# Minimal openssl configuration needed to be a CA for domtool

# RANDFILE is intentionally not set at file level: modern OpenSSL (1.1.1 and
# later) seeds from the operating system and ignores it.  The one inside
# [ Domtool_CA ] is only there for older releases.

[ ca ]
# Section the "openssl ca" command reads unless -name overrides it.
default_ca = Domtool_CA
8 | ||
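[ Domtool_CA ]
# Root of the CA state; expanded from the Domtool_Defaults section of the
# including configuration.
dir = ${Domtool_Defaults::ca_dir}

certs = $dir/certs
crl_dir = $dir/crl
# Flat-file index of every certificate issued -- the "ca" app's database.
database = $dir/index

# Needed because domtool does not revoke certs before reissuing, so the
# same subject legitimately appears more than once in the index.
# The cost: reissuing does NOT invalidate a leaked private key.  A leaked
# cert must be explicitly revoked (openssl ca -revoke) and a new CRL
# generated, and nothing in this file makes relying parties check CRLs.
unique_subject = no

new_certs_dir = $dir/newcerts

certificate = $dir/ca-cert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber

crl = $dir/crl.pem
# The CA signing key.  Keep $dir/private mode 0700: anything that can read
# this file can issue certificates that domtool's relying parties trust.
private_key = $dir/private/ca-key.pem
# Seed file for pre-1.1.1 OpenSSL; modern releases seed from the OS and
# ignore it.  Kept only so older installs keep working.
RANDFILE = $dir/private/.rand

# Extensions stamped on every certificate this CA issues.
x509_extensions = usr_cert

name_opt = ca_default
cert_opt = ca_default

crl_extensions = crl_ext

# Validity of issued certificates and CRLs, in days.
default_days = 365
default_crl_days= 30
# Was sha1.  SHA-1 certificate signatures are rejected by current TLS
# stacks and by OpenSSL 3.x at its default security level; SHA-256 is the
# floor for anything issued today.  Keep in step with default_md in [ req ].
default_md = sha256
# Subject DN is rebuilt from policy_domtool rather than copied verbatim
# from the request.
preserve = no

policy = policy_domtool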
43 | ||
[ policy_domtool ]
# Which subject fields a request must carry before this CA will sign it:
#   supplied  - must be present, any value is accepted
#   optional  - may be present
# Fields not listed here are silently dropped from the issued certificate
# (preserve = no above), so a requester cannot smuggle in extra DN
# components.
# Domtool doesn't care where you claim to live
#countryName = optional
#stateOrProvinceName = optional
#localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied
53 | ||
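# req section is only used when generating the request for the CA to sign itself!
[ req ]
# RSA key size for the CA key; 4096 is a sensible floor for a long-lived root.
default_bits = 4096
default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
# Digest for the self-signed CA certificate.  Was sha1: SHA-1 signatures are
# rejected by current validators and by OpenSSL 3.x at its default security
# level, and a SHA-1 root is out of step with what the CA should be issuing.
# Keep in step with default_md in [ Domtool_CA ].
default_md = sha256

# Take the subject verbatim from root_ca_distinguished_name; never prompt.
prompt = no
distinguished_name = root_ca_distinguished_name
# nombstr = PrintableString/T61String only (no BMPString/UTF8String).  This
# is the legacy mask; utf8only is the modern default and what RFC 5280
# recommends, but switching changes the subject's DER encoding, so do it
# only when the CA is being (re)generated, not on a live one.
string_mask = nombstr

# Extensions to add to the self-signed cert that certifies the CA itself
x509_extensions = v3_ca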
66 | ||
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# Issued certs can never act as CAs, whatever the request asked for.
basicConstraints=CA:FALSE
# NOTE(review): no keyUsage / extendedKeyUsage is set here, so an issued
# cert is accepted for any purpose (TLS server, client auth, signing).
# Whether domtool's relying parties need that breadth is not visible from
# this file -- confirm how the certs are consumed before tightening.
# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
# (it is a legacy Netscape extension in any case; crlDistributionPoints is
# the standard equivalent if revocation checking is ever added)
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
74 | ||
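[ v3_ca ]
# These extensions are added when the CA signs itself (openssl req -x509).
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# Ensure only user certificates and not another ca can be signed
basicConstraints = critical,CA:true,pathlen:0
# Restrict the CA key to signing certificates and CRLs.  RFC 5280 4.2.1.3
# requires keyUsage on CA certificates; marking it critical makes validators
# refuse the CA key for anything else (e.g. as a TLS identity).  If domtool
# ever uses ca-cert.pem directly as a server/client cert this would need
# revisiting -- nothing in this file suggests it does.
keyUsage = critical, keyCertSign, cRLSign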
81 | ||
[ root_ca_distinguished_name ]
# Subject of the self-signed CA certificate.  prompt = no in [ req ], so
# these values are used verbatim; they come from the Domtool_Defaults
# section of the including configuration.
commonName = ${Domtool_Defaults::org_name}
#countryName = US
#stateOrProvinceName = CA
#localityName = Berkeley
# "0." is the numbered-key form that allows several organizationName
# entries; only one is set here.
0.organizationName = ${Domtool_Defaults::org_domain}
emailAddress = ca@${Domtool_Defaults::org_domain}
89 | ||
[ crl_ext ]
# Extensions added to CRLs this CA generates (openssl ca -gencrl).
authorityKeyIdentifier=keyid:always,issuer:always