author | Nathan Angelacos <nangel@tetrasec.net> | 2008-07-09 17:50:07 +0000 |
---|---|---|
committer | Nathan Angelacos <nangel@tetrasec.net> | 2008-07-09 17:50:07 +0000 |
commit | a212499c9b3ca33a3f60398192e4998424e379e1 (patch) | |
tree | 3da7b74058086d9aa97c04140dcce6627348a222 | |
parent | 80b754148dd765622006cc602218c88307e42043 (diff) | |
first whack at making a usable acf ca openssl.cnf file
git-svn-id: svn://svn.alpinelinux.org/acf/openssl/trunk@1292 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | openssl-ca-acf.cnf | 190 |
1 files changed, 190 insertions, 0 deletions
diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf
new file mode 100644
index 0000000..2e3adfb
--- /dev/null
+++ b/openssl-ca-acf.cnf
@@ -0,0 +1,190 @@
+#
+# OpenSSL Certifying Authority (CA) configuration file for ACF
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = /etc/ssl
+RANDFILE = /dev/urandom
+
+
+
+
+# Openssl wants to put these in the ca section; but for our purposes
+# this config file is only used by the CA, so we define them
+# for everything
+dir = /etc/ssl # Where everything is kept
+crl_dir = $dir/crl # Where the issued crl are kept
+certs = $dir/certs # Where the issued certs are kept
+crl = $dir/crl.pem # The current CRL
+RANDFILE = $dir/private/.rand # private random number file
+
+
+# The "Certificate Type" dropdown in the web interface is built
+# from any section in which all of the CA Mandatory Entries are
+# Defined. The CA Mandadory Entries are:
+# new_certs_dir, certificat, private_key, default_md, database,
+# serial, and policy
+#
+# In this file, we will define all but the policy here, and then
+# define the policy in each section that is to be presented
+# as a specific "Certificate Type"
+#
+# You can overwrite any of these in that section - setting it here
+# just means we don't have to specify them all for each
+# "Certificate Type"
+#
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/certs # default place for new certs.
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem # The private key
+default_md = sha1 # which md to use.
+#policy = policy_match
+
+default_days = 365
+default_crl_days= 365
+preserve = no # keep passed DN ordering
+name_opt = ca_default
+cert_opt = ca_default
+
+####################################################################
+# This section will be presented as the default
+# "Certificate Type" in the web interface
+[ ca ]
+default_ca = ssl_server_cert
+
+####################################################################
+# To add a new certificate type, just add a new section name,
+# and make sure "policy" is defined there
+
+# Here are some policies that we may choose to have for our CA
+# For the CA policy
+
+#[ policy_match ]
+#countryName = match
+#stateOrProvinceName = match
+#organizationName = match
+#organizationalUnitName = optional
+#commonName = supplied
+#emailAddress = optional
+
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+#[ policy_anything ]
+#countryName = optional
+#stateOrProvinceName = optional
+#localityName = optional
+#organizationName = optional
+#organizationalUnitName = optional
+#commonName = supplied
+#emailAddress = optional
+
+[ policy_acf_ca ]
+organizationName = match
+organizationalUnitName = optional
+countryName = optional
+commonName = supplied
+emailAddress = optional
+localityName = optional
+subjectAltName.1 = optional
+subjectAltName.2 = optional
+subjectAltName.3 = optional
+subjectAltName.4 = optional
+
+
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = ssl_client_cert
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default =
+countryName_min = 2
+countryName_max = 2
+
+localityName = Locality Name (e.g. 
city)
+localityName_default =
+
+organizationName = Organization Name
+organizationName_default =
+
+organizationalUnitName = Organizational Unit Name (eg, division)
+organizationalUnitName_default =
+
+commonName = Common Name (eg, the certificate CN)
+commonName_max = 64
+commonName_default =
+
+emailAddress = Email Address
+emailAddress_max = 60
+
+subjectAltName = Additional CN specifier (e.g DNS:www.myotherhost.com)
+subjectAltName_max = 64
+subjectAltName_default =
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+
+[ general_cert ]
+# Non-specific
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_acf_ca
+
+
+[ ssl_server_cert ]
+# SSL server
+basicConstraints = CA:FALSE
+nsCertType = server
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_acf_ca
+
+[ ssl_client_cert ]
+# SSL client
+basicConstraints = CA:FALSE
+nsCertType = client
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_acf_ca
+
+[ v3_ca_cert ]
+# SSL Certifying Authority
+basicConstraints = critical, CA:true
+nsCertType = sslCA
+# Below is correct, but may prevent self-signed certs from working
+keyUsage = cRLSign, keyCertSign
+#extendedKeyUsage = serverAuth, clientAuth
+extenedKeyUsage =
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_acf_ca
+
+[ crl_ext ]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
|
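Review bot: `[ req ]` points `x509_extensions = ssl_client_cert`, so a CA certificate created with `openssl req -x509` under this file would be issued with `basicConstraints = CA:FALSE` and `nsCertType = client` — a root that cannot sign anything — unless the caller overrides it with `-extensions`; `v3_ca_cert` looks like the section meant for that, i.e. `x509_extensions = v3_ca_cert`. In `[ v3_ca_cert ]` the key `extenedKeyUsage =` is misspelled, and since OpenSSL rejects unrecognised names when it loads an extension section this would make the whole section fail to load; either restore the spelling or comment the line out like the line above it. `RANDFILE` is assigned twice in the unnamed top section (`/dev/urandom`, then `$dir/private/.rand`), which leaves the effective value to the parser's duplicate-key handling; keep one. The `policy = policy_acf_ca` key in `[ ssl_client_cert ]` and the other cert-type sections is likely to trigger the same unknown-extension error wherever one of those sections is loaded as an extension section (as `[ req ]` does), and I cannot tell from this file how the web interface maps a "Certificate Type" section onto both the CA section and `-extensions`, so separating the CA keys from the extension keys into distinct sections would be safer.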