script/ekca/intermed-ca.cnf - third_party/github.com/tpm2-software/tpm2-tss - Git at Google

 #
 # OpenSSL configuration for the Intermediate Certification Authority.
 #

 #
 # This definition doesn't work if HOME isn't defined.
 CA_HOME                 = .
 RANDFILE                = $ENV::CA_HOME/private/.rnd
 oid_section             = new_oids

 #
 # XMPP address Support
 [ new_oids ]
 xmppAddr          = 1.3.6.1.5.5.7.8.5
 dnsSRV            = 1.3.6.1.5.5.7.8.7

 #
 # Default Certification Authority
 [ ca ]
 default_ca              = intermed_ca

 #
 # Intermediate Certification Authority
 [ intermed_ca ]
 dir                     = $ENV::CA_HOME
 certs                   = $dir/certs
 serial                  = $dir/intermed-ca.serial
 database                = $dir/intermed-ca.index
 new_certs_dir           = $dir/newcerts
 certificate             = $dir/intermed-ca.cert.pem
 private_key             = $dir/private/intermed-ca.key.pem
 default_days            = 730 # Two years
 crl                     = $dir/crl/intermed-ca.crl
 crl_dir                 = $dir/crl
 crlnumber               = $dir/intermed-ca.crlnum
 name_opt                = multiline, align
 cert_opt                = no_pubkey
 copy_extensions         = copy
 crl_extensions          = crl_ext
 default_crl_days        = 30
 default_md              = sha256
 preserve                = no
 email_in_dn             = no
 policy                  = policy
 unique_subject          = no

 #
 # Distinguished Name Policy
 [ policy ]
 countryName             = optional
 stateOrProvinceName     = optional
 localityName            = optional
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = supplied

 #
 # Distinguished Name Policy for Personal Certificates
 [ user_policy ]
 countryName             = supplied
 stateOrProvinceName     = optional
 localityName            = supplied
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = supplied
 #xmppAddr               = optional # Added to SubjAltName by req

 #
 # Intermediate CA request options
 [ req ]
 default_bits            = 2048
 default_keyfile         = private/intermed-ca.key.pem
 encrypt_key             = yes
 default_md              = sha256
 string_mask             = utf8only
 utf8                    = yes
 prompt                  = no
 req_extensions          = req_ext
 distinguished_name      = distinguished_name
 subjectAltName          = subject_alt_name

 #
 # Intermediate CA Request Extensions
 [ req_ext ]
 subjectKeyIdentifier    = hash
 subjectAltName          = @subject_alt_name

 #
 # Distinguished Name (DN)
 [ distinguished_name ]
 organizationName        = tpm2-software
 commonName              = intermed ek ca

 #
 # Server Certificate Extensions
 [ server_ext ]
 basicConstraints        = CA:FALSE
 keyUsage                = critical, digitalSignature, keyEncipherment
 extendedKeyUsage        = critical, serverAuth, clientAuth
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always
 issuerAltName           = issuer:copy
 authorityInfoAccess     = @auth_info_access
 crlDistributionPoints   = crl_dist

 #
 # Client Certificate Extensions
 [ client_ext ]
 basicConstraints        = CA:FALSE
 keyUsage                = critical, digitalSignature
 extendedKeyUsage        = critical, clientAuth
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always
 issuerAltName           = issuer:copy
 authorityInfoAccess     = @auth_info_access
 crlDistributionPoints   = crl_dist

 #
 # User Certificate Extensions
 [ user_ext ]
 basicConstraints        = CA:FALSE
 keyUsage                = critical, digitalSignature
 extendedKeyUsage        = critical, clientAuth, emailProtection
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always
 issuerAltName           = issuer:copy
 authorityInfoAccess     = @auth_info_access
 crlDistributionPoints   = crl_dist

 #
 # CRL Certificate Extensions
 [ crl_ext ]
 authorityKeyIdentifier  = keyid:always
 issuerAltName           = issuer:copy

 #
 # Certificate Authorities Alternative Names
 [ subject_alt_name ]
 URI                     = http://ca.example.net/
 email                   = certmaster@example.net

