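# Minimal openssl configuration needed to be a CA for domtool
#
# Values written as ${Domtool_Defaults::name} are OpenSSL config variable
# references into a [ Domtool_Defaults ] section that this file does not
# define; it is expected to be supplied alongside this fragment (confirm in
# the domtool bootstrap).

# RANDFILE is set only in [ Domtool_CA ] below; on modern machines it has
# no useful effect.

[ ca ]
default_ca = Domtool_CA

[ Domtool_CA ]
dir = ${Domtool_Defaults::ca_dir}

certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index

# Needed because domtool does not revoke certs before
# reissuing. Possibly bad behavior, if a private key were to leak:
# the superseded cert stays valid until it is revoked explicitly and
# the CRL (see crl_ext) is regenerated.
unique_subject = no

new_certs_dir = $dir/newcerts

certificate = $dir/ca-cert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber

crl = $dir/crl.pem
# The CA key must be readable only by the account that runs `openssl ca`.
private_key = $dir/private/ca-key.pem
RANDFILE = $dir/private/.rand

x509_extensions = usr_cert

name_opt = ca_default
cert_opt = ca_default

crl_extensions = crl_ext

default_days = 365
default_crl_days = 30
# SHA-1 signatures are rejected by current TLS clients; sign with SHA-256.
default_md = sha256
preserve = no

policy = policy_domtool

[ policy_domtool ]
# Domtool doesn't care where you claim to live
#countryName = optional
#stateOrProvinceName = optional
#localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied

# req section is only used when generating the request for the CA to sign itself!
[ req ]
default_bits = 4096
default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
# Same reasoning as default_md in [ Domtool_CA ].
default_md = sha256

prompt = no
distinguished_name = root_ca_distinguished_name
string_mask = nombstr

# Extensions to add to the self-signed cert generated to certify the CA
x509_extensions = v3_ca

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
# No keyUsage / extendedKeyUsage is set, so issued certs are not limited to a
# purpose (TLS server, client, S/MIME ...). Add them here if domtool's uses of
# the certs are known to be narrower.
# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

[ v3_ca ]
# These extensions are added when the CA signs itself
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# Ensure only user certificates and not another ca can be signed
basicConstraints = critical,CA:true,pathlen:0
# Restrict the CA key to signing certificates and CRLs (RFC 5280 expects
# keyCertSign to be asserted on a CA certificate).
keyUsage = critical,keyCertSign,cRLSign

[ root_ca_distinguished_name ]
commonName = ${Domtool_Defaults::org_name}
#countryName = US
#stateOrProvinceName = CA
#localityName = Berkeley
0.organizationName = ${Domtool_Defaults::org_domain}
emailAddress = ca@${Domtool_Defaults::org_domain}

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always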