-rw-r--r-- | Makefile | 7 | ||||
-rw-r--r-- | openssl-ca-acf.cnf | 60 |
2 files changed, 37 insertions, 30 deletions
@@ -3,8 +3,11 @@ PACKAGE=acf-$(APP_NAME) VERSION=0.1.1 APP_DIST=\ - openssl* \ + openssl* \ +ETC_DIST=\ + openssl-ca-acf.cnf + EXTRA_DIST=README Makefile config.mk @@ -25,6 +28,8 @@ dist: $(tarball) install: mkdir -p "$(install_dir)" cp -a $(APP_DIST) "$(install_dir)" + mkdir -p "$(DESTDIR)/etc/ssl" + cp $(ETC_DIST) $(DESTDIR)/etc/ssl/ $(tarball): $(DISTFILES) rm -rf $(P) diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf index 47eec0e..1ffa05f 100644 --- a/openssl-ca-acf.cnf +++ b/openssl-ca-acf.cnf @@ -58,29 +58,9 @@ default_ca = ssl_server_cert # To add a new certificate type, just add a new section name, # and make sure "policy" is defined there -# Here are some policies that we may choose to have for our CA -# For the CA policy - -#[ policy_match ] -#countryName = match -#stateOrProvinceName = match -#organizationName = match -#organizationalUnitName = optional -#commonName = supplied -#emailAddress = optional - - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -#[ policy_anything ] -#countryName = optional -#stateOrProvinceName = optional -#localityName = optional -#organizationName = optional -#organizationalUnitName = optional -#commonName = supplied -#emailAddress = optional +# The policy states what must be supplied, and if it must match +# the signing CA. For a list of the fields presented in the +# web interface, see req below [ policy_acf_ca ] organizationName = match @@ -91,7 +71,17 @@ emailAddress = optional localityName = optional subjectAltName = optional + +[ policy_acf_cert ] +organizationalUnitName = optional +commonName = supplied +emailAddress = optional +subjectAltName.0 = optional +subjectAltName.1 = optional + + #################################################################### +# The settings for a request. [ req ] default_bits = 2048 default_keyfile = privkey.pem 
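Review bot: The new `install` recipe copies `openssl-ca-acf.cnf` into `$(DESTDIR)/etc/ssl/` unconditionally, so running it again on a live system replaces a locally edited CA policy file with the shipped one, and because that file decides which DN fields a request must carry or match, the overwrite silently changes what the CA will sign. `$(DESTDIR)` is quoted on the `mkdir` line but not on the `cp` line; quote both and set the mode explicitly instead of inheriting the source tree's permissions: `install -m 0644 $(ETC_DIST) "$(DESTDIR)/etc/ssl/"`. If this target is ever used outside a packaging staging directory, consider skipping or renaming the copy when the destination already exists.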
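Review bot: `subjectAltName.0` and `subjectAltName.1` in the new `[ policy_acf_cert ]` section are not object names OpenSSL knows; as far as I recall `openssl ca` resolves every policy key with OBJ_txt2nid() and aborts with "unknown object type in 'policy' configuration" on one it cannot resolve, whereas the existing `subjectAltName = optional` in `policy_acf_ca` resolves fine. I believe the policy check is keyed by attribute type rather than instance, so the two lines can collapse to a single `subjectAltName = optional`; worth confirming by feeding this section to `openssl ca` directly, in case ACF rewrites the config before invoking it. Note also that, unlike `policy_acf_ca` (`organizationName = match`), this policy lists no field that must match the issuer, and DN fields a policy does not mention are dropped from the issued certificate by `openssl ca` unless `-preserveDN` is given — a deliberate choice should say so in the comment above the section.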
@@ -100,18 +90,26 @@ attributes = req_attributes x509_extensions = v3_ca_cert string_mask = nombstr +# The req section specifies the attributes that will be asked for +# Here is where we define the fields that are presented in +# the web interface; if you don't want a subjectaltname to be +# allowed, just comment it out in this section, and it +# isn't shown in the web interface. + +# Note - the options are not guaranteed to be in the order shown +# below. [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = countryName_min = 2 countryName_max = 2 -localityName = Locality Name (e.g. city) -localityName_default = - organizationName = Organization Name organizationName_default = +localityName = Locality Name (e.g. city) +localityName_default = + organizationalUnitName = Organizational Unit Name (eg, division) organizationalUnitName_default = @@ -126,6 +124,10 @@ subjectAltName = Additional CN specifier (e.g DNS:www.myotherhost.com) subjectAltName_max = 64 subjectAltName_default = +subjectAltName.1 = Tertiary CN specifier (e.g DNS:www.mythirdhost.com) +subjectAltName_max.1 = 64 +subjectAltName_default.1 = + [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 @@ -155,7 +157,7 @@ keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always -policy = policy_acf_ca +policy = policy_acf_cert [ ssl_client_cert ] # SSL client @@ -165,7 +167,7 @@ keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always -policy = policy_acf_ca +policy = policy_acf_cert [ ssl_ca_cert ] # SSL Certifying Authority 
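Review bot: `subjectAltName_max.1 = 64` and `subjectAltName_default.1 =` put the instance suffix after the `_max`/`_default` suffix, so a reader that derives those keys from the prompt key (OpenSSL's `req` looks up `<key>_max` and `<key>_default`, i.e. `subjectAltName.1_max` here) will never find them, and the documented spelling for a repeated DN entry is a numeric prefix: `1.subjectAltName = Tertiary CN specifier ...`, `1.subjectAltName_max = 64`, `1.subjectAltName_default =`. If ACF parses `[ req_distinguished_name ]` itself to build the web form, the naming may be its own convention, but then the existing `subjectAltName_max = 64` line shows the suffix order it already expects. The numbering is also inconsistent with the policy section, which names `subjectAltName.0` and `subjectAltName.1` while this section has `subjectAltName` and `subjectAltName.1`. The `[ req_distinguished_name ]` section starts before this hunk.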
@@ -176,7 +178,7 @@ keyUsage = cRLSign, keyCertSign extendedKeyUsage = subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always -policy = policy_acf_ca +policy = policy_acf_cert [ crl_ext ] authorityKeyIdentifier = keyid,issuer:always |
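Review bot: Switching `[ ssl_ca_cert ]` from `policy_acf_ca` to `policy_acf_cert` removes the only issuer-match constraint visible in this diff (`policy_acf_ca` has `organizationName = match`, `policy_acf_cert` requires only `commonName`), so a subordinate CA certificate — this section grants `keyCertSign, cRLSign` — can now be issued for whatever subject the web form submits, and because `openssl ca` drops DN fields the policy does not list, its subject loses C/ST/L/O entirely. The server and client sections get the same switch in earlier hunks, which may be intended for leaf certificates, but for the CA section keeping `policy = policy_acf_ca`, or adding `organizationName = match` to `policy_acf_cert`, preserves the existing binding between issuer and subordinate. The remaining fields of `policy_acf_ca` are outside this diff, so the comparison is partial.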