Commit | Line | Data |
---|---|---|
b294f6b5 MW |
1 | ### -*-conf-*- |
2 | ### | |
3 | ### OpenSSL configuration for distorted.org.uk CA. | |
4 | ||
5 | ###-------------------------------------------------------------------------- | |
6 | ### Defaults. | |
7 | ||
### RANDFILE names OpenSSL's random-seed file; here it is the kernel device
### rather than a regular file on disk.
c4e3d3a6 | 8 | RANDFILE = /dev/random |
### Empty default for db_suffix.  The `database' path in [distorted-ca] expands
### $ENV::db_suffix; OpenSSL falls back to this default-section value when the
### environment variable is unset, and the default must appear before the
### expansion.
69ab55f7 | 9 | db_suffix = |
b294f6b5 MW |
10 | |
11 | ###-------------------------------------------------------------------------- | |
12 | ### Certificate request configuration. | |
13 | ||
### Defaults for `openssl req': key size, digest, and where the subject-name
### prompts and self-signed-certificate extensions come from.
14 | [req] | |
15 | default_bits = 3072 | |
### NOTE(review): encrypt_key = no makes `req' write newly generated private
### keys without a passphrase, so file permissions and storage are their only
### protection.  x509_extensions below points at the CA profile, which suggests
### this section is also used to create the CA's own key -- confirm how
### private/ca.key is protected at rest.
16 | encrypt_key = no | |
69ab55f7 | 17 | default_md = sha256 |
b294f6b5 MW |
18 | utf8 = yes |
### Extensions added when `req -x509' produces a self-signed certificate.
19 | x509_extensions = ca-extensions | |
### Subject fields are prompted for interactively, as described in [req-dn].
20 | distinguished_name = req-dn | |
21 | prompt = yes | |
22 | ||
### Subject-name prompts for `openssl req'.  For each field: the bare key is
### the prompt text, `_default' the value offered when the operator just
### presses return, and `_min'/`_max' the accepted length in characters.
### Fields without a `_default' have no pre-filled value.
23 | [req-dn] | |
24 | ||
25 | countryName = "Country name" | |
26 | countryName_default = "GB" | |
27 | countryName_min = 2 | |
28 | countryName_max = 2 | |
29 | ||
30 | stateOrProvinceName = "State, province, or county" | |
31 | stateOrProvinceName_default = "Cambridgeshire" | |
32 | stateOrProvinceName_max = 64 | |
33 | ||
34 | localityName = "Locality (e.g., city)" | |
35 | localityName_default = "Cambridge" | |
36 | localityName_max = 64 | |
37 | ||
38 | organizationName = "Organization" | |
39 | organizationName_default = "distorted.org.uk" | |
40 | organizationName_max = 64 | |
41 | organizationalUnitName = "Organizational unit" | |
42 | organizationalUnitName_max = 64 | |
43 | ||
44 | commonName = "Common name" | |
45 | commonName_max = 64 | |
46 | ||
47 | emailAddress = "Email address" | |
48 | emailAddress_max = 64 | |
49 | ||
50 | ###-------------------------------------------------------------------------- | |
