authorNathan Angelacos <nangel@tetrasec.net>2008-07-08 21:40:56 +0000
committerNathan Angelacos <nangel@tetrasec.net>2008-07-08 21:40:56 +0000
commit6e4491a2a8234f52f9c571e811b6312aefc4ea88 (patch)
tree3b2662174ac4956250c661f1476c69374421189e
parent9c1669a4343097cbb2453a51ac09b9417ad95f70 (diff)
downloadacf-openssh-6e4491a2a8234f52f9c571e811b6312aefc4ea88.tar.bz2
acf-openssh-6e4491a2a8234f52f9c571e811b6312aefc4ea88.tar.xz
First stab at a config file
git-svn-id: svn://svn.alpinelinux.org/acf/openssh/trunk@1291 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r--Makefile1
-rw-r--r--openssl-ca-acf.cnf180
2 files changed, 181 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index 8a5d22b..9e54812 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,7 @@ dist: $(tarball)
install:
mkdir -p "$(install_dir)"
cp -a $(APP_DIST) "$(install_dir)"
+
$(tarball): $(DISTFILES)
rm -rf $(P)
diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf
new file mode 100644
index 0000000..b7367e4
--- /dev/null
+++ b/openssl-ca-acf.cnf
@@ -0,0 +1,180 @@
+#
+# OpenSSL Certifying Authority (CA) configuration file for ACF
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = /etc/ssl
+RANDFILE = /dev/urandom
+
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/certs # default place for new certs.
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem # The private key
+default_md = sha1 # which md to use.
+#policy = policy_match
+
+
+dir = /etc/ssl # Where everything is kept
+crl_dir = $dir/crl # Where the issued crl are kept
+certs = $dir/certs # Where the issued certs are kept
+crl = $dir/crl.pem # The current CRL
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = ssl_client_cert
+
+default_days = 365
+default_crl_days= 365
+preserve = no # keep passed DN ordering
+#name_opt = ca_default_cert
+#cert_opt = ca_default_cert
+
+####################################################################
+[ ca ]
+default_ca = general_cert # The default ca section
+
+####################################################################
+#
+# The "Certificate Type" dropdown in the web interface is built
+# from any section in which all of the CA Mandatory Entries are
+# Defined. The CA Mandadory Entries are:
+# new_certs_dir, certificat, private_key, default_md, database,
+# serial, and policy
+#
+# In this file, we will define all but the policy in the
+# CA_default section, and then define the policy in each section
+# that will be presented as a "Certificate Type"
+#
+# To add a new certificate type, just add a new section name,
+# and make sure "policy" is defined there
+
+#[ CA_default ]
+# RANDFILE = $dir/private/.rand # private random number file
+# preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = ssl_client_cert
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default =
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default =
+
+localityName = Locality Name (eg, city)
+localityName_default =
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Watchtower
+
+organizationalUnitName = Organizational Unit Name (eg, division)
+organizationalUnitName_default = OpenVPN
+
+commonName = Common Name (eg, the certificate CN)
+commonName_max = 64
+commonName_default =
+
+emailAddress = Email Address
+emailAddress_max = 60
+
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+
+# Use -extensions "section_name" to load one of these sections
+
+[ general_cert ]
+# Non-specific
+basicConstraints = CA:FALSE
+#nsCertType =
+#keyUsage =
+#extendedKeyUsage =
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+dir = /etc/ssl # Where everything is kept
+
+
+[ ssl_server_cert ]
+# SSL server
+basicConstraints = CA:FALSE
+nsCertType = server
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+
+[ ssl_client_cert ]
+# SSL client
+basicConstraints = CA:FALSE
+nsCertType = client
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+
+[ v3_ca_cert ]
+# SSL Certifying Authority
+basicConstraints = critical, CA:true
+nsCertType = sslCA
+# Below is correct, but may prevent self-signed certs from working
+keyUsage = cRLSign, keyCertSign
+#extendedKeyUsage = serverAuth, clientAuth
+extenedKeyUsage =
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+
+
+[ crl_ext ]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
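Review bot: `default_md = sha1` in the global section is the digest every "Certificate Type" in this file inherits, and SHA-1 is already deprecated for new signatures; it should be `default_md = sha256` before any certificates are issued from this CA, since the digest is baked into everything it signs. In the same spirit, `default_crl_days= 365` lets a revoked certificate remain accepted by CRL-caching clients for up to a year, so a much shorter window (e.g. `default_crl_days = 30`) is advisable for a CA that issues client-auth/VPN certs. Two smaller issues: the `$dir` references at the top (`database`, `new_certs_dir`, `certificate`, …) appear before `dir = /etc/ssl` is assigned, which OpenSSL's own config parser rejects as "variable has no value" if this file is passed to `openssl ca` unmodified, and `extenedKeyUsage =` in `[ v3_ca_cert ]` is misspelled and will most likely be rejected as an unknown extension name. Moving the `dir` assignment above its first use and deleting the misspelled line fixes both; `RANDFILE` is also set twice (`/dev/urandom`, then `$dir/private/.rand`), and only one of them should remain.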