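# Minimal openssl configuration needed to be a CA for domtool.
#
# Read by the OpenSSL config parser (openssl ca / openssl req), not a
# generic INI reader: `#` full-line comments, `$dir` expands within the
# section, and ${Section::key} references a key in another section.
#
# The [ Domtool_Defaults ] section referenced below (ca_dir, org_name,
# org_domain) is not defined in this file; presumably domtool prepends
# or includes it before invoking openssl -- confirm against the caller.
#
# RANDFILE is intentionally not set anywhere in this file: it is useless
# on modern machines and OpenSSL no longer needs a seed file.

[ ca ]
default_ca = Domtool_CA

[ Domtool_CA ]
dir = ${Domtool_Defaults::ca_dir}
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index
# Needed because domtool does not revoke certs before reissuing, so the
# same subject may have more than one unexpired entry in the index.
# Possibly bad behavior, if a private key were to leak: the old cert
# stays valid until it expires unless it is revoked by hand.
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/ca-cert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/ca-key.pem
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
crl_extensions = crl_ext
# days
default_days = 365
# days
default_crl_days = 30
# Signature digest for issued certs and CRLs. sha1 is no longer
# accepted for certificate signatures (OpenSSL 3 rejects it at the
# default security level, and relying parties reject SHA-1 chains).
default_md = sha256
preserve = no
policy = policy_domtool

[ policy_domtool ]
# Domtool doesn't care where you claim to live
#countryName = optional
#stateOrProvinceName = optional
#localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied

# req section is only used when generating the request for the CA to sign itself!
[ req ]
default_bits = 4096
default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
# Same digest as the CA section; keep the two in step.
default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
# utf8only is the RFC 5280 encoding for DN strings; the previous
# value, nombstr, is deprecated and emits T61String for non-ASCII names.
string_mask = utf8only
# Extensions to add to the self-signed cert generated to certificate the CA
x509_extensions = v3_ca

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
# NOTE(review): no keyUsage / extendedKeyUsage is set, so issued leaf
# certs are unconstrained in what they may be used for -- confirm this
# is intended for the certs domtool hands out.
# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

[ v3_ca ]
# These extensions are added when the CA signs itself
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Ensure only user certificates and not another ca can be signed
basicConstraints = critical,CA:true,pathlen:0

[ root_ca_distinguished_name ]
commonName = ${Domtool_Defaults::org_name}
#countryName = US
#stateOrProvinceName = CA
#localityName = Berkeley
0.organizationName = ${Domtool_Defaults::org_domain}
emailAddress = ca@${Domtool_Defaults::org_domain}

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always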