sub CA configuration
This commit is contained in:
parent
2aab7772dc
commit
129ee2a7c2
1 changed files with 80 additions and 0 deletions
80
subca.conf
Normal file
80
subca.conf
Normal file
|
|
@ -0,0 +1,80 @@
|
||||||
|
# Example Sub CA configuration
|
||||||
|
# this CA should be used to sign client and server certificates
|
||||||
|
#
|
||||||
|
# Author: Jan Dittberner <jan@dittberner.info>
|
||||||
|
# Date: 2011-05-04
|
||||||
|
|
||||||
|
RANDFILE = $ENV::HOME/subca/.rnd
|
||||||
|
|
||||||
|
extensions = v3_ext
|
||||||
|
|
||||||
|
[ ca ]
|
||||||
|
default_ca = EXAMPLESUBCA # name of the default CA section
|
||||||
|
|
||||||
|
[ EXAMPLESUBCA ]
|
||||||
|
dir = $ENV::HOME/subca
|
||||||
|
certs = $dir/certs
|
||||||
|
crl_dir = $dir/crl
|
||||||
|
database = $dir/index.txt
|
||||||
|
new_certs_dir = $dir/newcerts
|
||||||
|
|
||||||
|
certificate = $dir/ca.crt.pem
|
||||||
|
serial = $dir/serial
|
||||||
|
crl = $dir/crl.pem
|
||||||
|
private_key = $dir/private/ca.key.pem
|
||||||
|
RANDFILE = $dir/private/.rand
|
||||||
|
unique_subject = no
|
||||||
|
|
||||||
|
email_in_dn = no
|
||||||
|
policy = policy_examplesub
|
||||||
|
x509_extensions = client_cert
|
||||||
|
|
||||||
|
# certificates are valid for 1 year
|
||||||
|
default_days = 365
|
||||||
|
default_crl_days= 1
|
||||||
|
default_md = sha256
|
||||||
|
|
||||||
|
copy_extensions = copy
|
||||||
|
|
||||||
|
[ policy_examplesub ]
|
||||||
|
countryName = match
|
||||||
|
stateOrProvinceName = match
|
||||||
|
organizationName = match
|
||||||
|
organizationalUnitName = supplied
|
||||||
|
commonName = supplied
|
||||||
|
emailAddress = optional
|
||||||
|
|
||||||
|
[ client_cert ]
|
||||||
|
basicConstraints = critical, CA:false
|
||||||
|
keyUsage = keyEncipherment,digitalSignature
|
||||||
|
extendedKeyUsage = clientAuth
|
||||||
|
nsComment = "Example Sub CA signed client certificate"
|
||||||
|
|
||||||
|
# PKIX recommendations harmless if included in all certificates.
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid:always,issuer:always
|
||||||
|
|
||||||
|
# Include email address in subject alt name: another PKIX recommendation
|
||||||
|
subjectAltName = email:copy
|
||||||
|
issuerAltName = issuer:copy
|
||||||
|
|
||||||
|
[ server_cert ]
|
||||||
|
basicConstraints = critical, CA:false
|
||||||
|
keyUsage = keyEncipherment,digitalSignature
|
||||||
|
extendedKeyUsage = serverAuth
|
||||||
|
nsComment = "Example Sub CA signed server certificate"
|
||||||
|
|
||||||
|
# PKIX recommendations harmless if included in all certificates.
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid:always,issuer:always
|
||||||
|
|
||||||
|
# Include email address in subject alt name: another PKIX recommendation
|
||||||
|
subjectAltName = email:copy
|
||||||
|
issuerAltName = issuer:copy
|
||||||
|
|
||||||
|
[ crl_ext ]
|
||||||
|
# CRL extensions.
|
||||||
|
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||||
|
|
||||||
|
# issuerAltName=issuer:copy
|
||||||
|
authorityKeyIdentifier = keyid:always,issuer:always
|
||||||
Loading…
Reference in a new issue