hcoop: remove mccarthy and navajos from domtool control
[hcoop/domtool2.git] / bootstrap / common.ssl.conf
CommitLineData
0f9f712c
CE
1# Minimal openssl configuration needed to be a CA for domtool
2
3# intentionally not setting RANDFILE, because it is useless on modern
4# machines.
5
6[ ca ]
7default_ca = Domtool_CA
8
9[ Domtool_CA ]
10dir = ${Domtool_Defaults::ca_dir}
11
12certs = $dir/certs
13crl_dir = $dir/crl
14database = $dir/index
15
16# Needed because domtool does not revoke certs before
17# reissuing. Possibly bad behavior, if a private key were to leak.
18unique_subject = no
19
20new_certs_dir = $dir/newcerts
21
22certificate = $dir/ca-cert.pem
23serial = $dir/serial
24crlnumber = $dir/crlnumber
25
26crl = $dir/crl.pem
27private_key = $dir/private/ca-key.pem
28RANDFILE = $dir/private/.rand
29
30x509_extensions = usr_cert
31
32name_opt = ca_default
33cert_opt = ca_default
34
35crl_extensions = crl_ext
36
37default_days = 365
38default_crl_days= 30
39default_md = sha1
40preserve = no
41
42policy = policy_domtool
43
44[ policy_domtool ]
45# Domtool doesn't care where you claim to live
46#countryName = optional
47#stateOrProvinceName = optional
48#localityName = optional
49organizationName = optional
50organizationalUnitName = optional
51commonName = supplied
52emailAddress = supplied
53
54# req section is only used when generating the request for the CA to sign itself!
55[ req ]
56default_bits = 4096
57default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
58default_md = sha1
59
60prompt = no
61distinguished_name = root_ca_distinguished_name
62string_mask = nombstr
63
64# Extensions to add to the self-signed cert generated to certificate the CA
65x509_extensions = v3_ca
66
67[ usr_cert ]
68# These extensions are added when 'ca' signs a request.
69subjectKeyIdentifier=hash
70authorityKeyIdentifier=keyid,issuer
71basicConstraints=CA:FALSE
72# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
73#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
74
75[ v3_ca ]
76# These extensions are added when the CA signs itself
77subjectKeyIdentifier=hash
78authorityKeyIdentifier=keyid:always,issuer:always
79# Ensure only user certificates and not another ca can be signed
80basicConstraints = critical,CA:true,pathlen:0
81
82[ root_ca_distinguished_name ]
83commonName = ${Domtool_Defaults::org_name}
84#countryName = US
85#stateOrProvinceName = CA
86#localityName = Berkeley
870.organizationName = ${Domtool_Defaults::org_domain}
88emailAddress = ca@${Domtool_Defaults::org_domain}
89
90[ crl_ext ]
91authorityKeyIdentifier=keyid:always,issuer:always