 #
 # Certificate download addresses for the intermediate CA
 [ auth_info_access ]
 caIssuers;URI           = INTERMEDCRT

 #
 # CRL Download address for the intermediate CA
 [ crl_dist ]
 fullname                = INTERMEDCRL

 # EOF
	#
	# OpenSSL configuration for the Intermediate Certification Authority.
	#

	#
	# This definition doesn't work if HOME isn't defined.
	CA_HOME = .
	RANDFILE = $ENV::CA_HOME/private/.rnd
	oid_section = new_oids

	#
	# XMPP address Support
	[ new_oids ]
	xmppAddr = 1.3.6.1.5.5.7.8.5
	dnsSRV = 1.3.6.1.5.5.7.8.7

	#
	# Default Certification Authority
	[ ca ]
	default_ca = intermed_ca

	#
	# Intermediate Certification Authority
	[ intermed_ca ]
	dir = $ENV::CA_HOME
	certs = $dir/certs
	serial = $dir/intermed-ca.serial
	database = $dir/intermed-ca.index
	new_certs_dir = $dir/newcerts
	certificate = $dir/intermed-ca.cert.pem
	private_key = $dir/private/intermed-ca.key.pem
	default_days = 730 # Two years
	crl = $dir/crl/intermed-ca.crl
	crl_dir = $dir/crl
	crlnumber = $dir/intermed-ca.crlnum
	name_opt = multiline, align
	cert_opt = no_pubkey
	copy_extensions = copy
	crl_extensions = crl_ext
	default_crl_days = 30
	default_md = sha256
	preserve = no
	email_in_dn = no
	policy = policy
	unique_subject = no

	#
	# Distinguished Name Policy
	[ policy ]
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied

	#
	# Distinguished Name Policy for Personal Certificates
	[ user_policy ]
	countryName = supplied
	stateOrProvinceName = optional
	localityName = supplied
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = supplied
	#xmppAddr = optional # Added to SubjAltName by req

	#
	# Intermediate CA request options
	[ req ]
	default_bits = 2048
	default_keyfile = private/intermed-ca.key.pem
	encrypt_key = yes
	default_md = sha256
	string_mask = utf8only
	utf8 = yes
	prompt = no
	req_extensions = req_ext
	distinguished_name = distinguished_name
	subjectAltName = subject_alt_name

	#
	# Intermediate CA Request Extensions
	[ req_ext ]
	subjectKeyIdentifier = hash
	subjectAltName = @subject_alt_name

	#
	# Distinguished Name (DN)
	[ distinguished_name ]
	organizationName = tpm2-software
	commonName = intermed ek ca

	#
	# Server Certificate Extensions
	[ server_ext ]
	basicConstraints = CA:FALSE
	keyUsage = critical, digitalSignature, keyEncipherment
	extendedKeyUsage = critical, serverAuth, clientAuth
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always
	issuerAltName = issuer:copy
	authorityInfoAccess = @auth_info_access
	crlDistributionPoints = crl_dist

	#
	# Client Certificate Extensions
	[ client_ext ]
	basicConstraints = CA:FALSE
	keyUsage = critical, digitalSignature
	extendedKeyUsage = critical, clientAuth
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always
	issuerAltName = issuer:copy
	authorityInfoAccess = @auth_info_access
	crlDistributionPoints = crl_dist

	#
	# User Certificate Extensions
	[ user_ext ]
	basicConstraints = CA:FALSE
	keyUsage = critical, digitalSignature
	extendedKeyUsage = critical, clientAuth, emailProtection
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always
	issuerAltName = issuer:copy
	authorityInfoAccess = @auth_info_access
	crlDistributionPoints = crl_dist

	#
	# CRL Certificate Extensions
	[ crl_ext ]
	authorityKeyIdentifier = keyid:always
	issuerAltName = issuer:copy

	#
	# Certificate Authorities Alternative Names
	[ subject_alt_name ]
	URI = http://ca.example.net/
	email = certmaster@example.net

	#
	# Certificate download addresses for the intermediate CA
	[ auth_info_access ]
	caIssuers;URI = INTERMEDCRT

	#
	# CRL Download address for the intermediate CA
	[ crl_dist ]
	fullname = INTERMEDCRL

	# EOF