51 | ### CA configuration. | |
52 | ||
### Entry point for `openssl ca': names the section holding the CA settings.
53 | [ca] | |
54 | default_ca = distorted-ca | |
### Presumably the config-file form of -preserveDN (keep the request's subject
### field order rather than the policy order).  NOTE(review): confirm that
### `openssl ca' reads this key from [ca] and not from the section named by
### default_ca.
55 | preserve = yes | |
56 | ||
### Settings for the CA selected by default_ca in [ca].  All paths are
### relative, so they resolve against the directory `openssl ca' is run from.
57 | [distorted-ca] | |
### 1825 days is about five years.  NOTE(review): that is a long lifetime for
### end-entity certificates; a compromised key stays usable until expiry unless
### it is revoked and relying parties actually check the CRL.
58 | default_days = 1825 | |
69ab55f7 | 59 | default_md = sha256 |
### unique_subject = no lets several valid certificates share one subject
### name; email_in_dn = no keeps the email address out of the subject DN.
b294f6b5 MW |
60 | unique_subject = no |
61 | email_in_dn = no | |
### The CA signing key.  It should be readable only by the CA operator.
62 | private_key = private/ca.key | |
63 | certificate = ca.cert | |
### $ENV::db_suffix takes the db_suffix environment variable, falling back to
### the empty default set at the top of the file.
69ab55f7 | 64 | database = state/db$ENV::db_suffix |
b294f6b5 MW |
65 | serial = state/serial |
66 | crlnumber = state/crlnumber | |
### Each CRL's nextUpdate is 28 hours after issue, so a fresh CRL has to be
### published at least that often or clients enforcing CRL freshness will
### treat it as expired.
69ab55f7 | 67 | default_crl_hours = 28 |
### x509_extensions: the server profile is the default; [tls-client-extensions]
### applies only when selected explicitly (e.g. with -extensions).
b294f6b5 MW |
68 | x509_extensions = tls-server-extensions |
69 | crl_extensions = crl-extensions | |
70 | policy = distorted-policy | |
71 | name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align | |
72 | cert_opt = no_header, ext_parse, no_pubkey | |
### NOTE(review): with copy_extensions = copy, any extension in the request
### that the chosen profile does not already set is copied into the
### certificate.  The profiles in this file pin basicConstraints, keyUsage and
### extendedKeyUsage, but the server profile sets no subjectAltName, so the
### names in a certificate are whatever the request asked for.  Every request
### must be inspected before it is signed.
73 | copy_extensions = copy | |
74 | ||
### Subject-name policy applied to each request: `supplied' fields must be
### present, `optional' fields may be absent.  Fields not listed here are
### dropped from the issued certificate's subject unless DN preservation is in
### effect.
75 | [distorted-policy] | |
76 | countryName = supplied | |
77 | stateOrProvinceName = optional | |
78 | localityName = optional | |
69ab55f7 | 79 | organizationName = supplied |
b294f6b5 MW |
80 | organizationalUnitName = optional |
81 | commonName = supplied | |
82 | emailAddress = optional | |
83 | ||
### Extensions written into every CRL (named by crl_extensions in
### [distorted-ca]).
84 | [crl-extensions] | |
85 | issuerAltName = email:ca@distorted.org.uk | |
### NOTE(review): crlDistributionPoints is defined as a certificate extension;
### the CRL-side counterpart is issuingDistributionPoint.  Confirm that putting
### it in the CRL itself is intended.
69ab55f7 | 86 | crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl |
b294f6b5 MW |
87 | |
### Extensions for the CA's own self-signed certificate; [req] names this
### section as its x509_extensions.
88 | [ca-extensions] | |
### CA:TRUE carries no pathlen, so the certificate does not itself limit how
### many subordinate CAs may chain below it.
89 | basicConstraints = critical, CA:TRUE | |
### NOTE(review): keyUsage is critical and lists only keyCertSign, yet
### [distorted-ca] also issues CRLs (crlnumber, default_crl_hours).  RFC 5280
### validation requires the cRLSign bit on the CRL issuer's certificate when a
### keyUsage extension is present, so clients that check CRLs may reject them.
### If this same key signs the CRLs, the line should read
###   keyUsage = critical, keyCertSign, cRLSign
### and the CA certificate must be reissued for the change to take effect.
90 | keyUsage = critical, keyCertSign | |
91 | subjectKeyIdentifier = hash | |
92 | subjectAltName = email:ca@distorted.org.uk | |
69ab55f7 | 93 | crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl |
b294f6b5 MW |
94 | |
### Profile for TLS server certificates; the default profile of [distorted-ca].
### No subjectAltName is set here, so host names reach the certificate only
### through the request (copy_extensions = copy in [distorted-ca]).
95 | [tls-server-extensions] | |
### Critical CA:FALSE stops the certificate from being accepted as an issuer.
96 | basicConstraints = critical, CA:FALSE | |
97 | keyUsage = critical, digitalSignature, keyEncipherment | |
### Restricts the certificate to TLS server authentication.
98 | extendedKeyUsage = serverAuth | |
99 | subjectKeyIdentifier = hash | |
100 | authorityKeyIdentifier = keyid:always, issuer:always | |
### Copies the issuer's subjectAltName into issuerAltName.
101 | issuerAltName = issuer:copy | |
69ab55f7 | 102 | crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl |
b294f6b5 MW |
103 | |
### Profile for TLS client certificates.  It is not the default, so it has to
### be selected explicitly when signing.
104 | [tls-client-extensions] | |
### Critical CA:FALSE stops the certificate from being accepted as an issuer.
105 | basicConstraints = critical, CA:FALSE | |
fef9ff13 | 106 | keyUsage = critical, digitalSignature, keyEncipherment |
### extendedKeyUsage restricts the certificate to TLS client authentication.
b294f6b5 MW |
107 | extendedKeyUsage = clientAuth |
108 | subjectKeyIdentifier = hash | |
109 | authorityKeyIdentifier = keyid:always,issuer:always | |
110 | issuerAltName = issuer:copy | |
### email:copy places the email address from the request's subject into
### subjectAltName; email_in_dn = no in [distorted-ca] keeps it out of the
### subject DN itself.
111 | subjectAltName = email:copy | |
69ab55f7 | 112 | crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl |
b294f6b5 MW |
113 | |
114 | ###----- That's all, folks -------------------------------------------------- |