src/net/data/ssl/scripts/ca.cnf

   1 # Defaults in the event they're not set in the environment
   2 CA_DIR    = out
   3 KEY_SIZE  = 2048
   4 ALGO      = sha256
   5 CERT_TYPE = root
   6 CA_NAME   = req_env_dn
   7
   8 [ca]
   9 default_ca = CA_root
  10 preserve   = yes
  11
  12 # The default test root, used to generate certificates and CRLs.
  13 [CA_root]
  14 dir           = $ENV::CA_DIR
  15 key_size      = $ENV::KEY_SIZE
  16 algo          = $ENV::ALGO
  17 cert_type     = $ENV::CERT_TYPE
  18 type          = $key_size-$algo-$cert_type
  19 database      = $dir/$type-index.txt
  20 new_certs_dir = $dir
  21 serial        = $dir/$type-serial
  22 certificate   = $dir/$type.pem
  23 private_key   = $dir/$type.key
  24 RANDFILE      = $dir/.rand
  25 default_days     = 3650
  26 default_crl_days = 30
  27 default_md       = sha256
  28 policy           = policy_anything
  29 unique_subject   = no
  30 copy_extensions  = copy
  31
  32 [user_cert]
  33 # Extensions to add when signing a request for an EE cert
  34 basicConstraints       = critical, CA:false
  35 subjectKeyIdentifier   = hash
  36 authorityKeyIdentifier = keyid:always
  37 extendedKeyUsage       = serverAuth,clientAuth
  38
  39 [name_constraint_bad]
  40 # A leaf cert that will violate the root's imposed name constraints
  41 basicConstraints       = critical, CA:false
  42 subjectKeyIdentifier   = hash
  43 authorityKeyIdentifier = keyid:always
  44 extendedKeyUsage       = serverAuth,clientAuth
  45 subjectAltName         = @san_name_constraint_bad
  46
  47 [name_constraint_good]
  48 # A leaf cert that will match the root's imposed name constraints
  49 basicConstraints       = critical, CA:false
  50 subjectKeyIdentifier   = hash
  51 authorityKeyIdentifier = keyid:always
  52 extendedKeyUsage       = serverAuth,clientAuth
  53 subjectAltName         = @san_name_constraint_good
  54
  55 [san_name_constraint_bad]
  56 DNS.1 = test.ExAmPlE.CoM
  57 DNS.2 = test.ExAmPlE.OrG
  58
  59 [san_name_constraint_good]
  60 DNS.1 = test.ExAmPlE.CoM
  61 DNS.2 = example.notarealtld
  62
  63 [ca_cert]
  64 # Extensions to add when signing a request for an intermediate/CA cert
  65 basicConstraints       = critical, CA:true
  66 subjectKeyIdentifier   = hash
  67 #authorityKeyIdentifier = keyid:always
  68 keyUsage               = critical, keyCertSign, cRLSign
  69
  70 [crl_extensions]
  71 # Extensions to add when signing a CRL
  72 authorityKeyIdentifier = keyid:always
  73
  74 [policy_anything]
  75 # Default signing policy
  76 countryName            = optional
  77 stateOrProvinceName    = optional
  78 localityName           = optional
  79 organizationName       = optional
  80 organizationalUnitName = optional
  81 commonName             = optional
  82 emailAddress           = optional
  83
  84 [req]
  85 # The request section used to generate the root CA certificate. This should
  86 # not be used to generate end-entity certificates. For certificates other
  87 # than the root CA, see README to find the appropriate configuration file
  88 # (ie: openssl_cert.cnf).
  89 default_bits       = $ENV::KEY_SIZE
  90 default_md         = sha256
  91 string_mask        = utf8only
  92 prompt             = no
  93 encrypt_key        = no
  94 distinguished_name = $ENV::CA_NAME
  95 x509_extensions    = req_ca_exts
  96
  97 [req_ca_dn]
  98 C  = US
  99 ST = California
 100 L  = Mountain View
 101 O  = Test CA
 102 CN = Test Root CA
 103
 104 [req_intermediate_dn]
 105 C  = US
 106 ST = California
 107 L  = Mountain View
 108 O  = Test CA
 109 CN = Test Intermediate CA
 110
 111 [req_env_dn]
 112 CN = $ENV::CA_COMMON_NAME
 113
 114 [req_ca_exts]
 115 basicConstraints       = critical, CA:true
 116 keyUsage               = critical, keyCertSign, cRLSign
 117 subjectKeyIdentifier   = hash