bootstrap/common.ssl.conf

   1 # Minimal openssl configuration needed to be a CA for domtool
   2
   3 # intentionally not setting RANDFILE, because it is useless on modern
   4 # machines.
   5
   6 [ ca ]
   7 default_ca = Domtool_CA
   8
   9 [ Domtool_CA ]
  10 dir             = ${Domtool_Defaults::ca_dir}
  11
  12 certs           = $dir/certs
  13 crl_dir         = $dir/crl
  14 database        = $dir/index
  15
  16 # Needed because domtool does not revoke certs before
  17 # reissuing. Possibly bad behavior, if a private key were to leak.
  18 unique_subject  = no
  19
  20 new_certs_dir   = $dir/newcerts
  21
  22 certificate     = $dir/ca-cert.pem
  23 serial          = $dir/serial
  24 crlnumber       = $dir/crlnumber
  25
  26 crl             = $dir/crl.pem
  27 private_key     = $dir/private/ca-key.pem
  28 RANDFILE        = $dir/private/.rand
  29
  30 x509_extensions = usr_cert
  31
  32 name_opt        = ca_default
  33 cert_opt        = ca_default
  34
  35 crl_extensions  = crl_ext
  36
  37 default_days    = 365
  38 default_crl_days= 30
  39 default_md      = sha1
  40 preserve        = no
  41
  42 policy          = policy_domtool
  43
  44 [ policy_domtool ]
  45 # Domtool doesn't care where you claim to live
  46 #countryName            = optional
  47 #stateOrProvinceName    = optional
  48 #localityName            = optional
  49 organizationName        = optional
  50 organizationalUnitName  = optional
  51 commonName              = supplied
  52 emailAddress            = supplied
  53
  54 # req section is only used when generating the request for the CA to sign itself!
  55 [ req ]
  56 default_bits            = 4096
  57 default_keyfile         = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
  58 default_md              = sha1
  59
  60 prompt                  = no
  61 distinguished_name      = root_ca_distinguished_name
  62 string_mask = nombstr
  63
  64 # Extensions to add to the self-signed cert generated to certificate the CA
  65 x509_extensions = v3_ca
  66
  67 [ usr_cert ]
  68 # These extensions are added when 'ca' signs a request.
  69 subjectKeyIdentifier=hash
  70 authorityKeyIdentifier=keyid,issuer
  71 basicConstraints=CA:FALSE
  72 # leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
  73 #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
  74
  75 [ v3_ca ]
  76 # These extensions are added when the CA signs itself
  77 subjectKeyIdentifier=hash
  78 authorityKeyIdentifier=keyid:always,issuer:always
  79 # Ensure only user certificates and not another ca can be signed
  80 basicConstraints = critical,CA:true,pathlen:0
  81
  82 [ root_ca_distinguished_name ]
  83 commonName = ${Domtool_Defaults::org_name}
  84 #countryName = US
  85 #stateOrProvinceName = CA
  86 #localityName = Berkeley
  87 0.organizationName = ${Domtool_Defaults::org_domain}
  88 emailAddress = ca@${Domtool_Defaults::org_domain}
  89
  90 [ crl_ext ]
  91 authorityKeyIdentifier=keyid:always,issuer:always