OpenSSL -- Software CA Configuration File

Aus RZ-Amper Wiki
Version vom 10. Juni 2020, 22:35 Uhr von WikiSysop (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „Create the file using vi text editor. Here are the basics needed for this exercise (edit as needed): <br /> /usr/local/etc/PKI/etc/tls-ca.conf # RZ-Amper S…“)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Zur Navigation springen Zur Suche springen

Create the file using vi text editor. Here are the basics needed for this exercise (edit as needed):
/usr/local/etc/PKI/etc/tls-ca.conf

# RZ-Amper Software CA

[ default ]
ca                      = software-ca                              # CA name
dir                     = .                                        # Top dir
base_url                = http://www.rz-amper.de/trust-center      # CA base URL
aia_url                 = $base_url/index.php?stage=dl_tlscer      # CA certificate URL
crl_url                 = $base_url/index.php?stage=dl_tlscrl      # CRL distribution point
name_opt                = multiline,-esc_msb,utf8                  # Display UTF-8 characters

# CA certificate request
[ req ]
default_bits            = 2048                  # RSA key size
encrypt_key             = yes                   # Protect private key
default_md              = sha1                  # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = no                    # Don't prompt for DN
distinguished_name      = ca_dn                 # DN section
req_extensions          = ca_reqext             # Desired extensions

[ ca_dn ]
countryName             = "NO"
organizationName        = "Green AS"
organizationalUnitName  = "Green Certificate Authority"
commonName              = "Green Software CA"

[ ca_reqext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true,pathlen:0
subjectKeyIdentifier    = hash

# CA operational settings
[ ca ]
default_ca              = software_ca           # The default CA section

[ software_ca ]
certificate             = $dir/ca/$ca.crt       # The CA cert
private_key             = $dir/ca/$ca/private/$ca.key # CA private key
new_certs_dir           = $dir/ca/$ca           # Certificate archive
serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
database                = $dir/ca/$ca/db/$ca.db # Index file
unique_subject          = no                    # Require unique subject
default_days            = 1826                  # How long to certify for
default_md              = sha1                  # MD to use
policy                  = match_pol             # Default naming policy
email_in_dn             = no                    # Add email to cert DN
preserve                = no                    # Keep passed DN ordering
name_opt                = $name_opt             # Subject DN display options
cert_opt                = ca_default            # Certificate display options
copy_extensions         = copy                  # Copy extensions from CSR
x509_extensions         = codesign_ext          # Default cert extensions
default_crl_days        = 30                    # How long before next CRL
crl_extensions          = crl_ext               # CRL extensions

[ match_pol ]
countryName             = match                 # Must match 'NO'
stateOrProvinceName     = optional              # Included if present
localityName            = optional              # Included if present
organizationName        = match                 # Must match 'Green AS'
organizationalUnitName  = optional              # Included if present
commonName              = supplied              # Must be present

[ any_pol ]
domainComponent         = optional
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

# Extensions
[ codesign_ext ]
keyUsage                = critical,digitalSignature
basicConstraints        = CA:false
extendedKeyUsage        = critical,codeSigning
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
authorityInfoAccess     = @issuer_info
crlDistributionPoints   = @crl_info

[ crl_ext ]
authorityKeyIdentifier  = keyid:always
authorityInfoAccess     = @issuer_info

[ issuer_info ]
caIssuers;URI.0         = $aia_url

[ crl_info ]
URI.0                   = $crl_url