Blame - cfg/cacert.cnf - onap/oom/offline-installer

blob: a6917ca9bce36db2be213fa3993b5540714c875c [file] [log] [blame]

Samuli Silvius	f5534d8	2018-12-21 16:08:09 +0200	[diff] [blame]	1	[ ca ]
				2	# `man ca`
				3	default_ca = CA_default
				4
				5	[ CA_default ]
				6	# Directory and file locations.
				7	dir = ./
				8	certs = $dir/certs
				9	crl_dir = $dir/crl
				10	new_certs_dir = $dir/newcerts
				11	database = $dir/index.txt
				12	serial = $dir/serial
				13	RANDFILE = $dir/private/.rand
				14
				15	# The root key and root certificate.
				16	private_key = $dir/private/ca.key.pem
				17	certificate = $dir/certs/ca.cert.pem
				18
				19	# For certificate revocation lists.
				20	crlnumber = $dir/crlnumber
				21	crl = $dir/crl/ca.crl.pem
				22	crl_extensions = crl_ext
				23	default_crl_days = 30
				24
				25	# SHA-1 is deprecated, so use SHA-2 instead.
				26	default_md = sha256
				27
				28	name_opt = ca_default
				29	cert_opt = ca_default
				30	default_days = 3750
				31	preserve = no
				32	policy = policy_strict
				33
				34	[ policy_strict ]
				35	# The root CA should only sign intermediate certificates that match.
				36	# See the POLICY FORMAT section of `man ca`.
				37	countryName = match
				38	organizationName = match
				39	commonName = supplied
				40
				41	[ policy_loose ]
				42	# Allow the intermediate CA to sign a more diverse range of certificates.
				43	# See the POLICY FORMAT section of the `ca` man page.
				44	countryName = optional
				45	localityName = optional
				46	organizationName = optional
				47	commonName = supplied
				48
				49	[ req ]
				50	# Options for the `req` tool (`man req`).
				51	default_bits = 4096
				52	distinguished_name = req_distinguished_name
				53	string_mask = utf8only
				54	prompt = no
				55
				56	# SHA-1 is deprecated, so use SHA-2 instead.
				57	default_md = sha256
				58
				59	# Extension to add when the -x509 option is used.
				60	x509_extensions = v3_ca
				61
				62	[ req_distinguished_name ]
				63	# Optionally, specify some defaults.
				64	countryName = PL
				65	localityName = Krakow
				66	organizationName = Samsung
				67	commonName = onap
				68
				69	[ v3_ca ]
				70	# Extensions for a typical CA (`man x509v3_config`).
				71	subjectKeyIdentifier = hash
				72	authorityKeyIdentifier = keyid:always,issuer
				73	basicConstraints = critical, CA:true
				74	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
				75
				76	[ v3_intermediate_ca ]
				77	# Extensions for a typical intermediate CA (`man x509v3_config`).
				78	subjectKeyIdentifier = hash
				79	authorityKeyIdentifier = keyid:always,issuer
				80	basicConstraints = critical, CA:true, pathlen:0
				81	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
				82
				83	[ usr_cert ]
				84	# Extensions for client certificates (`man x509v3_config`).
				85	basicConstraints = CA:FALSE
				86	nsCertType = client, email
				87	nsComment = "OpenSSL Generated Client Certificate"
				88	subjectKeyIdentifier = hash
				89	authorityKeyIdentifier = keyid,issuer
				90	keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
				91	extendedKeyUsage = clientAuth, emailProtection
				92
				93	[ server_cert ]
				94	# Extensions for server certificates (`man x509v3_config`).
				95	basicConstraints = CA:FALSE
				96	nsCertType = server
				97	nsComment = "OpenSSL Generated Server Certificate"
				98	subjectKeyIdentifier = hash
				99	authorityKeyIdentifier = keyid,issuer:always
				100	keyUsage = critical, digitalSignature, keyEncipherment
				101	extendedKeyUsage = serverAuth
				102
				103	[ crl_ext ]
				104	# Extension for CRLs (`man x509v3_config`).
				105	authorityKeyIdentifier=keyid:always
				106
				107	[ ocsp ]
				108	# Extension for OCSP signing certificates (`man ocsp`).
				109	basicConstraints = CA:FALSE
				110	subjectKeyIdentifier = hash
				111	authorityKeyIdentifier = keyid,issuer
				112	keyUsage = critical, digitalSignature
				113	extendedKeyUsage = critical, OCSPSigning