@Charlweed
Created June 10, 2021 17:06
Example OpenSSL configuration files for a root CA and a subordinate CA (two files, shown one after the other). There may well be errors; review the extension profiles, policies and URLs before using them.
# ===== File 1: root CA configuration =====
# HOME is never referenced in this file ($HOME does not appear); it is a leftover
# from the stock openssl.cnf template and is harmless.
HOME = .
# This is our Root CA. I will also use a sub-CA
####################################################################
[ default ]
# Variables referenced as $name elsewhere in this file. OpenSSL resolves a
# variable in the current section first and then in this section, so these
# act as file-wide defaults.
ca = ca-root.mydomain.org # CA name
base_url = http://ca-root.mydomain.org # CA base URL
aia_url = $base_url/$ca.cer # CA certificate URL
crl_url = $base_url/$ca.crl # Certificate Revocation List distribution point
# NOTE(review): crl_url and ocsp_url are defined here, but [ca_extensions] below
# hard-codes different URLs (…/crl/mydomain.crl.pem and port 8083 on the CA host).
# One of the two is wrong for the published files; keep a single source of truth.
ocsp_url = http://ocsp-signer.mydomain.org # OCSP responder URL
# Root of the CA's on-disk state. The absolute paths in [ca_default] repeat it
# verbatim instead of using $dir.
dir = /opt/public_key_infrastructure_plant/alt_local/pki/CA # The root dir of the CA configuration
name_opt = multiline, -esc_msb, utf8 # Display UTF-8 characters
####################################################################
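[ req ]
# Settings for 'openssl req' when generating the root key and its self-signed
# certificate ('openssl req -x509' applies x509_extensions below).
default_bits = 4096 # RSA key size
# Explicit digest, consistent with [ca_default] and the sub-CA's [req] section.
default_md = sha256
# Write the key where [ca_default] private_key expects it. The original used a
# bare filename, which lands in the current working directory instead.
default_keyfile = $dir/private/ca-root.mydomain.org_key_certificate-authority-root_authenticate.key
# encrypt_key is deliberately left at its default (yes): the root key is written
# encrypted and 'openssl req' prompts for the passphrase.
distinguished_name = ca_distinguished_name
string_mask = utf8only
x509_extensions = ca_extensions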
####################################################################
[ ca ]
# Section 'openssl ca' reads unless -name is given.
default_ca = ca_default
####################################################################
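[ ca_default ]
# Settings for 'openssl ca' when the root signs (normally only the sub-CA).
# Paths are built from $dir ([default]); they expand to exactly the absolute
# paths the original spelled out, so relocating the CA means changing one variable.
certificate = $dir/certs/ca-root.mydomain.org_certificate-authority-root_authenticate.crt # The root CA cert
private_key = $dir/private/ca-root.mydomain.org_key_certificate-authority-root_authenticate.key # Must not be readable by anyone but the CA operator
database = $dir/ca.db.index # The certificate database a.k.a. index file
new_certs_dir = $dir/ca.db.certs # Certificate archive
serial = $dir/ca.db.serial # Also used by the OCSP responder
RANDFILE = $dir/ca.db.rand
# 'openssl ca' needs a policy section (this key or -policy) and stops at startup
# without one; the original section defined none. signing_policy is defined below.
policy = signing_policy
# Default extension profile. ca_extensions carries CA:true, which is what a root
# that only issues sub-CAs wants, but note that any CSR signed here without
# -extensions becomes a CA certificate.
x509_extensions = ca_extensions
# Never import extensions from a sub-CA request; the root dictates them.
copy_extensions = none
crl_extensions = crl_ext # CRL extensions
default_md = sha256 # Signature digest
default_days = 3653 # 10 years for the sub-CA certificate (override with -days)
default_crl_days = 365 # Next CRL is due within a year
email_in_dn = no # Don't put the email address in the DN
preserve = no # Don't keep the CSR's DN ordering
# Subject DN display options. (The original listed this key twice, once with a
# garbled comment; duplicate removed.)
name_opt = $name_opt
# Allow several certificates with the same subject, e.g. when re-issuing the sub-CA.
unique_subject = no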
####################################################################
[ generic_policy ]
# NOTE(review): this section is not referenced anywhere in the file, and it is
# not a valid 'openssl ca' policy section: policy values must be match, supplied
# or optional, whereas these are DN literals (only commonName is valid). It reads
# like a DN template that was mislabelled; either delete it or rewrite it as a
# policy such as [signing_policy] below.
countryName = US
stateOrProvinceName = California
localityName = Pacifica
organizationName = Mydomain
organizationalUnitName = domestic
commonName = supplied
emailAddress = deft@mydomain.name
####################################################################
[ ca_distinguished_name ]
# Interactive DN template for the root's 'openssl req' (no 'prompt = no' here,
# so each field is prompted for with the *_default value offered). The order of
# the fields here is the order they take in the subject.
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Pacifica
organizationName = Organization Name (eg, company)
organizationName_default= Mydomain
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = ca-root.mydomain.org
emailAddress = Email Address
emailAddress_default = deft@mydomain.name
####################################################################
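[ ca_extensions ]
# Profile for the self-signed root certificate (via [req] x509_extensions) and,
# by default, for anything the root signs with 'openssl ca' (via [ca_default]
# x509_extensions), i.e. the sub-CA certificate. Everything issued from this
# section is a CA; it must never be used for end-entity certificates.
# NOTE(review): no pathlen is set, so a sub-CA issued from here may itself issue
# further CAs. Add pathlen:N if the hierarchy depth is meant to be fixed.
basicConstraints = critical, CA:true
# A CA key signs certificates and CRLs. keyEncipherment is an end-entity (TLS
# key-exchange) usage that the original granted needlessly; removed. Marked
# critical so relying parties reject other uses of this key.
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
# NOTE(review): an EKU on a CA certificate is treated by several validators as a
# constraint on what the CA may issue. Keep it only if this hierarchy is meant to
# issue TLS server certificates exclusively; otherwise drop it.
extendedKeyUsage = serverAuth
# Revocation pointers come from the [default] URLs so they are defined once.
# The original hard-coded http://ca-root.mydomain.org/crl/mydomain.crl.pem and
# http://ca-root.mydomain.org:8083, which disagree with crl_url / ocsp_url;
# publish the CRL at $crl_url and run the responder at $ocsp_url, or fix those
# variables.
crlDistributionPoints = @crl_info
authorityInfoAccess = OCSP;URI:$ocsp_url, caIssuers;URI:$aia_url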
####################################################################
[ signing_policy ]
# Permissive subject policy: only the CN is mandatory, nothing has to match the
# CA's own DN. Select it with 'openssl ca -policy signing_policy' or with
# policy = signing_policy in [ca_default]. Fields not listed here are removed
# from the issued subject.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
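[ signing_req ]
# End-entity profile, selected with 'openssl ca -extensions signing_req'. In a
# two-tier hierarchy the root should not issue end-entity certificates at all;
# the section is kept for completeness.
# Explicit CA:FALSE so this profile cannot yield a CA certificate by omission.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Revocation pointers from the [default] URLs. The original profile had none,
# so relying parties could not locate this CA's CRL or OCSP responder.
crlDistributionPoints = @crl_info
authorityInfoAccess = OCSP;URI:$ocsp_url, caIssuers;URI:$aia_url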
####################################################################
[ crl_ext ]
# Extensions added to every CRL the root issues (crl_extensions = crl_ext).
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
# Copies the issuer's subjectAltName, if it has one; the root DN template
# above requests none, so this is expected to add nothing.
issuerAltName = issuer:copy
####################################################################
[ issuer_info ]
# AIA content for CRLs (referenced from [crl_ext]): where to fetch the issuing
# CA's certificate. Keep this to caIssuers; the OCSP pointer belongs in the
# certificate profiles, not in the CRL.
caIssuers;URI.0 = $aia_url
####################################################################
[ crl_info ]
# CRL distribution point for certificate profiles, as
# crlDistributionPoints = @crl_info. Not referenced in the original file, whose
# profiles hard-code a different URL instead.
URI.0 = $crl_url
# ===== File 2: subordinate CA configuration =====
# This must be a separate file. If it were concatenated onto the root config as
# shown here, the repeated [default], [req], [ca] and [ca_extensions] sections
# would override the root's values (e.g. default_ca would become ca_sub).
HOME = .
# This is our sub-CA
####################################################################
[ default ]
# File-wide variables for the sub-CA ($name lookups fall back to this section).
# NOTE(review): the CA is named ca-sub-toblerone here, the DN template below
# uses commonName ca-sub.mydomain.org, and the certificate/key files are named
# toblerone.mydomain.org_*; pick one name for the sub-CA.
ca = ca-sub-toblerone.mydomain.org # CA name
base_url = http://toblerone.mydomain.org # CA base URL
aia_url = $base_url/$ca.cer # CA certificate URL
crl_url = $base_url/$ca.crl # Certificate Revocation List distribution point
# NOTE(review): unused by [ca_extensions] below, which hard-codes the root's
# CRL and OCSP URLs instead of this CA's.
ocsp_url = http://ocsp-signer.mydomain.org # OCSP responder URL
dir = /opt/public_key_infrastructure_plant/alt_local/pki/CA-sub # The root dir of the CA configuration
name_opt = multiline, -esc_msb, utf8 # Display UTF-8 characters
####################################################################
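[ req ]
# Settings for 'openssl req' when generating the sub-CA key and its CSR
# (non-interactive: prompt = no with the literal DN in ca_distinguished_name).
default_bits = 4096 # RSA key size
default_md = sha256 # CSR signature digest
# Write the key where [ca_sub] private_key expects it (the original set no
# default_keyfile, so the key landed in the current working directory).
default_keyfile = $dir/private/toblerone.mydomain.org_key_certificate-authority-sub_authenticate.key
distinguished_name = ca_distinguished_name # DN template
# The original had encrypt_key = no under the comment "Protect private key": the
# sub-CA key would have been written to disk in the clear. Keep it encrypted; for
# unattended runs pass the passphrase with -passout / -passin (or hold the key in
# an HSM) rather than disabling encryption.
encrypt_key = yes
prompt = no # Take the DN from ca_distinguished_name verbatim
req_extensions = ca_reqext # Extensions requested in the CSR
string_mask = utf8only # Emit UTF-8 strings
utf8 = yes # Input is UTF-8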
####################################################################
[ ca ]
# Section 'openssl ca' reads unless -name is given.
default_ca = ca_sub
####################################################################
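[ ca_sub ]
# Settings for 'openssl ca' when the sub-CA issues certificates.
# Paths are built from $dir ([default]); they expand to exactly the absolute
# paths the original spelled out.
certificate = $dir/certs/toblerone.mydomain.org_certificate-authority-sub_authenticate.crt # The sub-CA cert, as issued by the root
private_key = $dir/private/toblerone.mydomain.org_key_certificate-authority-sub_authenticate.key # Must not be readable by anyone but the CA operator
database = $dir/ca.db.index # The certificate database a.k.a. index file
new_certs_dir = $dir/ca.db.certs # Certificate archive
serial = $dir/ca.db.serial # Also used by the OCSP responder
RANDFILE = $dir/ca.db.rand
# Default extension profile. The original pointed this at ca_extensions, which
# carries CA:true, so a plain 'openssl ca' run handed whoever submitted the CSR a
# CA certificate. Default to the end-entity profile and select ca_extensions
# explicitly (-extensions ca_extensions) only when a further sub-CA is intended.
x509_extensions = signing_req
# copy_extensions = copy: extensions present in the CSR that the chosen profile
# does not set are copied into the certificate unchanged. This is what carries
# the requester's SANs, but it also means the profile must set basicConstraints
# itself, and the CSR should be inspected before signing.
copy_extensions = copy
crl_extensions = crl_ext # CRL extensions
policy = match_pol # Subject policy, see [match_pol]
default_md = sha256 # Signature digest
# 3653 days (10 years) is applied to EVERY certificate signed without -days,
# server certificates included; override per issuance.
default_days = 3653
default_crl_days = 365 # Next CRL is due within a year
email_in_dn = no # Don't put the email address in the DN
preserve = no # Don't keep the CSR's DN ordering
# Subject DN display options. (The original listed this key twice; duplicate removed.)
name_opt = $name_opt
# Allow several certificates with the same subject, e.g. renewals.
unique_subject = no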
####################################################################
[ match_pol ]
# Subject policy for certificates the sub-CA issues (policy = match_pol above).
# match: the CSR value must equal the sub-CA's own; supplied: must be present;
# optional: kept if present. Fields not listed (here emailAddress) are removed
# from the issued subject.
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
####################################################################
[ generic_policy ]
# NOTE(review): not referenced anywhere in this file, and not a valid 'openssl
# ca' policy section: policy values must be match, supplied or optional, whereas
# these are DN literals (only commonName is valid). Delete it or rewrite it as a
# real policy like [match_pol].
countryName = US
stateOrProvinceName = California
localityName = Pacifica
organizationName = Mydomain
organizationalUnitName = domestic
commonName = supplied
emailAddress = deft@mydomain.name
####################################################################
[ ca_distinguished_name ]
# Literal subject for the sub-CA's CSR (prompt = no in [req]); field order is
# the order in the DN.
# NOTE(review): commonName here (ca-sub.mydomain.org) differs from the CA name
# in [default] (ca-sub-toblerone.mydomain.org) and from the certificate/key file
# names (toblerone.mydomain.org_*). Also countryName and organizationName must
# equal the root's values, since the root signs with [ca_default]'s policy.
countryName = US
stateOrProvinceName = California
localityName = Pacifica
organizationName = Mydomain
commonName = ca-sub.mydomain.org
emailAddress = postmaster@mydomain.name
####################################################################
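[ ca_extensions ]
# Profile for issuing a FURTHER subordinate CA from this sub-CA. Everything
# produced from this section is a CA, so never use it as the default profile for
# server certificates; select it explicitly with -extensions ca_extensions.
basicConstraints = critical, CA:true
# A CA key signs certificates and CRLs; the end-entity keyEncipherment usage the
# original granted is removed, and the extension is marked critical.
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
# NOTE(review): an EKU on a CA certificate is treated by several validators as a
# constraint on what the CA may issue; keep it only if that is intended.
extendedKeyUsage = serverAuth
# Revocation pointers must name THIS CA's CRL and responder. The original copied
# the root's values (http://ca-root.mydomain.org/crl/mydomain.crl.pem and
# http://ca-root.mydomain.org:8083), but a CRL is only valid for certificates
# whose issuer signed it, so revocation of anything the sub-CA issued could not
# be checked. The [default] URLs of this file are used instead.
crlDistributionPoints = @crl_info
authorityInfoAccess = OCSP;URI:$ocsp_url, caIssuers;URI:$aia_url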
####################################################################
[ signing_policy ]
# Permissive alternative to [match_pol]: only the CN is mandatory and nothing
# has to match the CA's DN. Not referenced in this file ([ca_sub] uses
# match_pol); select it with 'openssl ca -policy signing_policy'.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
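[ signing_req ]
# End-entity (TLS server) profile: 'openssl ca -extensions signing_req'.
# Explicit CA:FALSE: with copy_extensions = copy in [ca_sub], any extension the
# CSR carries and this profile does not set is copied into the certificate, so a
# CSR asserting basicConstraints = CA:true would otherwise have been honoured.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# Scope the certificate to the use this hierarchy is built for.
extendedKeyUsage = serverAuth
# The subject alternative names come from the requester's CSR (copied by
# copy_extensions = copy). The original set subjectAltName = @alternate_names
# here, which stamped the sub-CA's own hostnames and IP into every issued
# certificate in place of the requester's names.
# Revocation pointers for this CA, from the [default] URLs.
crlDistributionPoints = @crl_info
authorityInfoAccess = OCSP;URI:$ocsp_url, caIssuers;URI:$aia_url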
####################################################################
[ ca_reqext ]
# Extensions placed in the sub-CA's own CSR (req_extensions = ca_reqext). The
# root config above signs with copy_extensions = none, so these are advisory
# only: the issued sub-CA certificate carries the root's [ca_extensions] instead.
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature
subjectAltName = @alternate_names
####################################################################
[ crl_ext ]
# Extensions added to every CRL the sub-CA issues (crl_extensions = crl_ext).
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
# Copies the issuer's subjectAltName into the CRL; the sub-CA requests one via
# [ca_reqext], but whether the root kept it depends on the root's signing config.
issuerAltName = issuer:copy
####################################################################
[ issuer_info ]
# AIA content for CRLs (referenced from [crl_ext]): where to fetch the sub-CA's
# certificate. Keep this to caIssuers; the OCSP pointer belongs in the
# certificate profiles, not in the CRL.
caIssuers;URI.0 = $aia_url
####################################################################
[ crl_info ]
# This CA's CRL distribution point for certificate profiles, as
# crlDistributionPoints = @crl_info. Not referenced in the original file, whose
# profiles hard-code the root's CRL URL instead.
URI.0 = $crl_url
####################################################################
[ alternate_names ]
# Subject alternative names for the sub-CA's OWN certificate request
# ([ca_reqext]). Do not reference this section from an issuing profile: a
# subjectAltName set in the profile takes precedence over the one in the
# requester's CSR, so every certificate the sub-CA issued would carry these
# names (the original [signing_req] did exactly that).
IP = 192.168.0.8
DNS.1 = ca-sub.mydomain.org
DNS.2 = toblerone.mydomain.org