roles/pki-root-ca/templates/openssl_root.cnf.j2

{#
Copyright 2017-present Open Networking Foundation

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
#}


# Created by openssl_root.cnf.j2, configured by ansible

[ ca ]
default_ca  = CA_default

[ CA_default ]
dir               = {{ pki_dir }}/root_ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.randfile

private_key       = $dir/private/ca_key.pem
certificate       = $dir/certs/ca_cert.pem

crlnumber         = $dir/crl/crlnumber
crl               = $dir/crl/ca_crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# Make new requests easier to sign - allow two subjects with same name
# (Or revoke the old certificate first.)
unique_subject    = no

default_md        = {{ ca_digest }}
name_opt          = ca_default
cert_opt          = ca_default
default_days      = {{ ca_root_days }}
preserve          = no

# for CA that only signs intermediate CA certs
policy            = policy_strict

[ policy_strict ]
# Used by root CA to sign intermediate CA's, should match
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits         = {{ ca_size }}
default_md           = {{ ca_digest }}
distinguished_name   = req_distinguished_name
string_mask          = utf8only
x509_extensions      = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Some defaults
countryName_default             = US
stateOrProvinceName_default     = California
localityName_default            = Menlo Park
0.organizationName_default      = ON.Lab
organizationalUnitName_default  = Test Deployment
emailAddress_default            = privateca@opencord.org

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning