Blame - conf/CA/openssl.conf - onap/aaf/authz

blob: abb2892fb44826f11d45f1ab7f46f20ba775b0ff [file] [log] [blame]

Instrumental	7a1817b	2018-11-05 11:11:15 -0600	[diff] [blame]	1	#!/bin/bash
				2	#########
				3	# ============LICENSE_START====================================================
				4	# org.onap.aaf
				5	# ===========================================================================
				6	# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
				7	# ===========================================================================
				8	# Licensed under the Apache License, Version 2.0 (the "License");
				9	# you may not use this file except in compliance with the License.
				10	# You may obtain a copy of the License at
				11	#
				12	# http://www.apache.org/licenses/LICENSE-2.0
				13	#
				14	# Unless required by applicable law or agreed to in writing, software
				15	# distributed under the License is distributed on an "AS IS" BASIS,
				16	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				17	# See the License for the specific language governing permissions and
				18	# limitations under the License.
				19	# ============LICENSE_END====================================================
				20	#
Instrumental	31d847e	2018-03-26 14:17:19 -0700	[diff] [blame]	21	# OpenSSL root CA configuration file.
				22	# Copy to `/opt/app/osaaf/CA/openssl.cnf`.
				23
				24	[ ca ]
				25	# `man ca`
				26	default_ca = CA_default
				27
				28	[ CA_default ]
				29	# Directory and file locations.
				30	dir = .
				31	certs = $dir/certs
				32	crl_dir = $dir/crl
				33	new_certs_dir = $dir/newcerts
				34	database = $dir/index.txt
				35	serial = $dir/serial
				36	RANDFILE = $dir/private/.rand
				37
				38	# The root key and root certificate.
				39	private_key = $dir/private/ca.key
				40	certificate = $dir/certs/ca.crt
				41
				42	# For certificate revocation lists.
				43	crlnumber = $dir/crlnumber
				44	crl = $dir/crl/ca.crl.pem
				45	crl_extensions = crl_ext
				46	default_crl_days = 30
				47
				48	# SHA-1 is deprecated, so use SHA-2 instead.
				49	default_md = sha256
				50
				51	name_opt = ca_default
				52	cert_opt = ca_default
				53	default_days = 60
				54	preserve = no
				55	policy = policy_strict
				56
				57	[ policy_strict ]
				58	# The root CA should only sign intermediate certificates that match.
				59	# See the POLICY FORMAT section of `man ca`.
				60	countryName = match
				61	stateOrProvinceName = optional
				62	organizationName = match
				63	organizationalUnitName = supplied
				64	commonName = supplied
				65
				66	[ policy_loose ]
				67	# Allow the intermediate CA to sign a more diverse range of certificates.
				68	# See the POLICY FORMAT section of the `ca` man page.
				69	countryName = optional
				70	stateOrProvinceName = optional
				71	localityName = optional
				72	organizationName = optional
				73	organizationalUnitName = optional
				74	commonName = supplied
				75	emailAddress = optional
				76
				77	[ req ]
				78	# Options for the `req` tool (`man req`).
				79	default_bits = 2048
				80	distinguished_name = req_distinguished_name
				81	string_mask = utf8only
				82
				83	# SHA-1 is deprecated, so use SHA-2 instead.
				84	default_md = sha256
				85
				86	# Extension to add when the -x509 option is used.
				87	x509_extensions = v3_ca
				88
				89	[ req_distinguished_name ]
				90	# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
				91	countryName = Country Name (2 letter code)
				92	stateOrProvinceName = State or Province Name
				93	localityName = Locality Name
				94	0.organizationName = Organization Name
				95	organizationalUnitName = Organizational Unit Name
				96	commonName = Common Name
				97	emailAddress = Email Address
				98
				99	# Optionally, specify some defaults.
				100	countryName_default =
				101	stateOrProvinceName_default =
				102	localityName_default =
				103	0.organizationName_default =
				104	organizationalUnitName_default =
				105	emailAddress_default =
				106
				107	[ v3_ca ]
				108	# Extensions for a typical CA (`man x509v3_config`).
				109	subjectKeyIdentifier = hash
				110	authorityKeyIdentifier = keyid:always,issuer
				111	basicConstraints = critical, CA:true
				112	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
				113
				114	[ v3_intermediate_ca ]
				115	# Extensions for a typical intermediate CA (`man x509v3_config`).
				116	subjectKeyIdentifier = hash
				117	authorityKeyIdentifier = keyid:always,issuer
				118	basicConstraints = critical, CA:true, pathlen:0
				119	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
				120
				121	[ usr_cert ]
				122	# Extensions for client certificates (`man x509v3_config`).
				123	basicConstraints = CA:FALSE
				124	nsCertType = client, email
				125	nsComment = "OpenSSL Generated Client Certificate"
				126	subjectKeyIdentifier = hash
				127	authorityKeyIdentifier = keyid,issuer
				128	keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
				129	extendedKeyUsage = clientAuth, emailProtection
				130
				131	[ server_cert ]
				132	# Extensions for server certificates (`man x509v3_config`).
				133	basicConstraints = CA:FALSE
				134	nsCertType = server, client
				135	nsComment = "OpenSSL Generated Server Certificate"
				136	subjectKeyIdentifier = hash
				137	authorityKeyIdentifier = keyid,issuer:always
				138	keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
				139	extendedKeyUsage = serverAuth, clientAuth
				140
				141	[ crl_ext ]
				142	# Extension for CRLs (`man x509v3_config`).
				143	authorityKeyIdentifier=keyid:always
				144
				145	[ ocsp ]
				146	# Extension for OCSP signing certificates (`man ocsp`).
				147	basicConstraints = CA:FALSE
				148	subjectKeyIdentifier = hash
				149	authorityKeyIdentifier = keyid,issuer
				150	keyUsage = critical, digitalSignature
				151	extendedKeyUsage = critical, OCSPSigning