openssl.cnf file for the Intermediate CA
#
# OpenSSL configuration file for the intermediate CA.
# It is read by "openssl ca" when issuing certificates and CRLs from the
# intermediate, and by "openssl req" when generating certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
# RANDFILE is ignored by OpenSSL 1.1.1 and later (the CSPRNG seeds itself);
# on older releases it only names a seed file and is harmless either way.
RANDFILE = $ENV::HOME/.rnd
# OIDs defined below become usable by name in the rest of this file
# (the [ tsa_config1 ] policies reference them).
oid_section = new_oids
[ new_oids ]
# NOTE(review): 1.2.3.4.* look like the stock OpenSSL example values, not an
# arc this organisation owns — replace them before any TSA policy is
# advertised, or relying parties will trust a meaningless identifier.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
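[ ca ]
# Entry point for "openssl ca"; selects the CA profile below.
default_ca = CA_default
[ CA_default ]
# Root of the intermediate CA's on-disk state. Keep private/ at mode 0700 and
# the key file at 0600 (better: passphrase-protect the key or keep it in an HSM).
dir = /root/ca/puppet
certs = $dir/certs
crl_dir = $dir/crl
# Issuance database. "openssl ca" defaults to unique_subject = yes, so a second
# certificate for a DN that is still valid in this file is refused until the
# earlier one is revoked — confirm that matches the intended renewal flow.
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/puppet.cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
# Where generated CRLs are written; informational for "openssl ca" itself.
crl = $crl_dir/puppet.crl.pem
crl_extensions = crl_ext
private_key = $dir/private/puppet.cakey.pem
# Ignored by OpenSSL 1.1.1 and later; harmless on older releases.
RANDFILE = $dir/private/.rand
# Extension profile stamped onto every certificate this CA issues.
x509_extensions = usr_cert
# Display options used when "openssl ca" shows a certificate for confirmation.
name_opt = ca_default
cert_opt = ca_default
# Validity of issued certificates, in days.
default_days = 365
# CRL validity, in days. A new CRL must be published before the current one
# lapses or relying parties that check revocation will start rejecting certs.
default_crl_days = 30
default_md = sha256
preserve = no
# policy_anything requires only a commonName; every other DN component is
# taken verbatim from the CSR. Switch to policy_match if this intermediate must
# only issue within its own country / state / organisation.
policy = policy_anything
[ policy_match ]
# Strict profile: C, ST and O must equal the CA certificate's own values.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
# Permissive profile (selected above): only a commonName is mandatory.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Defaults for "openssl req" (CSR generation and self-signed certificates).
default_bits = 4096
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Only consulted by "req -x509" (self-signed). A CSR for this intermediate is
# normally signed by the root, which applies its own CA extension profile.
x509_extensions = v3_ca
# utf8only replaces the deprecated nombstr mask: DN strings are encoded as
# UTF8String (or PrintableString), as RFC 5280 requires, instead of falling
# back to T61String for anything outside the printable ASCII set.
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# Optionally, specify some defaults.
# countryName_default =
# stateOrProvinceName_default=
# localityName_default =
# 0.organizationName_default =
# organizationalUnitName_default =
# emailAddress_default = admin@yourdomain.com
[ req_attributes ]
# The challenge password is stored in the CSR in clear text and nothing in
# this file's CA sections checks it; leave the prompt empty rather than
# reusing a real credential here.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# Profile for end-entity certificates issued by this intermediate CA.
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Constrain what the issued key may be used for; same set as the v3_req CSR
# profile, marked critical as in v3_intermediate_ca. Without a keyUsage an
# issued certificate is valid for any purpose the CA never intended.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# NOTE(review): if these certificates are only ever used for TLS, also set
# extendedKeyUsage = serverAuth, clientAuth — confirm against the consumers first.
# CRL location advertised to relying parties. This is an X.509 extension and
# belongs in the x509_extensions profile: inside [ CA_default ] "openssl ca"
# silently ignores it and issued certificates carry no CRL pointer at all.
crlDistributionPoints = URI:https://example.com/crl/intermediate.crl.pem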
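[ v3_req ]
# Extensions placed in a CSR ("req -reqexts v3_req"). The issuing CA's
# x509_extensions profile decides what actually ends up in the certificate.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Self-signed CA profile used by "req -x509" (selected in [ req ]).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
# RFC 5280 4.2.1.3 requires keyUsage on any certificate whose key signs other
# certificates or CRLs; same set as v3_intermediate_ca below.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Profile a root CA applies when signing this intermediate's CSR.
# pathlen:0 stops the intermediate from issuing further CA certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ crl_ext ]
# Extensions added to CRLs signed by this CA (see crl_extensions in [ CA_default ]).
authorityKeyIdentifier = keyid:always
[ proxy_cert_ext ]
# Proxy-certificate (RFC 3820) profile. Not referenced by any CA section in
# this file, and "policy:foo" is the stock OpenSSL placeholder — replace it with
# a real policy OID, or delete this section, before proxy certificates are used.
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo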
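[ tsa ]
# "openssl ts" (timestamping authority) configuration. Not used by "openssl ca";
# only relevant if this host also answers timestamp requests.
default_tsa = tsa_config1
[ tsa_config1 ]
# TSA root directory. Still the stock OpenSSL placeholder, unlike the CA above
# which lives under /root/ca/puppet — point it at a real, access-controlled path
# before use.
dir = ./demoCA
# The current serial number (mandatory).
serial = $dir/tsaserial
# OpenSSL engine to use for signing.
crypto_device = builtin
signer_cert = $dir/tsacert.pem
certs = $dir/cacert.pem
# The TSA private key (optional).
signer_key = $dir/private/tsakey.pem
# Policy OIDs are the names defined in [ new_oids ]; those look like example
# values and should be replaced with an arc this organisation owns.
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
# Message-imprint digests accepted in requests. SHA-1 is deliberately excluded:
# a timestamp over a collision-prone digest can be transferred to any document
# that collides with the one originally submitted.
digests = sha256, sha384, sha512
# Claimed accuracy of the issued timestamps (optional).
accuracy = secs:1, millisecs:500, microsecs:100
clock_precision_digits = 0
ordering = yes
tsa_name = yes
ess_cert_id_chain = no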