{#
Copyright 2017-present Open Networking Foundation

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
#}


# Created by openssl_im.cnf.j2, configured by ansible
#
# OpenSSL configuration for this site's intermediate CA. [ req ] drives
# `openssl req` when the intermediate's own key/CSR is generated; [ ca ] and
# [ CA_default ] drive `openssl ca` when this intermediate issues server,
# client and OCSP-responder certificates using the extension sections below.
# All `{{ ... }}` values are filled in by Ansible before OpenSSL reads the file.

[ ca ]
# `openssl ca` starts here; this section only names the one that holds the
# real CA settings.
default_ca = CA_default

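[ CA_default ]
# Working directory of this site's intermediate CA; every other path in this
# section is relative to it. Both pieces come from the Ansible inventory.
dir = {{ pki_dir }}/{{ site_name }}_im_ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
# Issued-certificate index and next serial number. `openssl ca` rewrites both
# on every signing, so they must stay in step with newcerts/ (back them up
# together).
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.randfile

# The intermediate's own signing key and certificate. The key is the secret
# behind every certificate this CA issues; private/ should be readable only
# by the account that runs `openssl ca`.
private_key = $dir/private/im_key.pem
certificate = $dir/certs/im_cert.pem

# CRL settings. A generated CRL is valid for default_crl_days; relying
# parties that check it reject certificates once it has expired, so a fresh
# CRL has to be published at least that often.
crlnumber = $dir/crl/crlnumber
crl = $dir/crl/im_crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# Make new requests easier to sign - allow two subjects with same name
# (Or revoke the old certificate first.)
# Consequence: several unexpired certificates can exist for one subject, so
# revocation has to be tracked by serial number in index.txt, not by name.
unique_subject = no

# Never take X.509v3 extensions from the CSR. This is OpenSSL's behaviour
# when the option is absent; it is spelled out because the extension
# sections in this file ([ server_cert ], [ user_cert ], [ ocsp ]) are the
# only intended source of keyUsage/extendedKeyUsage/subjectAltName. A CSR
# must not be able to request its own SANs or CA:TRUE.
copy_extensions = none

# Signature digest for issued certificates and CRLs, from inventory.
# NOTE(review): expected to be sha256 or stronger - confirm the inventory value.
default_md = {{ ca_digest }}

name_opt = ca_default
cert_opt = ca_default
# Validity of certificates *issued by* this CA when `openssl ca` is run
# without -days. It does not set the lifetime of the intermediate
# certificate itself; that is fixed by whichever CA signs the intermediate's
# CSR.
default_days = {{ ca_im_days }}
# Do not keep the CSR's DN field order; the subject is rebuilt from policy.
preserve = no

# for CA that signs client certs
# Only commonName is mandatory and nothing has to match this CA's own DN
# (see [ policy_loose ]), so the CA does not constrain the subject - CSR
# contents must be vetted before they reach `openssl ca`.
policy = policy_loose
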
[ policy_loose ]
# Allow the intermediate CA to sign more types of certs
# DN policy `openssl ca` applies to each CSR: "supplied" fields must be
# present, "optional" fields are passed through if present. No field is
# required to "match" the CA's own certificate, so any country, organisation
# or locality can be certified - the subject is whatever the CSR says.
# Identity checks therefore have to happen before the request is signed.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Settings for `openssl req` (key/CSR generation for the intermediate).
# RSA key size in bits and signature digest, both from inventory.
default_bits = {{ ca_size }}
default_md = {{ ca_digest }}
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only - no PrintableString/T61/BMP mix that
# can make the same DN compare unequal.
string_mask = utf8only
# Only applied when `req -x509` produces a self-signed certificate. When the
# CSR is instead signed by a root CA, the CA-type extensions come from the
# root's own configuration (assuming the root does not copy CSR extensions).
x509_extensions = v3_intermediate_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompt labels shown by `openssl req`. The `0.` prefix on organizationName
# is OpenSSL's way of letting a field name appear more than once in a section.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Some defaults
# Pre-filled answers accepted by pressing Enter (or overridden with -subj).
# Only the OU is site-specific; the rest identify ON.Lab.
countryName_default = US
stateOrProvinceName_default = California
localityName_default = Menlo Park
0.organizationName_default = ON.Lab
organizationalUnitName_default = {{ site_humanname }}
emailAddress_default = privateca@opencord.org

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# Used when this intermediate's certificate is self-signed via `req -x509`
# (see [ req ]); a root CA signing the CSR applies its own equivalent.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# CA:TRUE with pathlen:0 - this CA may issue end-entity certificates only;
# a further sub-CA signed by it would fail path validation. Critical so a
# client cannot ignore the constraint.
basicConstraints = critical, CA:TRUE, pathlen:0
# keyCertSign and cRLSign are the CA functions. digitalSignature additionally
# allows the CA key itself to sign OCSP responses if no delegated responder
# ([ ocsp ]) is used.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# Select with `openssl ca -extensions server_cert`.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Leaf certificate - cannot be used to sign other certificates.
basicConstraints = CA:FALSE
# digitalSignature covers (EC)DHE handshakes, keyEncipherment RSA key
# transport. Critical so clients must honour the restriction.
keyUsage = critical, digitalSignature, keyEncipherment
# TLS server use only; not valid as a client or S/MIME certificate.
extendedKeyUsage = serverAuth
# Hostnames/IPs come from the KEY_ALTNAMES environment variable of the
# `openssl ca` invocation (OpenSSL SAN syntax, e.g. `DNS:name,IP:addr`), not
# from the CSR, because CSR extensions are not copied in this configuration.
# OpenSSL aborts the signing if the variable is unset - that is the safe
# failure; do not add a fallback that would issue a name-less certificate.
subjectAltName = ${ENV::KEY_ALTNAMES}

[ user_cert ]
# Extensions for client certificates (`man x509v3_config`).
# Select with `openssl ca -extensions user_cert`.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Leaf certificate - cannot be used to sign other certificates.
basicConstraints = CA:FALSE
# nonRepudiation (contentCommitment) and keyEncipherment are there for
# S/MIME signing and key transport; digitalSignature for TLS client auth.
keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
# TLS client authentication and S/MIME; cannot be presented as a TLS server.
extendedKeyUsage = clientAuth, emailProtection
# No subjectAltName: the holder is identified by the DN alone (CN and
# emailAddress). NOTE(review): S/MIME clients that look for an rfc822Name
# SAN would not find one here - confirm against the intended mail usage.

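[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
# The CRL carries only the issuer's key identifier so relying parties can
# match it to the intermediate certificate. `always` makes CRL generation
# fail rather than emit a CRL without the identifier.
authorityKeyIdentifier = keyid:always
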
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# Profile for a delegated OCSP responder certificate issued by this CA;
# select with `openssl ca -extensions ocsp`.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# digitalSignature only - the responder signs OCSP responses and nothing else.
keyUsage = critical, digitalSignature
# Critical OCSPSigning EKU: clients accept responses from this certificate
# for certificates issued by the same CA and reject it for any other use.
extendedKeyUsage = critical, OCSPSigning
# NOTE(review): no `noCheck = ignore` (id-pkix-ocsp-nocheck) is set, so a
# client may try to check this responder certificate's own revocation
# status; decide whether that, or a short responder lifetime, is intended.
