# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL

####################################################################
# Entry point for "openssl ca": names the section that holds the CA settings.
[ ca ]
default_ca = CA_default # The default ca section

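####################################################################
# Settings for "openssl ca", selected through default_ca in [ ca ] above.
[ CA_default ]

# Root of the PKI tree. Every other path in this section is derived from it
# through OpenSSL's $dir variable expansion, so relocating the PKI needs a
# single edit. This is an absolute path into one developer's home directory;
# the Easy-RSA template this file derives from fills it in at run time.
dir = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs_by_serial # default place for new certs.

certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
# The CA signing key. Only the path is recorded here; the private/ directory
# and the key file must be readable by the CA operator alone.
private_key = $dir/private/ca.key # The private key
# Legacy random-state file; modern OpenSSL/LibreSSL seed from the OS and may
# not use it (confirm for the toolchain in use).
RANDFILE = $dir/.rand # private random number file

x509_extensions = basic_exts # The extensions to add to the cert

# A placeholder to handle the --copy-ext feature:
#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it

# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext

# 365000 days is roughly 1000 years: issued certificates effectively never
# expire, so revocation through the CRL is the only way to retire one.
# Suitable for a throwaway test CA only.
default_days = 365000 # how long to certify for
default_crl_days = 180 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering

# This allows to renew certificates which have not been revoked
# (as a consequence several valid certificates may share one subject).
unique_subject = no

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
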
# For the 'anything' policy, which defines allowed DN fields
# Consulted by "openssl ca" (policy = policy_anything in [ CA_default ]):
# "supplied" attributes must be present in the request, "optional" ones may
# be; nothing is required to match the CA's own DN, so any subject is
# accepted as long as it carries a CN.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
# The only mandatory attribute.
commonName = supplied
name = optional
emailAddress = optional

####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
# Settings for "openssl req" (CSR and self-signed certificate generation).
[ req ]
# RSA key size used when a key is generated without an explicit size.
default_bits = 2048
# Where a newly generated private key is written when -keyout is not given
# (relative to the working directory, not to the PKI dir above).
default_keyfile = privkey.pem
# Digest used to sign the request.
default_md = sha256
# DN prompt/default section; see [ cn_only ] below ([ org ] is the fuller
# alternative).
distinguished_name = cn_only
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert

# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it

####################################################################
# Easy-RSA DN (Subject) handling

# Easy-RSA DN for cn_only support:
# Prompt section for distinguished_name = cn_only in [ req ]: only a CN is
# asked for. The bare key is the prompt text, _max bounds the field length
# and _default is the value used on an empty answer.
[ cn_only ]
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
# Placeholder default; real use supplies the CN explicitly.
commonName_default = ChangeMe

# Easy-RSA DN for org support:
# Fuller prompt section (alternative to [ cn_only ]); select it with
# distinguished_name = org in [ req ]. Per attribute: the bare key is the
# prompt text, _default the value used on an empty answer, _min/_max the
# allowed length.
[ org ]
# ISO 3166 two-letter country code, hence min and max of 2.
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California

localityName = Locality Name (eg, city)
localityName_default = San Francisco

# The "0." prefix is OpenSSL's way of letting an attribute key appear more
# than once in a section (a second entry would be "1.organizationName").
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Copyleft Certificate Co

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = My Organizational Unit

commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
# Placeholder default; real use supplies the CN explicitly.
commonName_default = ChangeMe

# Example defaults; nothing in this section is used unless it is selected.
emailAddress = Email Address
emailAddress_default = me@example.net
emailAddress_max = 64

####################################################################
# Easy-RSA cert extension handling

# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.
# End-entity (leaf) profile referenced by x509_extensions in [ CA_default ].
[ basic_exts ]
# CA:FALSE: certificates issued with this profile cannot themselves issue
# certificates; keep it that way for anything that is not a sub-CA.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

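# The Easy-RSA CA extensions
# Applied to the self-signed CA certificate via x509_extensions in [ req ].
[ easyrsa_ca ]

# PKIX recommendations:

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true

# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
# RFC 5280 (4.2.1.3) recommends marking keyUsage critical on CA certificates;
# it is left non-critical here, as in the Easy-RSA template this file derives
# from, so clients that do not understand the extension still accept the CA.
keyUsage = cRLSign, keyCertSign

# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA

# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
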
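# CRL extensions.
# Applied to issued CRLs via crl_extensions = crl_ext in [ CA_default ].
[ crl_ext ]

# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always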