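# openssl.cnf - OpenSSL configuration file for the ZHW PKI
# Mario Strasser <mario.strasser@zhwin.ch>
#
# Read by the openssl(1) tools (ca, req, x509) of the ECDSA-based CA.
# Values written as $ENV::NAME are taken from the environment when the
# command runs; openssl aborts if such a variable is not set.
# Inline comments after a value are allowed by the OpenSSL CONF parser.

# These definitions were set by the ca_init script; DO NOT change
# them manually.
CAHOME = /etc/openssl/ecdsa
RANDFILE = $CAHOME/.rand

# Extra OBJECT IDENTIFIER info:
oid_section = new_oids

[ new_oids ]
# NOTE(review): neither name below is referenced elsewhere in this file.
# 1.3.6.1.4.1.311.20.2 is Microsoft's "Certificate Template Name"
# extension OID, not the Smart Card Logon EKU (which is
# 1.3.6.1.4.1.311.20.2.2) - confirm the intended value before using this
# name in an extendedKeyUsage line.
SmartcardLogin = 1.3.6.1.4.1.311.20.2
# NOTE(review): 1.3.6.1.4.1.311.20.2.2 is the Smart Card Logon EKU;
# id-kp-clientAuth is 1.3.6.1.5.5.7.3.2, which OpenSSL already knows under
# the built-in name clientAuth. Confirm the label/value pairing.
ClientAuthentication = 1.3.6.1.4.1.311.20.2.2

####################################################################

[ ca ]
default_ca = root_ca # The default ca section

####################################################################

# Settings used by "openssl ca" when issuing certificates and CRLs.
[ root_ca ]

dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/strongswan_ecCert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
crlnumber = $dir/crlnumber # The current CRL serial number
# The CA signing key; the file name indicates an EC key.
# Keep the file readable only by the CA operator account.
private_key = $dir/strongswan_ecKey.pem # The private key
RANDFILE = $dir/.rand # private random number file

# Extensions applied to issued end-entity certs. host_ext is the default;
# to issue a user cert pass "-extensions user_ext" on the ca command line.
x509_extensions = host_ext # The extensions to add to the cert

crl_extensions = crl_ext # The extensions to add to the CRL

# 1825 days = 5 years of validity for issued end-entity certs.
default_days = 1825 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
email_in_dn = no # allow/forbid EMail in DN

policy = policy_match # specifying how similar the request must look

####################################################################

# the 'match' policy
# "match": request field must equal the CA cert's field;
# "supplied": must be present; "optional": may be absent.
[ policy_match ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
userId = optional
serialNumber = optional
commonName = supplied
emailAddress = optional

# the 'anything' policy
# Not selected by default; use "-policy policy_anything" to choose it.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################

# Settings used by "openssl req" for requests and the self-signed CA cert.
[ req ]
# Only consulted when req generates an RSA key itself (-newkey rsa).
# NOTE(review): 1024-bit RSA is below current minimums (2048+); this CA's
# key files are EC, so this value is presumably unused - confirm before
# relying on it, and raise it if RSA requests are ever generated here.
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions for the self-signed CA cert created with "req -x509".
x509_extensions = ca_ext # The extensions to add to the self signed cert

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# NOTE(review): nombstr is a legacy choice kept for old clients; newer
# OpenSSL releases default to utf8only.
string_mask = nombstr

# Extensions to add to a certificate request; disabled on purpose.
# req_extensions = v3_req # The extensions to add to a certificate request

####################################################################

# Prompts and defaults for the subject DN; *_default values are offered
# interactively, *_min/*_max bound the field length.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CH
countryName_min = 2
countryName_max = 2

#stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = ZH

#localityName = Locality Name (eg, city)
#localityName_default = Winterthur

organizationName = Organization Name (eg, company)
organizationName_default = Linux strongSwan

0.organizationalUnitName = Organizational Unit Name (eg, section)
#0.organizationalUnitName_default = Research

#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff

#userId = UID

commonName = Common Name (eg, YOUR name)
# Supplied by the calling script through the COMMON_NAME environment
# variable; the same value feeds subjectAltName in host_ext and user_ext.
commonName_default = $ENV::COMMON_NAME
commonName_max = 64

#0.emailAddress = Email Address (eg, foo@bar.com)
#0.emailAddress_min = 0
#0.emailAddress_max = 40

#1.emailAddress = Second Email Address (eg, foo@bar.com)
#1.emailAddress_min = 0
#1.emailAddress_max = 40

####################################################################

# No request attributes are prompted for.
[ req_attributes ]

####################################################################

# End-entity extensions for host (server/gateway) certificates.
[ host_ext ]

basicConstraints = CA:FALSE
# NOTE(review): keyEncipherment is an RSA key-transport bit; RFC 5480 does
# not permit it for EC end-entity keys - consider dropping it if the
# issued keys are EC.
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
# issuer:always also embeds the issuer name and serial, so re-issuing the
# CA cert with a new serial breaks chain building for these certs.
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = DNS:$ENV::COMMON_NAME
#extendedKeyUsage = OCSPSigning
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl

####################################################################

# End-entity extensions for user certificates (COMMON_NAME is an e-mail
# address here); select with "-extensions user_ext".
[ user_ext ]

basicConstraints = CA:FALSE
# NOTE(review): see host_ext - keyEncipherment is not valid for EC keys.
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl

####################################################################

# Extensions for the self-signed root CA certificate.
[ ca_ext ]

# No pathlen constraint: the root may issue subordinate CAs.
basicConstraints = critical, CA:TRUE
# NOTE(review): RFC 5280 recommends marking keyUsage critical on CA certs.
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always

####################################################################

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

#issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always, issuer:always

# eof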