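# Created by openssl_root.cnf.j2, configured by ansible
#
# OpenSSL configuration for the root CA. `openssl ca` reads [ ca ] / [ CA_default ]
# when signing intermediate CA certificates; `openssl req` reads [ req ] when the
# root's own self-signed certificate is created. {{ ... }} placeholders are
# ansible variables.

[ ca ]
# Section that `openssl ca` takes its settings from.
default_ca = CA_default
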
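[ CA_default ]
# All paths are relative to the per-deployment PKI directory; $dir is expanded
# by OpenSSL's config parser.
dir = {{ pki_dir }}/root_ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
# index.txt is the issuance database; serial holds the next serial number.
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.randfile

# Root CA key and certificate.
private_key = $dir/private/ca_key.pem
certificate = $dir/certs/ca_cert.pem

# CRL settings: crl_ext adds an authorityKeyIdentifier to each CRL, and a CRL's
# nextUpdate is 30 days after issue.
crlnumber = $dir/crl/crlnumber
crl = $dir/crl/ca_crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# Make new requests easier to sign - allow two subjects with same name
# (Or revoke the old certificate first.)
# NOTE(review): with unique_subject = no a replacement intermediate can be issued
# while the earlier one with the same subject is still valid; when a re-issue is
# intentional, find the old entry in index.txt and revoke it.
unique_subject = no

default_md = {{ ca_digest }}
name_opt = ca_default
cert_opt = ca_default
# Validity applied to certificates signed by this CA, i.e. the intermediates.
# NOTE(review): the root's own lifetime is fixed when it is self-signed with
# `openssl req -x509`, not by this key - confirm the playbook passes the intended
# value there as well.
default_days = {{ ca_root_days }}
# DN field order follows the policy section rather than the request.
preserve = no

# copy_extensions is not set, so OpenSSL's default (none) applies: extensions
# carried in a CSR are ignored and only the -extensions section chosen at signing
# time (e.g. v3_intermediate_ca) ends up in the certificate.

# for CA that only signs intermediate CA certs
policy = policy_strict
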
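[ policy_strict ]
# Used by root CA to sign intermediate CAs. "match" fields must equal the
# corresponding field of the root's own subject, "supplied" must be present in
# the request, "optional" may be omitted.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
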
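[ req ]
# Settings for `openssl req`, used to generate the root key and its self-signed
# certificate.
default_bits = {{ ca_size }}
default_md = {{ ca_digest }}
distinguished_name = req_distinguished_name
# Only UTF8String is used for DN fields (no T61/BMP string encodings).
string_mask = utf8only
# Extensions added when the request is self-signed with -x509.
x509_extensions = v3_ca
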
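[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompt text for each DN field. The "0." prefix on organizationName is how
# OpenSSL distinguishes it from any further organizationName entries.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Some defaults
# NOTE(review): these identify a test deployment (ON.Lab / Test Deployment);
# a production root should not be created with these defaults.
countryName_default = US
stateOrProvinceName_default = California
localityName_default = Menlo Park
0.organizationName_default = ON.Lab
organizationalUnitName_default = Test Deployment
emailAddress_default = privateca@opencord.org
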
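[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
# Applied to the self-signed root: CA:TRUE with no pathlen, so chain depth below
# the root is bounded only by the intermediates' own constraints; keyUsage limits
# the key to certificate, CRL and digital signing (no encipherment).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
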
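[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# pathlen:0 means the intermediate may issue end-entity certificates only, not
# further CA certificates. Nothing in this file references this section; it is
# presumably selected with `openssl ca -extensions v3_intermediate_ca` - confirm
# the playbook passes it, otherwise signing falls back to no extensions section.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
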
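[ crl_ext ]
# Extension for CRLs (`man x509v3_config`); referenced by crl_extensions in
# [ CA_default ].
authorityKeyIdentifier = keyid:always
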
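[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# End-entity only (CA:FALSE) with the OCSPSigning EKU, so the key can sign OCSP
# responses but not certificates. Not referenced elsewhere in this file; select
# it with -extensions ocsp when issuing a responder certificate.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
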