1 # Defaults in the event they're not set in the environment | 1 # Defaults in the event they're not set in the environment |
2 CA_DIR = out | 2 CA_DIR = out |
3 KEY_SIZE = 2048 | 3 KEY_SIZE = 2048 |
4 ALGO = sha1 | 4 ALGO = sha256 |
5 CERT_TYPE = root | 5 CERT_TYPE = root |
6 CA_NAME = req_env_dn | 6 CA_NAME = req_env_dn |
7 | 7 |
8 [ca] | 8 [ca] |
9 default_ca = CA_root | 9 default_ca = CA_root |
10 preserve = yes | 10 preserve = yes |
11 | 11 |
12 # The default test root, used to generate certificates and CRLs. | 12 # The default test root, used to generate certificates and CRLs. |
13 [CA_root] | 13 [CA_root] |
14 dir = $ENV::CA_DIR | 14 dir = $ENV::CA_DIR |
15 key_size = $ENV::KEY_SIZE | 15 key_size = $ENV::KEY_SIZE |
16 algo = $ENV::ALGO | 16 algo = $ENV::ALGO |
17 cert_type = $ENV::CERT_TYPE | 17 cert_type = $ENV::CERT_TYPE |
18 type = $key_size-$algo-$cert_type | 18 type = $key_size-$algo-$cert_type |
19 database = $dir/$type-index.txt | 19 database = $dir/$type-index.txt |
20 new_certs_dir = $dir | 20 new_certs_dir = $dir |
21 serial = $dir/$type-serial | 21 serial = $dir/$type-serial |
22 certificate = $dir/$type.pem | 22 certificate = $dir/$type.pem |
23 private_key = $dir/$type.key | 23 private_key = $dir/$type.key |
24 RANDFILE = $dir/.rand | 24 RANDFILE = $dir/.rand |
25 default_days = 3650 | 25 default_days = 3650 |
26 default_crl_days = 30 | 26 default_crl_days = 30 |
27 default_md = sha1 | 27 default_md = sha256 |
28 policy = policy_anything | 28 policy = policy_anything |
29 unique_subject = no | 29 unique_subject = no |
30 copy_extensions = copy | 30 copy_extensions = copy |
31 | 31 |
32 [user_cert] | 32 [user_cert] |
33 # Extensions to add when signing a request for an EE cert | 33 # Extensions to add when signing a request for an EE cert |
34 basicConstraints = critical, CA:false | 34 basicConstraints = critical, CA:false |
35 subjectKeyIdentifier = hash | 35 subjectKeyIdentifier = hash |
36 authorityKeyIdentifier = keyid:always | 36 authorityKeyIdentifier = keyid:always |
37 extendedKeyUsage = serverAuth,clientAuth | 37 extendedKeyUsage = serverAuth,clientAuth |
38 | 38 |
| 39 [name_constraint_bad] |
| 40 # A leaf cert that will violate the root's imposed name constraints |
| 41 basicConstraints = critical, CA:false |
| 42 subjectKeyIdentifier = hash |
| 43 authorityKeyIdentifier = keyid:always |
| 44 extendedKeyUsage = serverAuth,clientAuth |
| 45 subjectAltName = @san_name_constraint_bad |
| 46 |
| 47 [name_constraint_good] |
| 48 # A leaf cert that will match the root's imposed name constraints |
| 49 basicConstraints = critical, CA:false |
| 50 subjectKeyIdentifier = hash |
| 51 authorityKeyIdentifier = keyid:always |
| 52 extendedKeyUsage = serverAuth,clientAuth |
| 53 subjectAltName = @san_name_constraint_good |
| 54 |
| 55 [san_name_constraint_bad] |
| 56 DNS.1 = test.ExAmPlE.CoM |
| 57 DNS.2 = test.ExAmPlE.OrG |
| 58 |
| 59 [san_name_constraint_good] |
| 60 DNS.1 = test.ExAmPlE.CoM |
| 61 DNS.2 = example.notarealtld |
| 62 |
39 [ca_cert] | 63 [ca_cert] |
40 # Extensions to add when signing a request for an intermediate/CA cert | 64 # Extensions to add when signing a request for an intermediate/CA cert |
41 basicConstraints = critical, CA:true | 65 basicConstraints = critical, CA:true |
42 subjectKeyIdentifier = hash | 66 subjectKeyIdentifier = hash |
43 #authorityKeyIdentifier = keyid:always | 67 #authorityKeyIdentifier = keyid:always |
44 keyUsage = critical, keyCertSign, cRLSign | 68 keyUsage = critical, keyCertSign, cRLSign |
45 | 69 |
46 [crl_extensions] | 70 [crl_extensions] |
47 # Extensions to add when signing a CRL | 71 # Extensions to add when signing a CRL |
48 authorityKeyIdentifier = keyid:always | 72 authorityKeyIdentifier = keyid:always |
49 | 73 |
50 [policy_anything] | 74 [policy_anything] |
51 # Default signing policy | 75 # Default signing policy |
52 countryName = optional | 76 countryName = optional |
53 stateOrProvinceName = optional | 77 stateOrProvinceName = optional |
54 localityName = optional | 78 localityName = optional |
55 organizationName = optional | 79 organizationName = optional |
56 organizationalUnitName = optional | 80 organizationalUnitName = optional |
57 commonName = optional | 81 commonName = optional |
58 emailAddress = optional | 82 emailAddress = optional |
59 | 83 |
60 [req] | 84 [req] |
61 # The request section used to generate the root CA certificate. This should | 85 # The request section used to generate the root CA certificate. This should |
62 # not be used to generate end-entity certificates. For certificates other | 86 # not be used to generate end-entity certificates. For certificates other |
63 # than the root CA, see README to find the appropriate configuration file | 87 # than the root CA, see README to find the appropriate configuration file |
64 # (ie: openssl_cert.cnf). | 88 # (ie: openssl_cert.cnf). |
65 default_bits = $ENV::KEY_SIZE | 89 default_bits = $ENV::KEY_SIZE |
66 default_md = sha1 | 90 default_md = sha256 |
67 string_mask = utf8only | 91 string_mask = utf8only |
68 prompt = no | 92 prompt = no |
69 encrypt_key = no | 93 encrypt_key = no |
70 distinguished_name = $ENV::CA_NAME | 94 distinguished_name = $ENV::CA_NAME |
71 x509_extensions = req_ca_exts | 95 x509_extensions = req_ca_exts |
72 | 96 |
73 [req_ca_dn] | 97 [req_ca_dn] |
74 C = US | 98 C = US |
75 ST = California | 99 ST = California |
76 L = Mountain View | 100 L = Mountain View |
77 O = Test CA | 101 O = Test CA |
78 CN = Test Root CA | 102 CN = Test Root CA |
79 | 103 |
80 [req_intermediate_dn] | 104 [req_intermediate_dn] |
81 C = US | 105 C = US |
82 ST = California | 106 ST = California |
83 L = Mountain View | 107 L = Mountain View |
84 O = Test CA | 108 O = Test CA |
85 CN = Test Intermediate CA | 109 CN = Test Intermediate CA |
86 | 110 |
87 [req_env_dn] | 111 [req_env_dn] |
88 CN = $ENV::CA_COMMON_NAME | 112 CN = $ENV::CA_COMMON_NAME |
89 | 113 |
90 [req_ca_exts] | 114 [req_ca_exts] |
91 basicConstraints = critical, CA:true | 115 basicConstraints = critical, CA:true |
92 keyUsage = critical, keyCertSign, cRLSign | 116 keyUsage = critical, keyCertSign, cRLSign |
93 subjectKeyIdentifier = hash | 117 subjectKeyIdentifier = hash |
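Review bot: The `[name_constraint_bad]` and `[name_constraint_good]` comments refer to "the root's imposed name constraints", but no `nameConstraints` extension appears anywhere in this file (`[req_ca_exts]` and `[ca_cert]` carry only basicConstraints, keyUsage and SKID), so a reader cannot tell which permitted or excluded subtrees make `test.ExAmPlE.OrG` violate and `example.notarealtld` satisfy them. Since the two SAN lists differ only in `DNS.2`, the comments should name the root and the constraint being exercised, e.g. above `[san_name_constraint_bad]`: `# Only DNS.2 differs from the "good" list; it must fall outside the permitted subtrees (or inside an excluded one) of the name-constrained root, which is defined elsewhere (see README).` The mixed-case labels are presumably deliberate, to exercise case-insensitive dNSName matching against the constraint; if so, say that explicitly so nobody "normalizes" them later, e.g. `# Mixed case is intentional: dNSName constraints are compared case-insensitively (RFC 5280 section 7.2).` As written, signing a request with `-extensions name_constraint_bad` under `[CA_root]` from this file yields a leaf that no root defined here actually constrains, so the test only does anything if the root comes from a different configuration, and that dependency should be stated in the comment.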