4 # Defaults in the event they're not set in the environment
# These assignments sit in the unnamed default section. OpenSSL falls back to
# them when a $ENV::NAME expansion further down finds no such environment
# variable; that fallback only works because they are defined before first use.
# CA_NAME holds the name of the distinguished-name section that [req] reads.
2 CA_DIR    = out
3 KEY_SIZE  = 2048
4 ALGO      = sha256
5 CERT_TYPE = root
6 CA_NAME   = req_env_dn
# Entry section for `openssl ca`. default_ca picks the CA section used when no
# -name is given on the command line; preserve = yes keeps the subject DN in
# the order the request supplied it rather than the policy section's order.
8 [ca]
9 default_ca = CA_root
10 preserve   = yes
12 # The default test root, used to generate certificates and CRLs.
13 [CA_root]
# key_size, algo, cert_type and type are helper variables: in this file they
# are used only to build the $type stem of the file names below. Their values
# come from the environment, or from the defaults at the top of the file.
14 dir           = $ENV::CA_DIR
15 key_size      = $ENV::KEY_SIZE
16 algo          = $ENV::ALGO
17 cert_type     = $ENV::CERT_TYPE
18 type          = $key_size-$algo-$cert_type
19 database      = $dir/$type-index.txt
20 new_certs_dir = $dir
21 serial        = $dir/$type-serial
# The CA certificate and its private key sit side by side under $dir. [req]
# sets encrypt_key = no, so a key generated through that section is written
# without a passphrase; $dir should stay a throwaway, access-restricted test
# directory.
22 certificate   = $dir/$type.pem
23 private_key   = $dir/$type.key
24 RANDFILE      = $dir/.rand
# Issued certificates are valid for 3650 days (about ten years); each CRL
# announces its next update 30 days out.
25 default_days     = 3650
26 default_crl_days = 30
# The signing digest is pinned to sha256 here; ALGO does not change it.
27 default_md       = sha256
# policy_anything makes every DN field optional, and unique_subject = no lets
# several valid certificates share the same subject.
28 policy           = policy_anything
29 unique_subject   = no
# copy_extensions = copy carries over any extension from the CSR that the
# selected extension section does not already set (subjectAltName, for
# example), so the requester controls those values. That suits requests built
# by the test scripts themselves; it is not a setting to reuse for signing
# CSRs from other parties.
30 copy_extensions  = copy
32 [user_cert]
33 # Extensions to add when signing a request for an EE cert
# CA:false (critical) keeps the certificate from acting as an issuer, and
# extendedKeyUsage limits it to TLS server and client authentication.
# authorityKeyIdentifier = keyid:always makes signing fail if the issuer has
# no subjectKeyIdentifier to copy. No keyUsage extension is set.
# NOTE(review): nothing in this file points x509_extensions at this section;
# presumably the scripts select it with -extensions. Confirm against them.
34 basicConstraints       = critical, CA:false
35 subjectKeyIdentifier   = hash
36 authorityKeyIdentifier = keyid:always
37 extendedKeyUsage       = serverAuth,clientAuth
39 [name_constraint_bad]
40 # A leaf cert that will violate the root's imposed name constraints
# Same profile as [user_cert] plus a subjectAltName taken from the section
# named after the "@". In this file the only nameConstraints are set by
# [ca_cert] (the intermediate profile), not by the root's [req_ca_exts].
# NOTE(review): no [san_name_constraint_bad] section appears in this listing,
# so signing with this profile would presumably fail until one is defined.
# Confirm where it is meant to come from.
41 basicConstraints       = critical, CA:false
42 subjectKeyIdentifier   = hash
43 authorityKeyIdentifier = keyid:always
44 extendedKeyUsage       = serverAuth,clientAuth
45 subjectAltName         = @san_name_constraint_bad
47 [ca_cert]
48 # Extensions to add when signing a request for an intermediate/CA cert
# CA:true without a pathlen value, so the depth of the chain below an
# intermediate is not bounded. keyUsage is limited to certificate and CRL
# signing. The authorityKeyIdentifier line is commented out, so intermediates
# carry no AKI.
49 basicConstraints       = critical, CA:true
50 subjectKeyIdentifier   = hash
51 #authorityKeyIdentifier = keyid:always
52 keyUsage               = critical, keyCertSign, cRLSign
# NOTE(review): the same key is assigned three times. OpenSSL's config loader
# keeps one value per key within a section, so presumably only the last line
# (www.example.com) reaches the certificate. Confirm with `openssl x509 -text`
# on a generated intermediate. If all three names are meant to be permitted,
# they belong in a single comma-separated value.
# The extension is also not marked critical. RFC 5280 (4.2.1.10) expects CAs
# to mark nameConstraints critical; a validator that does not implement the
# extension will skip a non-critical one instead of rejecting the chain.
53 nameConstraints        = permitted;DNS:mail.example.com
54 nameConstraints        = permitted;DNS:mail.example.org
55 nameConstraints        = permitted;DNS:www.example.com
57 [crl_extensions]
58 # Extensions to add when signing a CRL
# keyid:always copies the issuer's subjectKeyIdentifier into the CRL and makes
# CRL generation fail if the issuer certificate has none.
# NOTE(review): [CA_root] has no crl_extensions key, so this section is
# presumably selected with -crlexts on the command line. Confirm.
59 authorityKeyIdentifier = keyid:always
61 [policy_anything]
62 # Default signing policy
# Every listed field is optional, so the CA performs no check on the subject
# DN of a request: whatever name the CSR carries is what gets signed. There
# are no "match" or "supplied" requirements tying a subject to the CA's own
# name.
63 countryName            = optional
64 stateOrProvinceName    = optional
65 localityName           = optional
66 organizationName       = optional
67 organizationalUnitName = optional
68 commonName             = optional
69 emailAddress           = optional
71 [req]
72 # The request section used to generate the root CA certificate. This should
73 # not be used to generate end-entity certificates. For certificates other
74 # than the root CA, see README to find the appropriate configuration file
75 # (ie: openssl_cert.cnf).
# default_bits follows KEY_SIZE (2048 unless the environment overrides it).
76 default_bits       = $ENV::KEY_SIZE
77 default_md         = sha256
78 string_mask        = utf8only
# prompt = no takes the subject straight from the distinguished_name section
# instead of asking interactively.
79 prompt             = no
# encrypt_key = no writes the generated private key without a passphrase.
# For the root key of a test CA that keeps scripts non-interactive, but the
# key file is then protected only by file-system permissions.
80 encrypt_key        = no
# CA_NAME chooses the DN section; its default at the top of the file is
# req_env_dn. x509_extensions applies [req_ca_exts] to a self-signed
# certificate produced from this section.
81 distinguished_name = $ENV::CA_NAME
82 x509_extensions    = req_ca_exts
# Subject of the root certificate: a single commonName and no other DN
# fields. [req] reaches this section through CA_NAME, whose default is
# req_env_dn.
84 [req_env_dn]
85 CN = QUIC Server Root CA
# Extensions for the self-signed root, referenced by x509_extensions in [req].
# CA:true carries no pathlen value, so the root does not limit chain depth.
# keyUsage restricts the key to certificate and CRL signing. No
# nameConstraints are set at the root level.
87 [req_ca_exts]
88 basicConstraints       = critical, CA:true
89 keyUsage               = critical, keyCertSign, cRLSign
90 subjectKeyIdentifier   = hash