testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf

   1 # openssl.cnf -  OpenSSL configuration file for the ZHW PKI
   2 # Mario Strasser <mario.strasser@zhwin.ch>
   3 #
   4
   5 # This definitions were set by the ca_init script DO NOT change
   6 # them manually.
   7 CAHOME                  = /etc/openssl/ecdsa
   8 RANDFILE                = $CAHOME/.rand
   9
  10 # Extra OBJECT IDENTIFIER info:
  11 oid_section             = new_oids
  12
  13 [ new_oids ]
  14 SmartcardLogin          = 1.3.6.1.4.1.311.20.2
  15 ClientAuthentication    = 1.3.6.1.4.1.311.20.2.2
  16
  17 ####################################################################
  18
  19 [ ca ]
  20 default_ca      = root_ca               # The default ca section
  21
  22 ####################################################################
  23
  24 [ root_ca ]
  25
  26 dir             = $CAHOME
  27 certs           = $dir/certs                 # Where the issued certs are kept
  28 crl_dir         = $dir/crl                   # Where the issued crl are kept
  29 database        = $dir/index.txt             # database index file.
  30 new_certs_dir   = $dir/newcerts              # default place for new certs.
  31
  32 certificate     = $dir/strongswan_ecCert.pem # The CA certificate
  33 serial          = $dir/serial                # The current serial number
  34 crl             = $dir/crl.pem               # The current CRL
  35 crlnumber       = $dir/crlnumber             # The current CRL serial number
  36 private_key     = $dir/strongswan_ecKey.pem  # The private key
  37 RANDFILE        = $dir/.rand                 # private random number file
  38
  39 x509_extensions = host_ext                   # The extensions to add to the cert
  40
  41 crl_extensions  = crl_ext                    # The extensions to add to the CRL
  42
  43 default_days    = 1825                       # how long to certify for
  44 default_crl_days= 30                         # how long before next CRL
  45 default_md      = sha256                     # which md to use.
  46 preserve        = no                         # keep passed DN ordering
  47 email_in_dn     = no                         # allow/forbid EMail in DN
  48
  49 policy          = policy_match               # specifying how similar the request must look
  50
  51 ####################################################################
  52
  53 # the 'match' policy
  54 [ policy_match ]
  55 countryName             = match
  56 stateOrProvinceName     = optional
  57 localityName            = optional
  58 organizationName        = match
  59 organizationalUnitName  = optional
  60 userId                  = optional
  61 serialNumber            = optional
  62 commonName              = supplied
  63 emailAddress            = optional
  64
  65 # the 'anything' policy
  66 [ policy_anything ]
  67 countryName             = optional
  68 stateOrProvinceName     = optional
  69 localityName            = optional
  70 organizationName        = optional
  71 organizationalUnitName  = optional
  72 commonName              = supplied
  73 emailAddress            = optional
  74
  75 ####################################################################
  76
  77 [ req ]
  78 default_bits            = 1024
  79 default_keyfile         = privkey.pem
  80 distinguished_name      = req_distinguished_name
  81 attributes              = req_attributes
  82 x509_extensions         = ca_ext        # The extensions to add to the self signed cert
  83 # req_extensions        = v3_req        # The extensions to add to a certificate request
  84
  85
  86 # This sets a mask for permitted string types. There are several options.
  87 # default: PrintableString, T61String, BMPString.
  88 # pkix   : PrintableString, BMPString.
  89 # utf8only: only UTF8Strings.
  90 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  91 # MASK:XXXX a literal mask value.
  92 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  93 # so use this option with caution!
  94 string_mask                     = nombstr
  95
  96 # req_extensions = v3_req # The extensions to add to a certificate request
  97
  98 ####################################################################
  99
 100 [ req_distinguished_name ]
 101 countryName                     = Country Name (2 letter code)
 102 countryName_default             = CH
 103 countryName_min                 = 2
 104 countryName_max                 = 2
 105
 106 #stateOrProvinceName            = State or Province Name (full name)
 107 #stateOrProvinceName_default    = ZH
 108
 109 #localityName                   = Locality Name (eg, city)
 110 #localityName_default           = Winterthur
 111
 112 organizationName                = Organization Name (eg, company)
 113 organizationName_default        = Linux strongSwan
 114
 115 0.organizationalUnitName                = Organizational Unit Name (eg, section)
 116 #0.organizationalUnitName_default       = Research
 117
 118 #1.organizationalUnitName       = Type (eg, Staff)
 119 #1.organizationalUnitName_default = Staff
 120
 121 #userId                         = UID
 122
 123 commonName                      = Common Name (eg, YOUR name)
 124 commonName_default              = $ENV::COMMON_NAME
 125 commonName_max                  = 64
 126
 127 #0.emailAddress                 = Email Address (eg, foo@bar.com)
 128 #0.emailAddress_min              = 0
 129 #0.emailAddress_max              = 40
 130
 131 #1.emailAddress                  = Second Email Address (eg, foo@bar.com)
 132 #1.emailAddress_min              = 0
 133 #1.emailAddress_max              = 40
 134
 135 ####################################################################
 136
 137 [ req_attributes ]
 138
 139 ####################################################################
 140
 141 [ host_ext ]
 142
 143 basicConstraints                = CA:FALSE
 144 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 145 subjectKeyIdentifier            = hash
 146 authorityKeyIdentifier          = keyid, issuer:always
 147 subjectAltName                  = DNS:$ENV::COMMON_NAME
 148 #extendedKeyUsage               = OCSPSigning
 149 crlDistributionPoints           = URI:http://crl.strongswan.org/strongswan_ec.crl
 150
 151 ####################################################################
 152
 153 [ user_ext ]
 154
 155 basicConstraints                = CA:FALSE
 156 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 157 subjectKeyIdentifier            = hash
 158 authorityKeyIdentifier          = keyid, issuer:always
 159 subjectAltName                  = email:$ENV::COMMON_NAME
 160 #authorityInfoAccess            = OCSP;URI:http://ocsp.strongswan.org:8880
 161 crlDistributionPoints           = URI:http://crl.strongswan.org/strongswan_ec.crl
 162
 163 ####################################################################
 164
 165 [ ca_ext ]
 166
 167 basicConstraints                = critical, CA:TRUE
 168 keyUsage                        = cRLSign, keyCertSign
 169 subjectKeyIdentifier           = hash
 170 authorityKeyIdentifier         = keyid, issuer:always
 171
 172 ####################################################################
 173
 174 [ crl_ext ]
 175
 176 # CRL extensions.
 177 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 178
 179 #issuerAltName                  = issuer:copy
 180 authorityKeyIdentifier          = keyid:always, issuer:always
 181
 182 # eof