb7b0f[log] [tgz]
authorZack Williams <zdw@cs.arizona.edu>Wed Jan 11 08:38:15 2017 -0700
committerZack Williams <zdw@cs.arizona.edu>Sun Jan 15 19:39:07 2017 -0800
treeff29b08429d39c5c12cea7b5b865b327c5c557c4
parent2a3c01ec513591036e22073787cdc75677e852cc [diff] [blame]
pki work, and keystone cert generated
ignore retry files
load variables for localhost as wel
split root/intermediate generation
use array for creating server certs
configure openstack with certs from server via lookup('file',...
move root CA cert to old location, testing
indent ssl info
more places where the CA cert is used
don't have juju self-manage certs
juju requires certs be base64 encoded (not documented)
install both root/intermediate CA certs, as juju/trusty apache is too old to support chaining
provide ca/im chain to juju keystone config
yaml error
updated name for onos source per jono
fixed the onos-fabric-install role
whitespace
copy CA certs to compute node
stop wasting time
diagnostically print contents of /usr/local/share/ca-certificates/ dir

Change-Id: Idbd4891736b07690a260bf3d117c547de1ae7424

diff --git a/roles/pki-intermediate-ca/templates/openssl_im.cnf.j2 b/roles/pki-intermediate-ca/templates/openssl_im.cnf.j2
new file mode 100644
index 0000000..6647d83
--- /dev/null
+++ b/roles/pki-intermediate-ca/templates/openssl_im.cnf.j2

@@ -0,0 +1,107 @@
+# Created by openssl_im.cnf.j2, configured by ansible
+
+[ ca ]
+default_ca  = CA_default
+
+[ CA_default ]
+dir               = {{ pki_dir }}/intermediate_ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.randfile
+
+private_key       = $dir/private/im_key.pem
+certificate       = $dir/certs/im_cert.pem
+
+crlnumber         = $dir/crl/crlnumber
+crl               = $dir/crl/im_crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# Make new requests easier to sign - allow two subjects with same name
+# (Or revoke the old certificate first.)
+unique_subject    = no
+
+default_md        = {{ ca_digest }}
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = {{ ca_im_days }}
+preserve          = no
+
+# for CA that signs client certs
+policy            = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign more types of certs
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+default_bits         = {{ ca_size }}
+default_md           = {{ ca_digest }}
+distinguished_name   = req_distinguished_name
+string_mask          = utf8only
+x509_extensions      = v3_intermediate_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Some defaults
+countryName_default             = US
+stateOrProvinceName_default     = California
+localityName_default            = Menlo Park
+0.organizationName_default      = ON.Lab
+organizationalUnitName_default  = Test Deployment
+emailAddress_default            = privateca@opencord.org
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = ${ENV::KEY_ALTNAMES}
+
+[ user_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = clientAuth, emailProtection
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+