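#
# OpenSSL Certifying Authority (CA) configuration file for ACF
#
# Read by the openssl "ca" and "req" commands; the web interface builds
# its "Certificate Type" dropdown from the sections described below.
#
# Review notes for this revision:
#  - default_md was sha1. SHA-1 certificate signatures are rejected by
#    current browsers and TLS libraries, so it is now sha256.
#  - RANDFILE was defined twice at top level (/dev/urandom and then
#    $dir/private/.rand). OpenSSL keeps the last definition of a key in
#    a section, so only the effective one is kept, placed after "dir" is
#    defined so the $dir reference resolves.
#  - copy_extensions = copy means extensions present in a CSR are copied
#    into the issued certificate unless the same extension is already set
#    in the chosen x509_extensions section. That is what allows
#    subjectAltName from a request, so check requested SANs before signing.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = /etc/ssl

# Openssl wants to put these in the ca section; but for our purposes
# this config file is only used by the CA, so we define them
# for everything

# Where everything is kept
dir = /etc/ssl
# Where the issued crl are kept
crl_dir = $dir/crl
# Where the issued certs are kept
certs = $dir/certs
# The current CRL
crl = $dir/crl.pem
# private random number file
RANDFILE = $dir/private/.rand

# The "Certificate Type" dropdown in the web interface is built
# from any section in which all of the CA Mandatory Entries are
# defined. The CA Mandatory Entries are:
# new_certs_dir, certificate, private_key, default_md, database,
# serial, and policy
#
# In this file, we will define all but the policy here, and then
# define the policy in each section that is to be presented
# as a specific "Certificate Type"
#
# You can overwrite any of these in that section - setting it here
# just means we don't have to specify them all for each
# "Certificate Type"
#

# database index file.
database = $dir/index.txt
# default place for new certs.
new_certs_dir = $dir/certs
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The private key. Keep this file readable by the CA user only;
# anyone who can read it can issue certificates trusted by this CA.
private_key = $dir/private/cakey.pem
# which md to use. sha1 is no longer accepted for certificate
# signatures by modern clients, hence sha256.
default_md = sha256

# Allow same subject for renewal
unique_subject = no
#policy = policy_match
# Lifetime of issued certificates, in days
default_days = 365
# CRL nextUpdate interval, in days. Relying parties may cache a CRL
# until nextUpdate, so a shorter value makes revocations visible sooner.
default_crl_days = 365
# keep passed DN ordering
preserve = no
name_opt = ca_default
cert_opt = ca_default

####################################################################
# This section will be presented as the default
# "Certificate Type" in the web interface
[ ca ]
default_ca = ssl_server_cert

####################################################################
# To add a new certificate type, just add a new section name,
# and make sure "policy" is defined there
# The policy states what must be supplied, and if it must match
# the signing CA. For a list of the fields presented in the
# web interface, see req below

# Policy for issuing subordinate CA certificates: the organization
# must match the signing CA.
[ policy_acf_ca ]
organizationName = match
organizationalUnitName = optional
countryName = optional
commonName = supplied
emailAddress = optional
localityName = optional

# Policy for end-entity certificates: only a commonName is required.
[ policy_acf_cert ]
organizationName = optional
organizationalUnitName = optional
countryName = optional
commonName = supplied
emailAddress = optional
localityName = optional

####################################################################
# The settings for a request.
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions used when "req -x509" produces a self-signed certificate
x509_extensions = v3_ca_cert
# nombstr avoids BMPString/UTF8String in the DN for very old clients;
# utf8only is the modern OpenSSL default and could replace it if such
# clients no longer matter.
string_mask = nombstr

# The req section specifies the attributes that will be asked for
# Here is where we define the fields that are presented in
# the web interface; if you don't want a subjectaltname to be
# allowed, just comment it out in this section, and it
# isn't shown in the web interface.
# Note - the options are not guaranteed to be in the order shown
# below.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default =
countryName_min = 2
countryName_max = 2
organizationName = Organization Name
organizationName_default =
localityName = Locality Name (e.g. city)
localityName_default =

# This is how you add multiple values; in this case we will
# use multiple organizationalUnitNames
0.organizationalUnitName = Organizational Unit Name (eg, division)
0.organizationalUnitName_default =
1.organizationalUnitName = Organizational Unit Name (eg, division)
1.organizationalUnitName_default =
2.organizationalUnitName = Organizational Unit Name (eg, division)
2.organizationalUnitName_default =
commonName = Common Name (eg, the certificate CN)
commonName_max = 64
commonName_default =
emailAddress = Email Address
emailAddress_max = 60

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

# Extensions for the self-signed root certificate
[ v3_ca_cert ]
basicConstraints = critical, CA:true
nsCertType = sslCA
# Below is correct, but may prevent self-signed certs from working
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# Non-specific
[ general_cert ]
policy = policy_acf_cert
x509_extensions = general
copy_extensions = copy

[ general ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# SSL server
[ ssl_server_cert ]
policy = policy_acf_cert
x509_extensions = ssl_server
copy_extensions = copy

[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# SSL client
[ ssl_client_cert ]
policy = policy_acf_cert
x509_extensions = ssl_client
copy_extensions = copy

[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# SSL Certifying Authority
[ ssl_ca_cert ]
policy = policy_acf_ca
x509_extensions = ssl_ca
copy_extensions = copy

[ ssl_ca ]
basicConstraints = critical, CA:true
nsCertType = sslCA
# Below is correct, but may prevent self-signed certs from working
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# Extensions added to generated CRLs
[ crl_ext ]
authorityKeyIdentifier = keyid,issuer:always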