-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathopenssl.conf
executable file
·217 lines (176 loc) · 8.5 KB
/
openssl.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
# ------------------------------------------------------------------------
# X509-Tool OpenSSL Configuration File
# ------------------------------------------------------------------------
HOME = $ENV::CA_DIR
RANDFILE = $ENV::CA_DIR/.rnd
openssl_conf = openssl_init
# Init
# ------------------------------------------------------------------------
[ openssl_init ]
oid_section = new_oids
[ new_oids ]
# Default CA Settings
# ------------------------------------------------------------------------
[ ca ]
default_ca = CA_default
# Default CA Settings
# ------------------------------------------------------------------------
[ CA_default ]
dir = $ENV::CA_DIR
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/db.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = client_cert # The extentions to add to the cert
default_days = 3650 # how long to certify for
default_crl_days = 3650 # how long before next CRL
default_md = sha384 # use public key default MD
preserve = no # keep passed DN ordering
unique_subject = yes # to allow multiple certs with same parameters set to "no"
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# Request Settings
# ------------------------------------------------------------------------
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = utf8only
# The extensions to add to a certificate request
req_extensions = v3_req
# Certificate Request Settings
# ------------------------------------------------------------------------
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = critical, CA:FALSE
# Key Usage
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Pass cert names via env
# ------------------------------------------------------------------------
[ req_distinguished_name ]
countryName = $ENV::KEY_COUNTRY
stateOrProvinceName = $ENV::KEY_PROVINCE
localityName = $ENV::KEY_CITY
organizationName = $ENV::KEY_ORG
organizationalUnitName = $ENV::KEY_OU
commonName = $ENV::KEY_CN
emailAddress = $ENV::KEY_EMAIL
# Client Certificate Settings
# ------------------------------------------------------------------------
[ client_cert ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = critical, CA:FALSE
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Key Usage
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth
# Server Certificate Settings
# ------------------------------------------------------------------------
[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Key Usage
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
# alt name
subjectAltName = DNS:${ENV::KEY_CN}
# Host Certificate Settings
# ------------------------------------------------------------------------
[ host_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Key Usage
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
# alt name
subjectAltName = DNS:${ENV::KEY_CN}
# Code Signing Certificate Settings
# ------------------------------------------------------------------------
[ codesigning_cert ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = critical, CA:FALSE
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Key Usage
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, codeSigning, clientAuth
# S/MIME Signing Certificate Settings
# ------------------------------------------------------------------------
[ smime_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Key Usage
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
# alt name
subjectAltName = email:${ENV::KEY_EMAIL}
# CA Settings
# ------------------------------------------------------------------------
[ v3_ca ]
# This is what PKIX recommends but some broken software chokes on critical extensions.
basicConstraints = critical, CA:true
# Extensions for a typical CA PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Key Usage
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
# Intermediate CA Settings
# ------------------------------------------------------------------------
[ ica_cert ]
# This is what PKIX recommends but some broken software chokes on critical extensions.
basicConstraints = critical, CA:true, pathlen:3
# Extensions for a typical CA PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Key Usage
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
# Revocation List Settings
# ------------------------------------------------------------------------
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always