# Created by openssl_im.cnf.j2, configured by ansible
#
# OpenSSL configuration for the per-site intermediate CA. The Jinja2
# placeholders are filled in by Ansible when the template is rendered;
# $dir and ${ENV::...} references are expanded by OpenSSL when the file
# is loaded.

[ ca ]
# Section that `openssl ca` takes its settings from.
default_ca = CA_default

[ CA_default ]
# Root of this intermediate CA's on-disk layout; every path below is
# relative to it, so it must come first.
dir = {{ pki_dir }}/{{ site_name }}_im_ca

# Key and certificate of the intermediate CA itself.
private_key = $dir/private/im_key.pem
certificate = $dir/certs/im_cert.pem

# Issued certificates, the index database, the serial counter and the
# PRNG seed file.
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.randfile

# Revocation: CRL output file, its counter, its extension section and
# how many days a freshly issued CRL stays valid.
crl_dir = $dir/crl
crl = $dir/crl/im_crl.pem
crlnumber = $dir/crl/crlnumber
crl_extensions = crl_ext
default_crl_days = 30

# Make new requests easier to sign - allow two subjects with same name
# (Or revoke the old certificate first.)
unique_subject = no

# Digest used to sign certificates and CRLs, and the lifetime in days
# of certificates issued by this CA.
default_md = {{ ca_digest }}
default_days = {{ ca_im_days }}

# Display options for names and certificate details shown while signing.
name_opt = ca_default
cert_opt = ca_default

# Do not keep the DN attribute order of the request; the order of the
# fields in the policy section is used instead.
preserve = no

# for CA that signs client certs
policy = policy_loose

[ policy_loose ]
# Allow the intermediate CA to sign more types of certs
# "optional" attributes are taken from the request when present;
# "supplied" attributes must be present. No attribute is "match", so the
# subject need not share any value with the CA certificate. Field order
# here is also the DN order of issued certificates (see preserve).
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Settings for `openssl req` when creating the intermediate CA's own key
# and certificate request.
# Key size in bits for keys that `req` generates.
default_bits = {{ ca_size }}
# Digest used to sign the request.
default_md = {{ ca_digest }}
# Section holding the DN prompts and their defaults.
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only; no legacy T61/BMP encodings.
string_mask = utf8only
# Extensions used when `req -x509` self-signs. When the request is signed
# by another CA, that CA's configuration decides the extensions instead.
x509_extensions = v3_intermediate_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompt labels, in the order `req` asks for them. The "0." prefix lets
# the same attribute type be listed more than once (0., 1., ...).
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Some defaults
# Values offered at each prompt when the operator just presses Enter;
# the organizational unit is the human-readable site name from Ansible.
countryName_default = US
stateOrProvinceName_default = California
localityName_default = Menlo Park
0.organizationName_default = ON.Lab
organizationalUnitName_default = {{ site_humanname }}
emailAddress_default = privateca@opencord.org

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# Subject key id is the hash of the public key. The authority key id
# must carry the issuer's key id; issuer name and serial are only added
# if that key id cannot be obtained.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# A CA, but pathlen:0 means it may only issue end-entity certificates,
# never another CA.
basicConstraints = critical, CA:TRUE, pathlen:0
# Critical: the key may sign certificates and CRLs and nothing else.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
subjectKeyIdentifier = hash
# Issuer name and serial are always included next to the key id.
authorityKeyIdentifier = keyid,issuer:always
# End-entity certificate; must not sign other certificates.
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# Usable only as a TLS server identity.
extendedKeyUsage = serverAuth
# Hostnames/IPs come from the KEY_ALTNAMES environment variable at
# signing time; OpenSSL fails to load this section when it is unset.
# Nothing in this file sets copy_extensions, so a SAN present in the
# request itself is ignored and this is the only SAN source.
subjectAltName = ${ENV::KEY_ALTNAMES}

[ user_cert ]
# Extensions for client certificates (`man x509v3_config`).
subjectKeyIdentifier = hash
# Issuer name and serial are always included next to the key id.
authorityKeyIdentifier = keyid,issuer:always
# End-entity certificate; must not sign other certificates.
basicConstraints = CA:FALSE
# nonRepudiation (contentCommitment) is asserted in addition to the
# signing and key-transport bits.
keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
# Client TLS authentication and S/MIME.
extendedKeyUsage = clientAuth, emailProtection

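[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
# Only the authority key id is added so relying parties can match the
# CRL to the intermediate CA certificate; keyid:always makes a missing
# key id an error rather than a silent omission.
# Delimiter spacing matches the rest of the file (OpenSSL ignores it).
authorityKeyIdentifier = keyid:always
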
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# End-entity certificate for an OCSP responder.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# Issuer name and serial are only added if the key id is unavailable.
authorityKeyIdentifier = keyid,issuer
# Signing only. The EKU is critical so the certificate cannot be
# repurposed for TLS or any other use.
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
