| # Created by openssl_root.cnf.j2, configured by ansible |
| |
| [ ca ] |
| default_ca = CA_default |
| |
| [ CA_default ] |
| dir = {{ pki_dir }}/root_ca |
| certs = $dir/certs |
| crl_dir = $dir/crl |
| new_certs_dir = $dir/newcerts |
| database = $dir/index.txt |
| serial = $dir/serial |
| RANDFILE = $dir/private/.randfile |
| |
| private_key = $dir/private/ca_key.pem |
| certificate = $dir/certs/ca_cert.pem |
| |
| crlnumber = $dir/crl/crlnumber |
| crl = $dir/crl/ca_crl.pem |
| crl_extensions = crl_ext |
| default_crl_days = 30 |
| |
| # Make new requests easier to sign - allow two subjects with same name |
| # (Or revoke the old certificate first.) |
| unique_subject = no |
| |
| default_md = {{ ca_digest }} |
| name_opt = ca_default |
| cert_opt = ca_default |
| default_days = {{ ca_root_days }} |
| preserve = no |
| |
| # for CA that only signs intermediate CA certs |
| policy = policy_strict |
| |
| [ policy_strict ] |
| # Used by root CA to sign intermediate CA's, should match |
| countryName = match |
| stateOrProvinceName = match |
| organizationName = match |
| organizationalUnitName = optional |
| commonName = supplied |
| emailAddress = optional |
| |
| [ req ] |
| default_bits = {{ ca_size }} |
| default_md = {{ ca_digest }} |
| distinguished_name = req_distinguished_name |
| string_mask = utf8only |
| x509_extensions = v3_ca |
| |
| [ req_distinguished_name ] |
| # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. |
| countryName = Country Name (2 letter code) |
| stateOrProvinceName = State or Province Name |
| localityName = Locality Name |
| 0.organizationName = Organization Name |
| organizationalUnitName = Organizational Unit Name |
| commonName = Common Name |
| emailAddress = Email Address |
| |
| # Some defaults |
| countryName_default = US |
| stateOrProvinceName_default = California |
| localityName_default = Menlo Park |
| 0.organizationName_default = ON.Lab |
| organizationalUnitName_default = Test Deployment |
| emailAddress_default = privateca@opencord.org |
| |
| [ v3_ca ] |
| # Extensions for a typical CA (`man x509v3_config`). |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always,issuer |
| basicConstraints = critical, CA:TRUE |
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign |
| |
| [ v3_intermediate_ca ] |
| # Extensions for a typical intermediate CA (`man x509v3_config`). |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always,issuer |
| basicConstraints = critical, CA:TRUE, pathlen:0 |
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign |
| |
| [ crl_ext ] |
| # Extension for CRLs (`man x509v3_config`). |
| authorityKeyIdentifier=keyid:always |
| |
| [ ocsp ] |
| # Extension for OCSP signing certificates (`man ocsp`). |
| basicConstraints = CA:FALSE |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid,issuer |
| keyUsage = critical, digitalSignature |
| extendedKeyUsage = critical, OCSPSigning |
| |