1 # Minimal OpenSSL configuration needed to act as the CA for domtool
3 # intentionally not setting RANDFILE, because it is useless on modern
7 default_ca = Domtool_CA
10 dir = ${Domtool_Defaults::ca_dir}
16 # Needed because domtool does not revoke certs before reissuing.
17 # This is a risk: if a private key were to leak, the old cert stays valid until it is explicitly revoked.
20 new_certs_dir = $dir/newcerts
22 certificate = $dir/ca-cert.pem
24 crlnumber = $dir/crlnumber
27 private_key = $dir/private/ca-key.pem
28 RANDFILE = $dir/private/.rand
30 x509_extensions = usr_cert
35 crl_extensions = crl_ext
42 policy = policy_domtool
45 # Domtool doesn't care where you claim to live
46 #countryName = optional
47 #stateOrProvinceName = optional
48 #localityName = optional
49 organizationName = optional
50 organizationalUnitName = optional
52 emailAddress = supplied
54 # The req section is only used when generating the request for the CA's own self-signed certificate.
57 default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
61 distinguished_name = root_ca_distinguished_name
64 # Extensions added to the self-signed certificate generated for the CA itself
65 x509_extensions = v3_ca
68 # These extensions are added when 'ca' signs a request.
69 subjectKeyIdentifier=hash
70 authorityKeyIdentifier=keyid,issuer
71 basicConstraints=CA:FALSE
72 # nsCaRevocationUrl is left unset, since domtool does not check revocations
73 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
76 # These extensions are added when the CA signs itself
77 subjectKeyIdentifier=hash
78 authorityKeyIdentifier=keyid:always,issuer:always
79 # pathlen:0 ensures this CA can sign only user (end-entity) certificates, not another CA
80 basicConstraints = critical,CA:true,pathlen:0
82 [ root_ca_distinguished_name ]
83 commonName = ${Domtool_Defaults::org_name}
85 #stateOrProvinceName = CA
86 #localityName = Berkeley
87 0.organizationName = ${Domtool_Defaults::org_domain}
88 emailAddress = ca@${Domtool_Defaults::org_domain}
91 authorityKeyIdentifier=keyid:always,issuer:always