diff --git a/bootstrap/common.ssl.conf b/bootstrap/common.ssl.conf
new file mode 100644 (file)
index 0000000..c2c0ddb
--- /dev/null
@@ -0,0 +1,91 @@
+# Minimal openssl configuration needed to be a CA for domtool
+
+# intentionally not setting RANDFILE, because it is useless on modern
+# machines.
+
+[ ca ]
+default_ca = Domtool_CA
+
+[ Domtool_CA ]
+dir             = ${Domtool_Defaults::ca_dir}
+
+certs          = $dir/certs            
+crl_dir                = $dir/crl              
+database       = $dir/index
+
+# Needed because domtool does not revoke certs before
+# reissuing. Possibly bad behavior, if a private key were to leak.
+unique_subject = no
+                                       
+new_certs_dir  = $dir/newcerts         
+
+certificate    = $dir/ca-cert.pem      
+serial         = $dir/serial           
+crlnumber      = $dir/crlnumber        
+                                       
+crl            = $dir/crl.pem          
+private_key    = $dir/private/ca-key.pem
+RANDFILE       = $dir/private/.rand    
+
+x509_extensions        = usr_cert
+
+name_opt       = ca_default
+cert_opt       = ca_default
+
+crl_extensions = crl_ext
+
+default_days   = 365                   
+default_crl_days= 30
+default_md      = sha1
+preserve       = no                    
+
+policy         = policy_domtool
+
+[ policy_domtool ]
+# Domtool doesn't care where you claim to live
+#countryName           = optional
+#stateOrProvinceName   = optional
+#localityName            = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = supplied
+
+# req section is only used when generating the request for the CA to sign itself!
+[ req ]
+default_bits            = 4096
+default_keyfile         = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
+default_md              = sha1
+
+prompt                  = no
+distinguished_name      = root_ca_distinguished_name
+string_mask = nombstr
+
+# Extensions to add to the self-signed cert generated to certificate the CA
+x509_extensions = v3_ca
+
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
+#nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
+
+[ v3_ca ]
+# These extensions are added when the CA signs itself
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+# Ensure only user certificates and not another ca can be signed
+basicConstraints = critical,CA:true,pathlen:0
+
+[ root_ca_distinguished_name ]
+commonName = ${Domtool_Defaults::org_name}
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Berkeley
+0.organizationName = ${Domtool_Defaults::org_domain}
+emailAddress = ca@${Domtool_Defaults::org_domain}
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always,issuer:always
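Review bot: Both `default_md = sha1` settings (in `[ Domtool_CA ]` and `[ req ]`) make the CA emit SHA-1-signed certificates, which current TLS clients and OpenSSL's default security level refuse to validate; both should read `default_md = sha256`. The header comment says RANDFILE is intentionally left unset, yet `[ Domtool_CA ]` still sets `RANDFILE = $dir/private/.rand`, so either the line or the comment should go. `[ usr_cert ]` sets no `keyUsage` or `extendedKeyUsage`, and nothing here supplies a `subjectAltName`, so issued certificates would presumably be accepted only by clients that still fall back to CN matching; adding `keyUsage = critical,digitalSignature,keyEncipherment` and `extendedKeyUsage = serverAuth` is a cheap hardening, and how SANs reach the cert should be confirmed against the signing script. The `unique_subject = no` comment already flags that leaked keys are never revoked; since `crl_ext` and `default_crl_days` are configured anyway, documenting how an operator would revoke and regenerate the CRL would make that caveat actionable.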