jan/cacert-devsetup
1
0
Fork 1
Code Issues Pull requests Releases Wiki Activity

Add signer configuration

Browse source
This commit is contained in:
Jan Dittberner 2020-12-23 22:14:13 +01:00 committed by Jan Dittberner
parent e8ad6b9ba7
commit 774c6b0e9c
23 changed files with 597 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
docker-compose.yml
View file

@ -39,6 +39,7 @@ services:
MYSQL_WEBDB_DATABASE: cacert MYSQL_WEBDB_DATABASE: cacert
CSR_DIRECTORY: /certs/csr CSR_DIRECTORY: /certs/csr
CRT_DIRECTORY: /certs/crt CRT_DIRECTORY: /certs/crt
CRL_DIRECTORY: /certs/crl
DEFAULT_HOSTNAME: www.cacert.localhost DEFAULT_HOSTNAME: www.cacert.localhost
SECURE_HOSTNAME: secure.cacert.localhost SECURE_HOSTNAME: secure.cacert.localhost
TVERIFY_HOSTNAME: tverify.cacert.localhost TVERIFY_HOSTNAME: tverify.cacert.localhost
@ -97,6 +98,7 @@ services:
MYSQL_WEBDB_DATABASE: cacert MYSQL_WEBDB_DATABASE: cacert
CSR_DIRECTORY: /srv/certs/csr CSR_DIRECTORY: /srv/certs/csr
CRT_DIRECTORY: /srv/certs/crt CRT_DIRECTORY: /srv/certs/crt
CRL_DIRECTORY: /srv/certs/crl
volumes: volumes:
- certstaging:/srv/certs - certstaging:/srv/certs
- signersockets:/srv/sockets - signersockets:/srv/sockets
@ -109,6 +111,7 @@ services:
environment: environment:
SIGNER_WORKDIR: /srv/ca/work SIGNER_WORKDIR: /srv/ca/work
SIGNER_CA_CONFIG: /srv/caconfig SIGNER_CA_CONFIG: /srv/caconfig
SIGNER_BASEDIR: /srv/ca
volumes: volumes:
- signersockets:/srv/sockets - signersockets:/srv/sockets
- signerdata:/srv/ca - signerdata:/srv/ca

4
docker/apache-webdb-foreground
View file

@ -8,6 +8,10 @@ cp /usr/local/etc/application/feed.rss /www/pages/index/feed.rss
make -C /www/locale make -C /www/locale
mkdir -p "$CSR_DIRECTORY" "$CRT_DIRECTORY"
chown www-data "$CSR_DIRECTORY" "$CRT_DIRECTORY"
chmod 0755 "$CSR_DIRECTORY" "$CRT_DIRECTORY"
apache2ctl start "$@" apache2ctl start "$@"
exec tail -F --follow=name --retry /var/log/apache2/error.log /var/log/apache2/phperror.log exec tail -F --follow=name --retry /var/log/apache2/error.log /var/log/apache2/phperror.log

14
docker/run-signer
View file

@ -8,6 +8,20 @@ sleep 1
export SERIAL_PORT=/dev/ttyUSB0 export SERIAL_PORT=/dev/ttyUSB0
mkdir -p /srv/ca/CA/certs /srv/ca/CA/private /srv/ca/CA/newcerts
cp /srv/testca/root/ca.crt.pem /srv/ca/CA/ca.crt.pem
cp /srv/testca/root/private/ca.key.pem /srv/ca/CA/private/ca.key.pem
if [ ! -f /srv/ca/CA/index.txt ]; then cp /srv/testca/root/index.txt /srv/ca/CA/index.txt; fi
if [ ! -f /srv/ca/CA/serial ]; then echo 1 > /srv/ca/CA/serial; fi
if [ ! -f /srv/ca/CA/crlnumber ]; then echo 1000 > /srv/ca/CA/crlnumber; fi
mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts
cp /srv/testca/class3/ca.crt.pem /srv/ca/class3/ca.crt.pem
cp /srv/testca/class3/private/ca.key.pem /srv/ca/class3/private/ca.key.pem
if [ ! -f /srv/ca/class3/index.txt ]; then cp /srv/testca/class3/index.txt /srv/ca/class3/index.txt; fi
if [ ! -f /srv/ca/class3/serial ]; then echo 1 > /srv/ca/class3/serial; fi
if [ ! -f /srv/ca/class3/crlnumber ]; then echo 1000 > /srv/ca/class3/crlnumber; fi
cd /srv/CommModule/ cd /srv/CommModule/
touch server.pl-active touch server.pl-active

