1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
#
# OpenSSL Certifying Authority (CA) configuration file for ACF
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = /etc/ssl
RANDFILE = /dev/urandom
# Openssl wants to put these in the ca section; but for our purposes
# this config file is only used by the CA, so we define them
# for everything
dir = /etc/ssl # Where everything is kept
crl_dir = $dir/crl # Where the issued crl are kept
certs = $dir/certs # Where the issued certs are kept
crl = $dir/crl.pem # The current CRL
RANDFILE = $dir/private/.rand # private random number file
# The "Certificate Type" dropdown in the web interface is built
# from any section in which all of the CA Mandatory Entries are
# Defined. The CA Mandadory Entries are:
# new_certs_dir, certificat, private_key, default_md, database,
# serial, and policy
#
# In this file, we will define all but the policy here, and then
# define the policy in each section that is to be presented
# as a specific "Certificate Type"
#
# You can overwrite any of these in that section - setting it here
# just means we don't have to specify them all for each
# "Certificate Type"
#
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem # The private key
default_md = sha1 # which md to use.
#policy = policy_match
default_days = 365
default_crl_days= 365
preserve = no # keep passed DN ordering
name_opt = ca_default
cert_opt = ca_default
####################################################################
# This section will be presented as the default
# "Certificate Type" in the web interface
[ ca ]
default_ca = ssl_server_cert
####################################################################
# To add a new certificate type, just add a new section name,
# and make sure "policy" is defined there
# Here are some policies that we may choose to have for our CA
# For the CA policy
#[ policy_match ]
#countryName = match
#stateOrProvinceName = match
#organizationName = match
#organizationalUnitName = optional
#commonName = supplied
#emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
#[ policy_anything ]
#countryName = optional
#stateOrProvinceName = optional
#localityName = optional
#organizationName = optional
#organizationalUnitName = optional
#commonName = supplied
#emailAddress = optional
[ policy_acf_ca ]
organizationName = match
organizationalUnitName = optional
countryName = optional
commonName = supplied
emailAddress = optional
localityName = optional
subjectAltName = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca_cert
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default =
countryName_min = 2
countryName_max = 2
localityName = Locality Name (e.g. city)
localityName_default =
organizationName = Organization Name
organizationName_default =
organizationalUnitName = Organizational Unit Name (eg, division)
organizationalUnitName_default =
commonName = Common Name (eg, the certificate CN)
commonName_max = 64
commonName_default =
emailAddress = Email Address
emailAddress_max = 60
subjectAltName = Additional CN specifier (e.g DNS:www.myotherhost.com)
subjectAltName_max = 64
subjectAltName_default =
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ v3_ca_cert ]
basicConstraints = critical, CA:true
nsCertType = sslCA
# Below is correct, but may prevent self-signed certs from working
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[ general_cert ]
# Non-specific
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
policy = policy_acf_ca
[ ssl_server_cert ]
# SSL server
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
policy = policy_acf_ca
[ ssl_client_cert ]
# SSL client
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
policy = policy_acf_ca
[ ssl_ca_cert ]
# SSL Certifying Authority
basicConstraints = critical, CA:true
nsCertType = sslCA
# Below is correct, but may prevent self-signed certs from working
keyUsage = cRLSign, keyCertSign
extendedKeyUsage =
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
policy = policy_acf_ca
[ crl_ext ]
authorityKeyIdentifier = keyid,issuer:always
|
