Index: net/data/ssl/scripts/ca.cnf |
diff --git a/net/data/ssl/scripts/ca.cnf b/net/data/ssl/scripts/ca.cnf |
index 8a1d1e75f1ee02879e8ee6517ae4980a82874f4e..1b78e01985e3f332c890c7c1f90ad34c92373677 100644 |
--- a/net/data/ssl/scripts/ca.cnf |
+++ b/net/data/ssl/scripts/ca.cnf |
@@ -1,7 +1,7 @@ |
# Defaults in the event they're not set in the environment |
CA_DIR = out |
KEY_SIZE = 2048 |
-ALGO = sha1 |
+ALGO = sha256 |
CERT_TYPE = root |
CA_NAME = req_env_dn |
@@ -24,7 +24,7 @@ private_key = $dir/$type.key |
RANDFILE = $dir/.rand |
default_days = 3650 |
default_crl_days = 30 |
-default_md = sha1 |
+default_md = sha256 |
policy = policy_anything |
unique_subject = no |
copy_extensions = copy |
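Review bot: The added `default_md = sha256` is hard-coded even though the first hunk introduces `ALGO = sha256` under the comment "Defaults in the event they're not set in the environment", and a sibling default in the last hunk is already routed through the environment as `default_bits = $ENV::KEY_SIZE`; as written, overriding ALGO in the environment would not change the digest this section signs with. If ALGO is meant to be overridable, `default_md = $ENV::ALGO` here and on the final hunk's `default_md` line would keep the three settings in step; if ALGO is consumed only by the driver script on the command line, a one-line comment above this key saying so would stop the next reader from assuming the two are linked. Whether the scripts pass the digest explicitly is not visible from this diff. The section containing this line starts outside the hunk.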
@@ -36,6 +36,30 @@ subjectKeyIdentifier = hash |
authorityKeyIdentifier = keyid:always |
extendedKeyUsage = serverAuth,clientAuth |
+[name_constraint_bad] |
+# A leaf cert that will violate the root's imposed name constraints |
+basicConstraints = critical, CA:false |
+subjectKeyIdentifier = hash |
+authorityKeyIdentifier = keyid:always |
+extendedKeyUsage = serverAuth,clientAuth |
+subjectAltName = @san_name_constraint_bad |
+ |
+[name_constraint_good] |
+# A leaf cert that will match the root's imposed name constraints |
+basicConstraints = critical, CA:false |
+subjectKeyIdentifier = hash |
+authorityKeyIdentifier = keyid:always |
+extendedKeyUsage = serverAuth,clientAuth |
+subjectAltName = @san_name_constraint_good |
+ |
+[san_name_constraint_bad] |
+DNS.1 = test.ExAmPlE.CoM |
+DNS.2 = test.ExAmPlE.OrG |
+ |
+[san_name_constraint_good] |
+DNS.1 = test.ExAmPlE.CoM |
+DNS.2 = example.notarealtld |
+ |
[ca_cert] |
# Extensions to add when signing a request for an intermediate/CA cert |
basicConstraints = critical, CA:true |
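Review bot: The comments on `[name_constraint_bad]` and `[name_constraint_good]` refer to "the root's imposed name constraints", but the constraints themselves are not in this hunk, so a reader of the file cannot tell which permitted or excluded subtree makes `test.ExAmPlE.OrG` a violation and `example.notarealtld` acceptable, nor that the mixed-case spelling of the DNS entries is deliberate (presumably to exercise case-insensitive name matching in the verifier). A comment above each `[san_name_constraint_*]` section stating the subtree the names are written against, plus one such as `# Mixed case is intentional: name-constraint matching must be case-insensitive`, would keep the fixtures self-describing. It is also worth recording that `[san_name_constraint_bad]` lists a conforming name before the violating one, so the fixture only fails verification if every SAN entry is checked rather than just the first; stating that expectation makes the test's intent explicit.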
@@ -63,7 +87,7 @@ emailAddress = optional |
# than the root CA, see README to find the appropriate configuration file |
# (ie: openssl_cert.cnf). |
default_bits = $ENV::KEY_SIZE |
-default_md = sha1 |
+default_md = sha256 |
string_mask = utf8only |
prompt = no |
encrypt_key = no |