#
# This config file used as an Ugly Simple CA for EST demonstration purposes
#
# Normally one would replace the ESTserver callout scripts with scripts that 
# talk to your own fully armed and operational CA. (e.g. something real with some
# meat behind it, not just some demo CA).
#
# This particular config file mostly used as an "external" CA.
# It stands in for an alternate PKI that might have issued an existing
# client certificate. An alternate example is to issue a certificate
# to the estserver which is NOT issued by the CA the estserver fronts
# for. This would be equivalent to an estserver with a certificate
# issued by a web server CA but fronting for a local CA.
#

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
# Some of these values are duplicates of the settings in the estScript_variables.sh file (keep them in sync!)
dir            = ./masaCA   		   # top dir (aka EST_OPENSSL_CADIR)
database       = $dir/index.txt        # index file (aka EST_OPENSSL_CADATABASE)
new_certs_dir  = $dir/newcerts         # new certs dir

certificate    = $dir/cacert.crt       # The CA cert (aka EST_OPENSSL_CACERT)
serial         = $dir/serial           # serial no file (aka EST_OPENSSL_CASERIAL)
private_key    = $dir/private/cakey.pem# CA private key (aka EST_OPENSSL_CAPRIVATE)
RANDFILE       = $dir/private/.rnd     # random number file

default_days   = 365                   # how long to certify for
default_crl_days= 30                   # how long before next CRL
default_md     =  sha256               # md to use

policy         = policy_any            # default policy
email_in_dn    = no                    # Don't add the email into cert DN

name_opt       = ca_default            # Subject name display option
cert_opt       = ca_default            # Certificate display option
copy_extensions = none                 # Don't copy extensions from request
x509_extensions = client_cert          # The extensions to add to certs issued

# to enable a demo client to be run multiple time we DISABLE unique subject
# checking. This significantly reduces the security of this CA!!
unique_subject=no

# This policy applies to clients *and* it apples to the CA cert itself
[ policy_any ]
commonName              = supplied
serialNumber            = optional 

# this section is used when issuing certs from simpleEnroll.sh
[ client_cert ]
# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
#authorityKeyIdentifier=keyid,issuer
authorityKeyIdentifier=keyid

[ req_distinguished_name ]
x509_extensions        = v3_ca

# estExample_setup.sh references this section for initial CA values
[ v3_ca ]
basicConstraints    = CA:TRUE
subjectKeyIdentifier=hash

[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
# NOTE: this must be the last section and last lines 
# because the ESThandler_clientgenp10.sh extends this file for 
# setting the challenge password attribute