228 lines
6.5 KiB
INI
228 lines
6.5 KiB
INI
# openssl.cnf - OpenSSL configuration file for the ZHW PKI
|
|
# Mario Strasser <mario.strasser@zhwin.ch>
|
|
#
|
|
|
|
# This definitions were set by the ca_init script DO NOT change
|
|
# them manualy.
|
|
CAHOME = /etc/openssl/rfc3779
|
|
RANDFILE = $CAHOME/.rand
|
|
|
|
# Extra OBJECT IDENTIFIER info:
|
|
oid_section = new_oids
|
|
|
|
[ new_oids ]
|
|
SmartcardLogin = 1.3.6.1.4.1.311.20.2
|
|
ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
|
|
|
|
####################################################################
|
|
|
|
[ ca ]
|
|
default_ca = root_ca # The default ca section
|
|
|
|
####################################################################
|
|
|
|
[ root_ca ]
|
|
|
|
dir = $CAHOME
|
|
certs = $dir/certs # Where the issued certs are kept
|
|
crl_dir = $dir/crl # Where the issued crl are kept
|
|
database = $dir/index.txt # database index file.
|
|
new_certs_dir = $dir/newcerts # default place for new certs.
|
|
|
|
certificate = $dir/strongswanCert.pem # The CA certificate
|
|
serial = $dir/serial # The current serial number
|
|
crl = $dir/crl.pem # The current CRL
|
|
crlnumber = $dir/crlnumber # The current CRL serial number
|
|
private_key = $dir/strongswanKey.pem # The private key
|
|
RANDFILE = $dir/.rand # private random number file
|
|
|
|
x509_extensions = host_ext # The extensions to add to the cert
|
|
|
|
crl_extensions = crl_ext # The extensions to add to the CRL
|
|
|
|
default_days = 1820 # how long to certify for
|
|
default_crl_days= 30 # how long before next CRL
|
|
default_md = sha256 # which md to use.
|
|
preserve = no # keep passed DN ordering
|
|
email_in_dn = no # allow/forbid EMail in DN
|
|
|
|
policy = policy_match # specifying how similar the request must look
|
|
|
|
####################################################################
|
|
|
|
# the 'match' policy
|
|
[ policy_match ]
|
|
countryName = match
|
|
stateOrProvinceName = optional
|
|
localityName = optional
|
|
organizationName = match
|
|
organizationalUnitName = optional
|
|
userId = optional
|
|
serialNumber = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
|
|
# the 'anything' policy
|
|
[ policy_anything ]
|
|
countryName = optional
|
|
stateOrProvinceName = optional
|
|
localityName = optional
|
|
organizationName = optional
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
|
|
####################################################################
|
|
|
|
[ req ]
|
|
default_bits = 1024
|
|
default_keyfile = privkey.pem
|
|
distinguished_name = req_distinguished_name
|
|
attributes = req_attributes
|
|
x509_extensions = ca_ext # The extensions to add to the self signed cert
|
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
|
|
|
|
|
# This sets a mask for permitted string types. There are several options.
|
|
# default: PrintableString, T61String, BMPString.
|
|
# pkix : PrintableString, BMPString.
|
|
# utf8only: only UTF8Strings.
|
|
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
|
# MASK:XXXX a literal mask value.
|
|
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
|
# so use this option with caution!
|
|
string_mask = nombstr
|
|
|
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
|
|
|
####################################################################
|
|
|
|
[ req_distinguished_name ]
|
|
countryName = Country Name (2 letter code)
|
|
countryName_default = CH
|
|
countryName_min = 2
|
|
countryName_max = 2
|
|
|
|
#stateOrProvinceName = State or Province Name (full name)
|
|
#stateOrProvinceName_default = ZH
|
|
|
|
#localityName = Locality Name (eg, city)
|
|
#localityName_default = Winterthur
|
|
|
|
organizationName = Organization Name (eg, company)
|
|
organizationName_default = Linux strongSwan
|
|
|
|
0.organizationalUnitName = Organizational Unit Name (eg, section)
|
|
0.organizationalUnitName_default = RFC3779
|
|
|
|
#1.organizationalUnitName = Type (eg, Staff)
|
|
#1.organizationalUnitName_default = Staff
|
|
|
|
#userId = UID
|
|
|
|
commonName = Common Name (eg, YOUR name)
|
|
commonName_default = $ENV::COMMON_NAME
|
|
commonName_max = 64
|
|
|
|
#0.emailAddress = Email Address (eg, foo@bar.com)
|
|
#0.emailAddress_min = 0
|
|
#0.emailAddress_max = 40
|
|
|
|
#1.emailAddress = Second Email Address (eg, foo@bar.com)
|
|
#1.emailAddress_min = 0
|
|
#1.emailAddress_max = 40
|
|
|
|
####################################################################
|
|
|
|
[ req_attributes ]
|
|
|
|
####################################################################
|
|
|
|
[ host_ext ]
|
|
|
|
basicConstraints = CA:FALSE
|
|
keyUsage = digitalSignature, keyEncipherment, keyAgreement
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid, issuer:always
|
|
subjectAltName = DNS:$ENV::COMMON_NAME
|
|
#extendedKeyUsage = OCSPSigning
|
|
extendedKeyUsage = serverAuth
|
|
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl
|
|
|
|
sbgp-ipAddrBlock = critical, @host-addr-section
|
|
|
|
[host-addr-section]
|
|
|
|
#moon networks
|
|
#IPv4.0 = 192.168.0.1
|
|
#IPv4.1 = 10.1.0.0/16
|
|
#IPv6.0 = fec0::1
|
|
#IPv6.1 = fec1::/16
|
|
|
|
#sun networks
|
|
IPv4.0 = 192.168.0.2
|
|
IPv4.1 = 10.2.0.0/16
|
|
IPv6.0 = fec0::2
|
|
IPv6.1 = fec2::/16
|
|
|
|
####################################################################
|
|
|
|
[ user_ext ]
|
|
|
|
basicConstraints = CA:FALSE
|
|
keyUsage = digitalSignature, keyEncipherment, keyAgreement
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid, issuer:always
|
|
subjectAltName = email:$ENV::COMMON_NAME
|
|
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
|
|
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl
|
|
|
|
#sbgp-ipAddrBlock = critical, IPv4:192.168.0.0/24, IPv6:inherit
|
|
|
|
sbgp-ipAddrBlock = critical, @user-addr-section
|
|
|
|
[user-addr-section]
|
|
|
|
#carol networks
|
|
#IPv4.0 = 192.168.0.100
|
|
#IPv4.1 = 10.3.0.1
|
|
#IPv6.0 = fec0::10
|
|
|
|
#dave networks
|
|
IPv4.0 = 192.168.0.200
|
|
IPv4.1 = 10.3.0.2
|
|
IPv6.0 = fec0::20
|
|
|
|
####################################################################
|
|
|
|
[ ca_ext ]
|
|
|
|
basicConstraints = critical, CA:TRUE, pathlen:1
|
|
keyUsage = cRLSign, keyCertSign
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid, issuer:always
|
|
|
|
sbgp-ipAddrBlock = critical, @ca-addr-section
|
|
|
|
[ca-addr-section]
|
|
|
|
IPv4.0 = 192.168.0.0/24
|
|
IPv4.1 = 10.1.0.0/16
|
|
IPv4.2 = 10.2.0.0/16
|
|
IPv4.3 = 10.3.0.1 - 10.3.3.232
|
|
IPv6.0 = fec0::/16
|
|
IPv6.1 = fec1::/16
|
|
IPv6.2 = fec2::/16
|
|
|
|
####################################################################
|
|
|
|
[ crl_ext ]
|
|
|
|
# CRL extensions.
|
|
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
|
|
|
#issuerAltName = issuer:copy
|
|
authorityKeyIdentifier = keyid:always, issuer:always
|
|
|
|
# eof
|