Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(238)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/tools/quic/certs/ca.cnf

Issue 1330223003: Add scripts for generating certs to be used with the quic_server (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Add nameConstraints and 3 day expiration Created 5 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | net/tools/quic/certs/generate-certs.sh » ('j') | net/tools/quic/certs/generate-certs.sh » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 # Defaults in the event they're not set in the environment 1 # Defaults in the event they're not set in the environment
2 CA_DIR = out 2 CA_DIR = out
3 KEY_SIZE = 2048 3 KEY_SIZE = 2048
4 ALGO = sha256 4 ALGO = sha256
5 CERT_TYPE = root 5 CERT_TYPE = root
6 CA_NAME = req_env_dn 6 CA_NAME = req_env_dn
7 7
8 [ca] 8 [ca]
9 default_ca = CA_root 9 default_ca = CA_root
10 preserve = yes 10 preserve = yes
(...skipping 26 matching lines...) Expand all
37 extendedKeyUsage = serverAuth,clientAuth 37 extendedKeyUsage = serverAuth,clientAuth
38 38
39 [name_constraint_bad] 39 [name_constraint_bad]
40 # A leaf cert that will violate the root's imposed name constraints 40 # A leaf cert that will violate the root's imposed name constraints
41 basicConstraints = critical, CA:false 41 basicConstraints = critical, CA:false
42 subjectKeyIdentifier = hash 42 subjectKeyIdentifier = hash
43 authorityKeyIdentifier = keyid:always 43 authorityKeyIdentifier = keyid:always
44 extendedKeyUsage = serverAuth,clientAuth 44 extendedKeyUsage = serverAuth,clientAuth
45 subjectAltName = @san_name_constraint_bad 45 subjectAltName = @san_name_constraint_bad
46 46
47 [name_constraint_good]
48 # A leaf cert that will match the root's imposed name constraints
49 basicConstraints = critical, CA:false
50 subjectKeyIdentifier = hash
51 authorityKeyIdentifier = keyid:always
52 extendedKeyUsage = serverAuth,clientAuth
53 subjectAltName = @san_name_constraint_good
54
55 [san_name_constraint_bad]
56 DNS.1 = test.ExAmPlE.CoM
57 DNS.2 = test.ExAmPlE.OrG
58
59 [san_name_constraint_good]
60 DNS.1 = test.ExAmPlE.CoM
61 DNS.2 = example.notarealtld
62
63 [ca_cert] 47 [ca_cert]
64 # Extensions to add when signing a request for an intermediate/CA cert 48 # Extensions to add when signing a request for an intermediate/CA cert
65 basicConstraints = critical, CA:true 49 basicConstraints = critical, CA:true
66 subjectKeyIdentifier = hash 50 subjectKeyIdentifier = hash
67 #authorityKeyIdentifier = keyid:always 51 #authorityKeyIdentifier = keyid:always
68 keyUsage = critical, keyCertSign, cRLSign 52 keyUsage = critical, keyCertSign, cRLSign
53 nameConstraints = permitted;DNS:mail.example.com
54 nameConstraints = permitted;DNS:mail.example.org
55 nameConstraints = permitted;DNS:www.example.com
69 56
70 [crl_extensions] 57 [crl_extensions]
71 # Extensions to add when signing a CRL 58 # Extensions to add when signing a CRL
72 authorityKeyIdentifier = keyid:always 59 authorityKeyIdentifier = keyid:always
73 60
74 [policy_anything] 61 [policy_anything]
75 # Default signing policy 62 # Default signing policy
76 countryName = optional 63 countryName = optional
77 stateOrProvinceName = optional 64 stateOrProvinceName = optional
78 localityName = optional 65 localityName = optional
79 organizationName = optional 66 organizationName = optional
80 organizationalUnitName = optional 67 organizationalUnitName = optional
81 commonName = optional 68 commonName = optional
82 emailAddress = optional 69 emailAddress = optional
83 70
84 [req] 71 [req]
85 # The request section used to generate the root CA certificate. This should 72 # The request section used to generate the root CA certificate. This should
86 # not be used to generate end-entity certificates. For certificates other 73 # not be used to generate end-entity certificates. For certificates other
87 # than the root CA, see README to find the appropriate configuration file 74 # than the root CA, see README to find the appropriate configuration file
88 # (ie: openssl_cert.cnf). 75 # (ie: openssl_cert.cnf).
89 default_bits = $ENV::KEY_SIZE 76 default_bits = $ENV::KEY_SIZE
90 default_md = sha256 77 default_md = sha256
91 string_mask = utf8only 78 string_mask = utf8only
92 prompt = no 79 prompt = no
93 encrypt_key = no 80 encrypt_key = no
94 distinguished_name = $ENV::CA_NAME 81 distinguished_name = $ENV::CA_NAME
95 x509_extensions = req_ca_exts 82 x509_extensions = req_ca_exts
96 83
97 [req_ca_dn]
98 C = US
99 ST = California
100 L = Mountain View
101 O = Test CA
102 CN = Test Root CA
103
104 [req_intermediate_dn]
105 C = US
106 ST = California
107 L = Mountain View
108 O = Test CA
109 CN = Test Intermediate CA
110
111 [req_env_dn] 84 [req_env_dn]
112 CN = $ENV::CA_COMMON_NAME 85 CN = QUIC Server Root CA
113 86
114 [req_ca_exts] 87 [req_ca_exts]
115 basicConstraints = critical, CA:true 88 basicConstraints = critical, CA:true
116 keyUsage = critical, keyCertSign, cRLSign 89 keyUsage = critical, keyCertSign, cRLSign
117 subjectKeyIdentifier = hash 90 subjectKeyIdentifier = hash
OLDNEW
« no previous file with comments | « no previous file | net/tools/quic/certs/generate-certs.sh » ('j') | net/tools/quic/certs/generate-certs.sh » ('J')

Powered by Google App Engine
This is Rietveld 408576698