[hcoop/domtool2.git] / bootstrap / common.ssl.conf

# Minimal openssl configuration needed to be a CA for domtool

# intentionally not setting RANDFILE, because it is useless on modern
# machines.

[ ca ]
default_ca = Domtool_CA

[ Domtool_CA ]
dir             = ${Domtool_Defaults::ca_dir}

certs		= $dir/certs		
crl_dir		= $dir/crl		
database	= $dir/index

# Needed because domtool does not revoke certs before
# reissuing. Possibly bad behavior, if a private key were to leak.
unique_subject	= no
					
new_certs_dir	= $dir/newcerts		

certificate	= $dir/ca-cert.pem 	
serial		= $dir/serial 		
crlnumber	= $dir/crlnumber	
					
crl		= $dir/crl.pem 		
private_key	= $dir/private/ca-key.pem
RANDFILE	= $dir/private/.rand	

x509_extensions	= usr_cert

name_opt 	= ca_default
cert_opt 	= ca_default

crl_extensions	= crl_ext

default_days	= 365			
default_crl_days= 30
default_md      = sha1
preserve	= no			

policy		= policy_domtool

[ policy_domtool ]
# Domtool doesn't care where you claim to live
#countryName		= optional
#stateOrProvinceName	= optional
#localityName            = optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= supplied

# req section is only used when generating the request for the CA to sign itself!
[ req ]
default_bits            = 4096
default_keyfile         = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
default_md              = sha1

prompt                  = no
distinguished_name      = root_ca_distinguished_name
string_mask = nombstr

# Extensions to add to the self-signed cert generated to certificate the CA
x509_extensions = v3_ca

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem

[ v3_ca ]
# These extensions are added when the CA signs itself
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# Ensure only user certificates and not another ca can be signed
basicConstraints = critical,CA:true,pathlen:0

[ root_ca_distinguished_name ]
commonName = ${Domtool_Defaults::org_name}
#countryName = US
#stateOrProvinceName = CA
#localityName = Berkeley
0.organizationName = ${Domtool_Defaults::org_domain}
emailAddress = ca@${Domtool_Defaults::org_domain}

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
Commit	Line	Data
0f9f712c CE	1	# Minimal openssl configuration needed to be a CA for domtool
	2
	3	# intentionally not setting RANDFILE, because it is useless on modern
	4	# machines.
	5
	6	[ ca ]
	7	default_ca = Domtool_CA
	8
	9	[ Domtool_CA ]
	10	dir = ${Domtool_Defaults::ca_dir}
	11
	12	certs = $dir/certs
	13	crl_dir = $dir/crl
	14	database = $dir/index
	15
	16	# Needed because domtool does not revoke certs before
	17	# reissuing. Possibly bad behavior, if a private key were to leak.
	18	unique_subject = no
	19
	20	new_certs_dir = $dir/newcerts
	21
	22	certificate = $dir/ca-cert.pem
	23	serial = $dir/serial
	24	crlnumber = $dir/crlnumber
	25
	26	crl = $dir/crl.pem
	27	private_key = $dir/private/ca-key.pem
	28	RANDFILE = $dir/private/.rand
	29
	30	x509_extensions = usr_cert
	31
	32	name_opt = ca_default
	33	cert_opt = ca_default
	34
	35	crl_extensions = crl_ext
	36
	37	default_days = 365
	38	default_crl_days= 30
	39	default_md = sha1
	40	preserve = no
	41
	42	policy = policy_domtool
	43
	44	[ policy_domtool ]
	45	# Domtool doesn't care where you claim to live
	46	#countryName = optional
	47	#stateOrProvinceName = optional
	48	#localityName = optional
	49	organizationName = optional
	50	organizationalUnitName = optional
	51	commonName = supplied
	52	emailAddress = supplied
	53
	54	# req section is only used when generating the request for the CA to sign itself!
	55	[ req ]
	56	default_bits = 4096
	57	default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
	58	default_md = sha1
	59
	60	prompt = no
	61	distinguished_name = root_ca_distinguished_name
	62	string_mask = nombstr
	63
	64	# Extensions to add to the self-signed cert generated to certificate the CA
65	x509_extensions = v3_ca
66
67	[ usr_cert ]
68	# These extensions are added when 'ca' signs a request.
69	subjectKeyIdentifier=hash
70	authorityKeyIdentifier=keyid,issuer
71	basicConstraints=CA:FALSE
72	# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
73	#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
74
75	[ v3_ca ]
76	# These extensions are added when the CA signs itself
77	subjectKeyIdentifier=hash
78	authorityKeyIdentifier=keyid:always,issuer:always
79	# Ensure only user certificates and not another ca can be signed
80	basicConstraints = critical,CA:true,pathlen:0
81
82	[ root_ca_distinguished_name ]
83	commonName = ${Domtool_Defaults::org_name}
84	#countryName = US
85	#stateOrProvinceName = CA
86	#localityName = Berkeley
87	0.organizationName = ${Domtool_Defaults::org_domain}
88	emailAddress = ca@${Domtool_Defaults::org_domain}
89
90	[ crl_ext ]
91	authorityKeyIdentifier=keyid:always,issuer:always