testing/hosts/winnetou/etc/openssl/sales/openssl.cnf

   1 # openssl.cnf -  OpenSSL configuration file
   2 #
   3
   4 # This definitions were set by the ca_init script DO NOT change
   5 # them manually.
   6 CAHOME                  = /etc/openssl/sales
   7 RANDFILE                = $CAHOME/.rand
   8
   9 ####################################################################
  10
  11 [ ca ]
  12 default_ca      = root_ca               # The default ca section
  13
  14 ####################################################################
  15
  16 [ root_ca ]
  17
  18 dir             = $CAHOME
  19 certs           = $dir/certs              # Where the issued certs are kept
  20 crl_dir         = $dir/crl                # Where the issued crl are kept
  21 database        = $dir/index.txt          # database index file.
  22 new_certs_dir   = $dir/newcerts           # default place for new certs.
  23
  24 certificate     = $dir/salesCert.pem      # The CA certificate
  25 serial          = $dir/serial             # The current serial number
  26 crl             = $dir/crl.pem            # The current CRL
  27 crlnumber       = $dir/crlnumber          # The current CRL serial number
  28 private_key     = $dir/salesKey.pem       # The private key
  29 RANDFILE        = $dir/.rand              # private random number file
  30
  31 x509_extensions = host_ext                # The extensions to add to the cert
  32
  33 crl_extensions  = crl_ext                 # The extensions to add to the CRL
  34
  35 default_days    = 1825                    # how long to certify for
  36 default_crl_days= 30                      # how long before next CRL
  37 default_md      = sha256                  # which md to use.
  38 preserve        = no                      # keep passed DN ordering
  39 email_in_dn     = no                      # allow/forbid EMail in DN
  40
  41 policy          = policy_match            # specifying how similar the request must look
  42
  43 ####################################################################
  44
  45 # the 'match' policy
  46 [ policy_match ]
  47 countryName             = match
  48 stateOrProvinceName     = optional
  49 localityName            = optional
  50 organizationName        = match
  51 organizationalUnitName  = optional
  52 userId                  = optional
  53 commonName              = supplied
  54 emailAddress            = optional
  55
  56 # the 'anything' policy
  57 [ policy_anything ]
  58 countryName             = optional
  59 stateOrProvinceName     = optional
  60 localityName            = optional
  61 organizationName        = optional
  62 organizationalUnitName  = optional
  63 commonName              = supplied
  64 emailAddress            = optional
  65
  66 ####################################################################
  67
  68 [ req ]
  69 default_bits            = 2048
  70 default_keyfile         = privkey.pem
  71 distinguished_name      = req_distinguished_name
  72 attributes              = req_attributes
  73 x509_extensions         = ca_ext        # The extensions to add to the self signed cert
  74 # req_extensions        = v3_req        # The extensions to add to a certificate request
  75
  76
  77 # This sets a mask for permitted string types. There are several options.
  78 # default: PrintableString, T61String, BMPString.
  79 # pkix   : PrintableString, BMPString.
  80 # utf8only: only UTF8Strings.
  81 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  82 # MASK:XXXX a literal mask value.
  83 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  84 # so use this option with caution!
  85 string_mask                     = nombstr
  86
  87 # req_extensions = v3_req # The extensions to add to a certificate request
  88
  89 ####################################################################
  90
  91 [ req_distinguished_name ]
  92 countryName                     = Country Name (2 letter code)
  93 countryName_default             = CH
  94 countryName_min                 = 2
  95 countryName_max                 = 2
  96
  97 #stateOrProvinceName            = State or Province Name (full name)
  98 #stateOrProvinceName_default    = ZH
  99
 100 #localityName                   = Locality Name (eg, city)
 101 #localityName_default           = Winterthur
 102
 103 organizationName                = Organization Name (eg, company)
 104 organizationName_default        = Linux strongSwan
 105
 106 0.organizationalUnitName                = Organizational Unit Name (eg, section)
 107 0.organizationalUnitName_default        = Sales
 108
 109 #1.organizationalUnitName       = Type (eg, Staff)
 110 #1.organizationalUnitName_default = Staff
 111
 112 #userId                         = UID
 113
 114 commonName                      = Common Name (eg, YOUR name)
 115 commonName_default              = $ENV::COMMON_NAME
 116 commonName_max                  = 64
 117
 118 #0.emailAddress                 = Email Address (eg, foo@bar.com)
 119 #0.emailAddress_min              = 0
 120 #0.emailAddress_max              = 40
 121
 122 #1.emailAddress                  = Second Email Address (eg, foo@bar.com)
 123 #1.emailAddress_min              = 0
 124 #1.emailAddress_max              = 40
 125
 126 ####################################################################
 127
 128 [ req_attributes ]
 129
 130 ####################################################################
 131
 132 [ host_ext ]
 133
 134 basicConstraints                = CA:FALSE
 135 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 136 subjectKeyIdentifier            = hash
 137 authorityKeyIdentifier          = keyid, issuer:always
 138 subjectAltName                  = DNS:$ENV::COMMON_NAME
 139 #extendedKeyUsage               = OCSPSigning
 140 crlDistributionPoints           = URI:http://crl.strongswan.org/sales.crl
 141
 142 ####################################################################
 143
 144 [ user_ext ]
 145
 146 basicConstraints                = CA:FALSE
 147 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 148 subjectKeyIdentifier            = hash
 149 authorityKeyIdentifier          = keyid, issuer:always
 150 subjectAltName                  = email:$ENV::COMMON_NAME
 151 crlDistributionPoints           = URI:http://crl.strongswan.org/sales.crl
 152 #authorityInfoAccess             = OCSP;URI:http://ocsp2.strongswan.org:8882
 153
 154 ####################################################################
 155
 156 [ ca_ext ]
 157
 158 basicConstraints                = critical, CA:TRUE
 159 keyUsage                        = cRLSign, keyCertSign
 160 subjectKeyIdentifier           = hash
 161 authorityKeyIdentifier         = keyid, issuer:always
 162
 163 ####################################################################
 164
 165 [ crl_ext ]
 166
 167 # CRL extensions.
 168 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 169
 170 #issuerAltName                  = issuer:copy
 171 authorityKeyIdentifier          = keyid:always, issuer:always
 172
 173 # eof