1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
#
# This config file used as an Ugly Simple CA for EST demonstration purposes
#
# Normally one would replace the ESTserver callout scripts with scripts that
# talk to your own fully armed and operational CA. (e.g. something real with some
# meat behind it, not just some demo CA).
#
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
# Some of these values are duplicates of settings in estScript_variables.sh file
# (keep them in sync!)
dir = ./CA/estCA # top dir (aka EST_OPENSSL_CADIR)
database = $dir/index.txt # index file (aka EST_OPENSSL_CADATABASE)
new_certs_dir = $dir/newcerts # new certs dir
certificate = $dir/cacert.crt # The CA cert (aka EST_OPENSSL_CACERT)
serial = $dir/serial # serial no file (aka EST_OPENSSL_CASERIAL)
private_key = $dir/private/cakey.pem # CA private key (aka EST_OPENSSL_CAPRIVATE)
RANDFILE = $dir/.rnd # random number file
default_days = 7305 # how long to certify for
default_md = sha256 # md to use
# For certificate revocation lists
crl = $dir/crl_estCA.pem
crl_extensions = crl_ext
default_crl_days = 7305 # how long before next CRL
crlDistributionPoints = URI:http://example.com/crl.pem
policy = policy_any # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
copy_extensions = none # Don't copy extensions from request
x509_extensions = client_cert # The extensions to add to certs issued
# To enable a demo client to be run multiple time we DISABLE unique subject
# checking. This significantly reduces the security of this CA!!
unique_subject = no
# This policy applies to clients *and* it apples to the CA cert itself
[ policy_any ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
serialNumber = optional
emailAddress = optional
title = optional
givenName = optional
initials = optional
pseudonym = optional
generationQualifier = optional
domainComponent = optional
# This section is used when issuing certs from simpleEnroll.sh
[ client_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign
#
# Add the id-kp-cmcRA usage. This isn't defined in OpenSSL, so we
# Need to use the OID value
#extendedKeyUsage = critical,serverAuth,clientAuth,1.3.6.1.5.5.7.3.28
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid,issuer
authorityKeyIdentifier = keyid
[ req_distinguished_name ]
x509_extensions = v3_ca
# estExample_setup.sh references this section for initial CA values
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
#keyUsage = digitalSignature, keyCertSign
subjectAltName = @alt_names
crlDistributionPoints = URI:http://example.com/crl.pem
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ alt_names ]
DNS.1 = localhost
DNS.2 = ip6-localhost
IP.1 = 127.0.0.1
IP.2 = ::1
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
# NOTE: this must be the last section and last lines
# because the ESThandler_clientgenp10.sh extends this file for
# setting the challenge password attribute
|
