roles/pki-intermediate-ca/templates/openssl_im.cnf.j2

{#
Copyright 2017-present Open Networking Foundation

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
#}


# Created by openssl_im.cnf.j2, configured by ansible

[ ca ]
default_ca  = CA_default

[ CA_default ]
dir               = {{ pki_dir }}/{{ site_name }}_im_ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.randfile

private_key       = $dir/private/im_key.pem
certificate       = $dir/certs/im_cert.pem

crlnumber         = $dir/crl/crlnumber
crl               = $dir/crl/im_crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# Make new requests easier to sign - allow two subjects with same name
# (Or revoke the old certificate first.)
unique_subject    = no

default_md        = {{ ca_digest }}

name_opt          = ca_default
cert_opt          = ca_default
default_days      = {{ ca_im_days }}
preserve          = no

# for CA that signs client certs
policy            = policy_loose

[ policy_loose ]
# Allow the intermediate CA to sign more types of certs
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits         = {{ ca_size }}
default_md           = {{ ca_digest }}
distinguished_name   = req_distinguished_name
string_mask          = utf8only
x509_extensions      = v3_intermediate_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Some defaults
countryName_default             = US
stateOrProvinceName_default     = California
localityName_default            = Menlo Park
0.organizationName_default      = ON.Lab
organizationalUnitName_default  = {{ site_humanname }}
emailAddress_default            = privateca@opencord.org

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = ${ENV::KEY_ALTNAMES}

[ user_cert ]
# Extensions for client certificates (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage = clientAuth, emailProtection

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning