Changeset 45:7ecc7152123b in freeDiameter for contrib/ca_script2/openssl.cnf

Timestamp:

Nov 26, 2009, 6:31:48 PM (14 years ago)

Author:

Sebastien Decugis <sdecugis@nict.go.jp>

Branch:

default

Phase:

public

Message:

Work in progress

File:

• contrib/ca_script2/openssl.cnf (modified) (4 diffs)

contrib/ca_script2/openssl.cnf

@@ -1 @@
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
+# Note: for this file to be working, an environment var CA_ROOT_DIR = directory 
+# must be defined and pointing to the CA top-level directory.
 
-# This definition stops the following lines choking if HOME isn't
-# defined.
 HOME                    = .
 RANDFILE                = $ENV::HOME/.rnd
 
-# Extra OBJECT IDENTIFIER info:
-#oid_file               = $ENV::HOME/.oid
 oid_section             = new_oids
-
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions            = 
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
 
 [ new_oids ]
 
-# We can add new OIDs in here for use by 'ca' and 'req'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
+
+####################################################################
+[ req ]
+default_bits            = 1024
+# default_keyfile       = privkey.pem
+string_mask             = utf8only
+
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+req_extensions          = v3_req    # overwrite with -reqexts
+x509_extensions         = ca_cert   # overwrite with -extensions; used for self-signed keys only
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = JP
+countryName_min                 = 2
+countryName_max                 = 2
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Tokyo
+localityName                    = Locality Name (eg, city)
+localityName_default            = Koganei
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = WIDE
+1.organizationName              = Second Organization Name (eg, company)
+1.organizationName_default      = NICT
+organizationalUnitName          = Organizational Unit Name (eg, section)
+organizationalUnitName_default  = AAA WG testbed
+
+[ req_attributes ]
+challengePassword               = A challenge password
+challengePassword_min           = 0
+challengePassword_max           = 20
+unstructuredName                = An optional company name
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_req_ca ]
+# Extensions to add to a certificate request for CA
+basicConstraints = CA:TRUE
+
 
 ####################################################################
@@ -32 +57 @@
 default_ca      = CA_default            # The default ca section
 
-####################################################################
 [ CA_default ]
 
-dir             = /etc/openssl-ca       # Where everything is kept
+dir             = $ENV::CA_ROOT_DIR     # Where everything is kept
 certs           = $dir/certs            # Where the issued certs are kept
 crl_dir         = $dir/crl              # Where the issued crl are kept
@@ -45 +69 @@
 certificate     = $dir/public-www/cacert.pem    # The CA certificate
 serial          = $dir/serial           # The current serial number
-# crlnumber     = $dir/crlnumber        # the current crl number
-                                        # must be commented out to leave a V1 CRL
+crlnumber       = $dir/crlnumber        # the current crl number
 crl             = $dir/public-www/crl.pem               # The current CRL
-private_key     = $dir/private/cakey.pem# The private key
-RANDFILE        = $dir/private/.rand    # private random number file
-
+private_key     = $dir/private/cakey.pem        # The private key
 x509_extensions = usr_cert              # The extentions to add to the cert
-
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
+                                        # overwrite with -extensions
 name_opt        = ca_default            # Subject Name options
 cert_opt        = ca_default            # Certificate field options
+crl_extensions  = crl_ext
 
-# Extension copying option: use with caution.
-# copy_extensions = copy
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions        = crl_ext
-
-default_days    = 365                   # how long to certify for
-default_crl_days= 30                    # how long before next CRL
+default_days    = 3650                  # how long to certify for
+default_crl_days= 365                   # how long before next CRL
 default_md      = sha1                  # which md to use.
 preserve        = no                    # keep passed DN ordering
 
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-# policy                = policy_match
+# We accept to sign anything, but a real deployment would limit to proper domain etc...
 policy                  = policy_anything
 
-# For the CA policy
-[ policy_match ]
-countryName             = match
-stateOrProvinceName     = match
-organizationName        = match
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
 [ policy_anything ]
 countryName             = optional
@@ -98 +95 @@
 emailAddress            = optional
 
-####################################################################
-[ req ]
-default_bits            = 1024
-default_keyfile         = privkey.pem
-distinguished_name      = req_distinguished_name
-attributes              = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = fdsecret
-# output_password = fdsecret
-
-# This sets a mask for permitted string types. There are several options. 
-# default: PrintableString, T61String, BMPString.
-# pkix   : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = utf8only
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = JP
-countryName_min                 = 2
-countryName_max                 = 2
-
-stateOrProvinceName             = State or Province Name (full name)
-stateOrProvinceName_default     = Tokyo
-
-localityName                    = Locality Name (eg, city)
-localityName_default            = Koganei
-
-0.organizationName              = Organization Name (eg, company)
-0.organizationName_default      = WIDE
-
-# we can do this but it is not needed normally :-)
-1.organizationName              = Second Organization Name (eg, company)
-1.organizationName_default      = NICT
-
-organizationalUnitName          = Organizational Unit Name (eg, section)
-organizationalUnitName_default  = AAA WG
-
-commonName                      = Common Name (i.e. Diameter Agent hostname)
-commonName_max                  = 64
-
-emailAddress                    = Email Address (i.e. Diameter agent administrator)
-emailAddress_max                = 64
-
-# SET-ex3                       = SET extension number 3
-
-[ req_attributes ]
-challengePassword               = A challenge password
-challengePassword_min           = 0
-challengePassword_max           = 20
-
-unstructuredName                = An optional company name
-
 [ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
 basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType                    = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment                       = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-
+[ ca_cert ]
 # Extensions for a typical CA
-
-
-# PKIX recommendation.
-
 subjectKeyIdentifier=hash
-
 authorityKeyIdentifier=keyid:always,issuer:always
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
+basicConstraints = critical,CA:true  # Remove "critical," in case of problems
+keyUsage = cRLSign, keyCertSign
 # subjectAltName=email:copy
 # Copy issuer details
 # issuerAltName=issuer:copy
 
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
 [ crl_ext ]
-
 # CRL extensions.
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
 
-[ proxy_cert_ext ]
-# These extensions should be added when creating a proxy certificate
 
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType                    = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment                       = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This really needs to be in place for it to be a proxy certificate.
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo