CA openssl.cnf.tpl

Aus Neobikers Wiki
Version vom 27. Juni 2008, 20:34 Uhr von Neobiker (Diskussion | Beiträge)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Zur Navigation springen Zur Suche springen

./scripts/openssl.cnf.tpl

# OpenSSL configuration file for certificates.
# 2007 by neobiker
#
# $Id: openssl.cnf.tpl,v 1.1 2008/06/26 20:35:28 root Exp root $
#
# $Log: openssl.cnf.tpl,v $
# Revision 1.1  2008/06/26 20:35:28  root
# Initial revision
#

[ new_oids]

####################################################################
[ ca ]
default_ca      = Server_CA                     # The default ca section

####################################################################
[ Root_CA ]

dir             = $path/RootCA                  # Where everything is kept
certs           = $dir/certs                    # Where the issued certs are kept
crl_dir         = $dir/crls                     # Where the issued crl are kept
database        = $dir/index.txt                # database index file.
new_certs_dir   = $dir/newcerts                 # default place for new certs.

certificate     = $dir/private/RCAcert.pem      # The CA certificate
serial          = $dir/serial                   # The current serial number
crl             = $dir/crls/crl.pem             # The current CRL
private_key     = $dir/private/RCAkey.pem       # The private key

default_days    = 1825                          # how long to certify for
default_crl_days= 365                           # how long before next CRL
default_md      = md5                           # which md to use.

x509_extensions = RCA_cert                      # The extentions to add to the cert
preserve        = no

policy          = policy_match                  # default policy

[ Server_CA ]

dir             = $path/ServerCA                # Where everything is kept
certs           = $dir/certs                    # Where the issued certs are kept
crl_dir         = $dir/crls                     # Where the issued crl are kept
database        = $dir/index.txt                # database index file.
new_certs_dir   = $dir/newcerts                 # default place for new certs.

certificate     = $dir/private/SCAcert.pem      # The CA certificate
serial          = $dir/serial                   # The current serial number
crl             = $dir/crls/crl.pem             # The current CRL
private_key     = $dir/private/SCAkey.pem       # The private key

default_days    = 1825                          # how long to certify for
default_crl_days= 30                            # how long before next CRL
default_md      = md5                           # which md to use.

x509_extensions = SCA_cert                      # The extentions to add to the cert
preserve        = no

policy          = policy_anything               # default policy

[ User_CA ]

dir             = $path/UserCA                  # Where everything is kept
certs           = $dir/certs                    # Where the issued certs are kept
crl_dir         = $dir/crls                     # Where the issued crl are kept
database        = $dir/index.txt                # database index file.
new_certs_dir   = $dir/newcerts                 # default place for new certs.

certificate     = $dir/private/UCAcert.pem      # The CA certificate
serial          = $dir/serial                   # The current serial number
crl             = $dir/crls/crl.pem             # The current CRL
private_key     = $dir/private/UCAkey.pem       # The private key

default_days    = 730                           # how long to certify for
default_crl_days= 30                            # how long before next CRL
default_md      = md5                           # which md to use.

x509_extensions = UCA_cert                      # The extentions to add to the cert
preserve        = no

policy          = policy_match                  # default policy

[ policy_match ]

countryName             = match
stateOrProvinceName     = supplied
localityName            = optional
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = match
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]

default_bits                    = 2048
distinguished_name              = req_distinguished_name
attributes                      = req_attributes

x509_extensions                 = v3_ca         # The extentions to add to the self signed cert

string_mask                     = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = DE
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Bayern

localityName                    = Locality Name (eg, city)
localityName_default            = Nuernberg

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = OrganisationName

organizationalUnitName          = Organizational Unit Name (eg, section or website)
organizationalUnitName_default  = OrganisationUnit

commonName                      = Common Name (SERVER / USER name)
#commonName_default             = server.company.de
commonName_max                  = 64

emailAddress                    = Email Address (eg, YOUR email)
emailAddress_default            = webmaster@company.de

[ req_attributes ]
        # Das Challenge Password dient dazu, sich bei Verlust des geheimen
        # Schluessels gegenueber der Herausgeber-CA fuer einen
        # Zertifikatswiderruf auszuweisen. Wird bei der Erstellung der
        # Zeritifikatsanforderung erfragt.

challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = company.de

##################################################################
[ RCA_cert ]

basicConstraints        = critical, CA:TRUE
keyUsage                = cRLSign, keyCertSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName           = issuer:copy
#crlDistributionPoints  = URI:http://company.homeip.net/RCA.crl
nsCertType              = sslCA, emailCA, objCA
#nsBaseUrl              = https://company.de/
nsComment               = "issued by company.de CA"


[ SCA_cert ]

# basicConstraints      = critical, CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName           = issuer:copy
#crlDistributionPoints  = URI:http://company.homeip.net/SCA.crl
nsCertType              = server
nsBaseUrl               = https://company.de/
nsComment               = "issued by company.de (Server CA)"


[ UCA_cert ]

# basicConstraints      = critical, CA:FALSE
keyUsage                = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName           = issuer:copy
#crlDistributionPoints  = URI:http://company.homeip.net/UCA.crl
nsCertType              = client, email
#nsBaseUrl              = https://company.de/
nsComment               = "issued by company.de (User CA)"


#################################################################
[ v3_ca ]

basicConstraints        = critical, CA:true
keyUsage                = cRLSign, keyCertSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName           = issuer:copy
#crlDistributionPoints  = URI:http://company.de/RCA.crl
nsCertType              = sslCA, emailCA, objCA
#nsBaseUrl              = https://company.de/
nsComment               = "issued by company.de CA"

[ crl_ext ]

issuerAltName           = issuer:copy
authorityKeyIdentifier  = keyid:always,issuer:always