From 6e4491a2a8234f52f9c571e811b6312aefc4ea88 Mon Sep 17 00:00:00 2001
From: Nathan Angelacos
Date: Tue, 8 Jul 2008 21:40:56 +0000
Subject: First stab at a config file

git-svn-id: svn://svn.alpinelinux.org/acf/openssh/trunk@1291 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 Makefile | 1 +
 openssl-ca-acf.cnf | 180 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 181 insertions(+)
 create mode 100644 openssl-ca-acf.cnf

diff --git a/Makefile b/Makefile
index 8a5d22b..9e54812 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,7 @@ dist: $(tarball)
 install:
 	mkdir -p "$(install_dir)"
 	cp -a $(APP_DIST) "$(install_dir)"
+
 $(tarball): $(DISTFILES)
 	rm -rf $(P)
diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf
new file mode 100644
index 0000000..b7367e4
--- /dev/null
+++ b/openssl-ca-acf.cnf
@@ -0,0 +1,180 @@
+#
+# OpenSSL Certifying Authority (CA) configuration file for ACF
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = /etc/ssl
+RANDFILE = /dev/urandom
+
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/certs # default place for new certs.
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem # The private key
+default_md = sha1 # which md to use.
+#policy = policy_match
+
+
+dir = /etc/ssl # Where everything is kept
+crl_dir = $dir/crl # Where the issued crl are kept
+certs = $dir/certs # Where the issued certs are kept
+crl = $dir/crl.pem # The current CRL
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = ssl_client_cert
+
+default_days = 365
+default_crl_days= 365
+preserve = no # keep passed DN ordering
+#name_opt = ca_default_cert
+#cert_opt = ca_default_cert
+
+####################################################################
+[ ca ]
+default_ca = general_cert # The default ca section
+
+####################################################################
+#
+# The "Certificate Type" dropdown in the web interface is built
+# from any section in which all of the CA Mandatory Entries are
+# Defined. The CA Mandadory Entries are:
+# new_certs_dir, certificat, private_key, default_md, database,
+# serial, and policy
+#
+# In this file, we will define all but the policy in the
+# CA_default section, and then define the policy in each section
+# that will be presented as a "Certificate Type"
+#
+# To add a new certificate type, just add a new section name,
+# and make sure "policy" is defined there
+
+#[ CA_default ]
+# RANDFILE = $dir/private/.rand # private random number file
+# preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = ssl_client_cert
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default =
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default =
+
+localityName = Locality Name (eg, city)
+localityName_default =
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Watchtower
+
+organizationalUnitName = Organizational Unit Name (eg, division)
+organizationalUnitName_default = OpenVPN
+
+commonName = Common Name (eg, the certificate CN)
+commonName_max = 64
+commonName_default =
+
+emailAddress = Email Address
+emailAddress_max = 60
+
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+
+# Use -extensions "section_name" to load one of these sections
+
+[ general_cert ]
+# Non-specific
+basicConstraints = CA:FALSE
+#nsCertType =
+#keyUsage =
+#extendedKeyUsage =
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+dir = /etc/ssl # Where everything is kept
+
+
+[ ssl_server_cert ]
+# SSL server
+basicConstraints = CA:FALSE
+nsCertType = server
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+
+[ ssl_client_cert ]
+# SSL client
+basicConstraints = CA:FALSE
+nsCertType = client
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+
+[ v3_ca_cert ]
+# SSL Certifying Authority
+basicConstraints = critical, CA:true
+nsCertType = sslCA
+# Below is correct, but may prevent self-signed certs from working
+keyUsage = cRLSign, keyCertSign
+#extendedKeyUsage = serverAuth, clientAuth
+extenedKeyUsage =
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+
+
+[ crl_ext ]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
-- cgit v1.2.3
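Review bot: `$dir` is referenced by `database = $dir/index.txt` and the entries that follow it before `dir = /etc/ssl` is defined, and OpenSSL expands `$var` while it parses the file, so as far as I can tell this config fails to load with "variable has no value"; moving `dir = /etc/ssl` above `database` (as the stock openssl.cnf does) fixes that. In `[ v3_ca_cert ]` the line `extenedKeyUsage =` is both misspelled and empty, which makes `-extensions v3_ca_cert` fail with an unknown-extension error, so it should be deleted rather than left as a placeholder; the same loader rejects any non-extension key, so the `policy =` and `dir =` entries inside the extension sections will also break `x509_extensions = ssl_client_cert` unless the ACF front end strips them before invoking openssl, which this commit does not show. On the security side, `default_crl_days= 365` keeps a CRL valid for a year, so a revoked OpenVPN client or server certificate can go on being accepted by any relying party that caches the CRL until its nextUpdate; something like `default_crl_days= 30`, matched to how often the CRL is actually regenerated, limits that window. `default_md = sha1` should likewise become `default_md = sha256` for newly issued certificates and CRLs, and `policy_match` is defined but never referenced now that every type uses `policy_anything`, so either wire it to `v3_ca_cert` or drop it.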