-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathopenssl.cnf
199 lines (150 loc) · 4.75 KB
/
openssl.cnf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
# -*- mode: ini -*-
#
# ovpnmgr openssl.cnf
#
# copy of https://github.com/openssl/openssl/blob/master/apps/openssl.cnf
# reformatted for easier manipulation using scripts
# adjusted for the needs of ovpnmgr
config_diagnostics = 1
# environment defaults
HOME = ${ENV::PKI_DIR}
CERT_LIFETIME = 365
REQ_DN_MODE = org
REQ_DEFAULT_COUNTRY = CH
REQ_DEFAULT_STATE = SG
REQ_DEFAULT_CITY =
REQ_DEFAULT_ORG = riiengineering
REQ_DEFAULT_OU =
REQ_DEFAULT_CN =
REQ_DEFAULT_EMAIL =
####################################################################
[ ca ]
# The default ca section
default_ca = CA_default
####################################################################
[ CA_default ]
# Where everything is kept
dir = ${ENV::PKI_DIR}
# Where the issued certs are kept
certs = ${dir}/certs
# database index file.
database = ${dir}/index.txt
# default place for new certs (by serial).
new_certs_dir = ${dir}/newcerts
# unique_subject = no allows to renew certificates which have not been revoked
unique_subject = no
# The CA certificate
certificate = ${dir}/ca/ca.crt
# The current serial number
serial = ${dir}/serial
# for random serial#s
rand_serial = yes
# The current CRL
# XXX: needed?
crl = ${dir}/crl.pem
# The private key
private_key = ${dir}/ca/ca.key
# The extensions to add to the cert
x509_extensions = basic_exts
# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default
# how long to certify for
default_days = ${ENV::CERT_LIFETIME}
# how long before next CRL
default_crl_days = 30
# use public key default MD
default_md = sha256
# keep passed DN ordering
preserve = no
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# Don't add the email into cert DN
email_in_dn = no
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
serialNumber = optional
####################################################################
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = req_dn_${ENV::REQ_DN_MODE}
attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca
string_mask = utf8only
[ req_attributes ]
####################################################################
# DN (Subject)
# subject is only commonName
[ req_dn_cn_only ]
commonName = Your User Name
commonName_max = 64
commonName_default = ${ENV::REQ_DEFAULT_CN}
# subject is full org structure
[ req_dn_org ]
countryName = Country Name (2 letter code)
countryName_default = ${ENV::REQ_DEFAULT_COUNTRY}
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ${ENV::REQ_DEFAULT_STATE}
localityName = Locality Name (eg, city)
localityName_default = ${ENV::REQ_DEFAULT_CITY}
0.organizationName = Organization Name (eg, company)
0.organizationName_default = ${ENV::REQ_DEFAULT_ORG}
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ${ENV::REQ_DEFAULT_OU}
commonName = Your User Name
commonName_max = 64
commonName_default = ${ENV::REQ_DEFAULT_CN}
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = ${ENV::REQ_DEFAULT_EMAIL}
####################################################################
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
keyUsage = digitalSignature
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = critical,clientAuth
[ v3_ca ]
# Extensions for a typical CA
basicConstraints = CA:TRUE
# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
# Limit key usage to CA tasks.
keyUsage = cRLSign, keyCertSign
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always