| # |
| # OpenSSL configuration for the Intermediate Certification Authority. |
| # |
| |
| # |
| # This definition doesn't work if HOME isn't defined. |
| CA_HOME = . |
| RANDFILE = $ENV::CA_HOME/private/.rnd |
| oid_section = new_oids |
| |
| # |
| # XMPP address Support |
| [ new_oids ] |
| xmppAddr = 1.3.6.1.5.5.7.8.5 |
| dnsSRV = 1.3.6.1.5.5.7.8.7 |
| |
| # |
| # Default Certification Authority |
| [ ca ] |
| default_ca = intermed_ca |
| |
| # |
| # Intermediate Certification Authority |
| [ intermed_ca ] |
| dir = $ENV::CA_HOME |
| certs = $dir/certs |
| serial = $dir/intermed-ca.serial |
| database = $dir/intermed-ca.index |
| new_certs_dir = $dir/newcerts |
| certificate = $dir/intermed-ca.cert.pem |
| private_key = $dir/private/intermed-ca.key.pem |
| default_days = 730 # Two years |
| crl = $dir/crl/intermed-ca.crl |
| crl_dir = $dir/crl |
| crlnumber = $dir/intermed-ca.crlnum |
| name_opt = multiline, align |
| cert_opt = no_pubkey |
| copy_extensions = copy |
| crl_extensions = crl_ext |
| default_crl_days = 30 |
| default_md = sha256 |
| preserve = no |
| email_in_dn = no |
| policy = policy |
| unique_subject = no |
| |
| # |
| # Distinguished Name Policy |
| [ policy ] |
| countryName = optional |
| stateOrProvinceName = optional |
| localityName = optional |
| organizationName = optional |
| organizationalUnitName = optional |
| commonName = supplied |
| |
| # |
| # Distinguished Name Policy for Personal Certificates |
| [ user_policy ] |
| countryName = supplied |
| stateOrProvinceName = optional |
| localityName = supplied |
| organizationName = optional |
| organizationalUnitName = optional |
| commonName = supplied |
| emailAddress = supplied |
| #xmppAddr = optional # Added to SubjAltName by req |
| |
| # |
| # Intermediate CA request options |
| [ req ] |
| default_bits = 2048 |
| default_keyfile = private/intermed-ca.key.pem |
| encrypt_key = yes |
| default_md = sha256 |
| string_mask = utf8only |
| utf8 = yes |
| prompt = no |
| req_extensions = req_ext |
| distinguished_name = distinguished_name |
| subjectAltName = subject_alt_name |
| |
| # |
| # Intermediate CA Request Extensions |
| [ req_ext ] |
| subjectKeyIdentifier = hash |
| subjectAltName = @subject_alt_name |
| |
| # |
| # Distinguished Name (DN) |
| [ distinguished_name ] |
| organizationName = tpm2-software |
| commonName = intermed ek ca |
| |
| # |
| # Server Certificate Extensions |
| [ server_ext ] |
| basicConstraints = CA:FALSE |
| keyUsage = critical, digitalSignature, keyEncipherment |
| extendedKeyUsage = critical, serverAuth, clientAuth |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always |
| issuerAltName = issuer:copy |
| authorityInfoAccess = @auth_info_access |
| crlDistributionPoints = crl_dist |
| |
| # |
| # Client Certificate Extensions |
| [ client_ext ] |
| basicConstraints = CA:FALSE |
| keyUsage = critical, digitalSignature |
| extendedKeyUsage = critical, clientAuth |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always |
| issuerAltName = issuer:copy |
| authorityInfoAccess = @auth_info_access |
| crlDistributionPoints = crl_dist |
| |
| # |
| # User Certificate Extensions |
| [ user_ext ] |
| basicConstraints = CA:FALSE |
| keyUsage = critical, digitalSignature |
| extendedKeyUsage = critical, clientAuth, emailProtection |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always |
| issuerAltName = issuer:copy |
| authorityInfoAccess = @auth_info_access |
| crlDistributionPoints = crl_dist |
| |
| # |
| # CRL Certificate Extensions |
| [ crl_ext ] |
| authorityKeyIdentifier = keyid:always |
| issuerAltName = issuer:copy |
| |
| # |
| # Certificate Authorities Alternative Names |
| [ subject_alt_name ] |
| URI = http://ca.example.net/ |
| email = certmaster@example.net |
| |
| # |
| # Certificate download addresses for the intermediate CA |
| [ auth_info_access ] |
| caIssuers;URI = INTERMEDCRT |
| |
| # |
| # CRL Download address for the intermediate CA |
| [ crl_dist ] |
| fullname = INTERMEDCRL |
| |
| # EOF |