40
docker/signer-config/class3-client-codesign.cnf Normal file
View file

@ -0,0 +1,40 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/class3 # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = critical, CA:FALSE
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
crlDistributionPoints = URI:http://crl.cacert.localhost/test-class3-revoke.crl
subjectAltName = email:copy
[ crl_ext ]

40
docker/signer-config/class3-client-org.cnf Normal file
View file

@ -0,0 +1,40 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/class3 # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = critical, CA:FALSE
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
subjectAltName = email:copy
[ crl_ext ]

36
docker/signer-config/class3-client.cnf
View file

@ -1,23 +1,23 @@
[ ca ] [ ca ]
default_ca = CA_default # The default ca section default_ca = CA_default # The default ca section
[ CA_default ] [ CA_default ]
dir = /srv/ca/class3 # Where everything is kept dir = /srv/ca/class3 # Where everything is kept
certs = $dir/certs # Where the issued certs are kept certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept crl_dir = $dir/crl # Where the issued crl are kept
crlnumber = $dir/crlnumber # bug-1438 crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)
database = $dir/index.txt # database index file. database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs. new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key.pem # The private key private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use. default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering preserve = no # keep passed DN ordering
policy = policy_anything policy = policy_anything
[ policy_anything ] [ policy_anything ]
@ -37,3 +37,5 @@ extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
subjectAltName = email:copy subjectAltName = email:copy
[ crl_ext ]

38
docker/signer-config/class3-ocsp.cnf Normal file
View file

@ -0,0 +1,38 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/class3 # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = serverAuth,OCSPSigning,nsSGC,msSGC
# no authorityInfoAccess to avoid loops
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
[ crl_ext ]

39
docker/signer-config/class3-server-org.cnf Normal file
View file

@ -0,0 +1,39 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/class3 # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 180 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
subjectAltName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
[ crl_ext ]

34
docker/signer-config/class3-server.cnf Normal file
View file

@ -0,0 +1,34 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/class3 # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 180 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
commonName = optional
subjectAltName = optional
[ usr_cert ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
[ crl_ext ]

33
docker/signer-config/class3-subca.cnf Normal file
View file

@ -0,0 +1,33 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/class3 # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 180 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
commonName = optional
subjectAltName = optional
[ usr_cert ]
basicConstraints = critical,CA:TRUE
extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
keyUsage = digitalSignature,keyEncipherment
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
[ crl_ext ]

38
docker/signer-config/class3-timestamp.cnf Normal file
View file

@ -0,0 +1,38 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/class3 # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth,serverAuth,timeStamping
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
subjectAltName = email:copy
[ crl_ext ]

40
docker/signer-config/openssl-client-codesign.cnf Normal file
View file

@ -0,0 +1,40 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = critical,CA:FALSE
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
subjectAltName = email:copy
[ crl_ext ]

40
docker/signer-config/openssl-client-org.cnf Normal file
View file

@ -0,0 +1,40 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = critical,CA:FALSE
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = emailProtection,clientAuth,msEFS,msSGC,nsSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
subjectAltName = email:copy
[ crl_ext ]

44
docker/signer-config/openssl-client.cnf
View file

@ -1,23 +1,23 @@
[ ca ] [ ca ]
default_ca = CA_default # The default ca section default_ca = CA_default # The default ca section
[ CA_default ] [ CA_default ]
dir = /srv/ca/CA # Where everything is kept dir = /srv/ca/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept crl_dir = $dir/crl # Where the issued crl are kept
crlnumber = $dir/crlnumber # bug-1438 crlnumber = $dir/crlnumber # bug-1438
database = $dir/index.txt # database index file. database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs. new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key.pem # The private key private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use. default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering preserve = no # keep passed DN ordering
policy = policy_anything policy = policy_anything
[ policy_anything ] [ policy_anything ]
@ -30,10 +30,12 @@ commonName = optional
emailAddress = optional emailAddress = optional
[ usr_cert ] [ usr_cert ]
basicConstraints = critical, CA:FALSE basicConstraints = critical,CA:FALSE
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC extendedKeyUsage = emailProtection,clientAuth,msEFS,msSGC,nsSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
subjectAltName = email:copy subjectAltName = email:copy
[ crl_ext ]

38
docker/signer-config/openssl-ocsp.cnf Normal file
View file

@ -0,0 +1,38 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = serverAuth,OCSPSigning,nsSGC,msSGC
# no authorityInfoAccess to avoid loops
crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
[ crl_ext ]

39
docker/signer-config/openssl-server-org.cnf Normal file
View file

@ -0,0 +1,39 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
subjectAltName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
[ crl_ext ]

34
docker/signer-config/openssl-server.cnf Normal file
View file

@ -0,0 +1,34 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
commonName = optional
subjectAltName = optional
[ usr_cert ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
[ crl_ext ]

34
docker/signer-config/openssl-subca.cnf Normal file
View file

@ -0,0 +1,34 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
commonName = optional
subjectAltName = optional
[ usr_cert ]
basicConstraints = critical,CA:TRUE
extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
keyUsage = digitalSignature,keyEncipherment
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
[ crl_ext ]

38
docker/signer-config/openssl-timestamp.cnf Normal file
View file

@ -0,0 +1,38 @@
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /srv/ca/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 200 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth,serverAuth,timeStamping
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
subjectAltName = email:copy
[ crl_ext ]

2
mgr.Dockerfile
View file

@ -29,7 +29,7 @@ COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt
COPY docker/apache-mgr-virtualhost.conf /etc/apache2/sites-available/mgr.cacert.localhost.conf COPY docker/apache-mgr-virtualhost.conf /etc/apache2/sites-available/mgr.cacert.localhost.conf
COPY docker/mgr-application.ini /usr/local/etc/ COPY docker/mgr-application.ini /usr/local/etc/
VOLUME /var/www VOLUME /var/www/mgr
RUN a2ensite mgr.cacert.localhost ; \ RUN a2ensite mgr.cacert.localhost ; \
a2dissite 000-default ; \ a2dissite 000-default ; \

7
signer.Dockerfile
View file

@ -10,15 +10,18 @@ RUN apt-get update \
openssl \ openssl \
perl \ perl \
socat \ socat \
xdelta \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
VOLUME /srv/ca
COPY cacert-software/CommModule/server.pl \ COPY cacert-software/CommModule/server.pl \
cacert-software/CommModule/logclean.sh \ cacert-software/CommModule/logclean.sh \
/srv/CommModule/ /srv/CommModule/
COPY docker/run-signer usr/local/bin/ COPY docker/run-signer usr/local/bin/
COPY docker/signer-config/* /srv/caconfig/ COPY docker/signer-config/* /srv/caconfig/
COPY testca /srv/testca/
VOLUME /srv/ca
CMD ["/usr/local/bin/run-signer"] CMD ["/usr/local/bin/run-signer"]

1
signer_client.Dockerfile
View file

@ -11,6 +11,7 @@ RUN apt-get update \
openssl \ openssl \
perl \ perl \
socat \ socat \
xdelta \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*

2
webdb.Dockerfile
View file

@ -12,6 +12,8 @@ RUN apt-get update \
make \ make \
netbase \ netbase \
nullmailer \ nullmailer \
openssl-blacklist \
openssl-blacklist-extra \
php-apc \ php-apc \
php-fpdf \ php-fpdf \
php-gettext \ php-gettext \