Diffstat (limited to 'tests/ca.cnf')
-rw-r--r--tests/ca.cnf108
1 files changed, 108 insertions, 0 deletions
diff --git a/tests/ca.cnf b/tests/ca.cnf
new file mode 100644
index 0000000..ef5a9c9
--- /dev/null
+++ b/tests/ca.cnf
@@ -0,0 +1,108 @@
+[ ca ]
+default_ca = CA
+
+[ CA ]
+# Database
+dir = .
+certs = $dir/certs/
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+# Although we use $ openssl ca -rand_serial, this seems necessary.
+serial = $dir/serial
+RANDFILE = $dir/.rand
+
+private_key = $dir/ca.key
+certificate = $dir/ca.crt
+
+# CRL
+crlnumber = $dir/crlnumber
+crl = $dir/ca.crl
+crl_extensions = crl_ext
+# Root CA CRL: 1 year
+default_crl_days = 365
+
+# Cryptography
+default_md = sha512
+
+# Policy
+name_opt = ca_default
+cert_opt = ca_default
+# Intermediate CA: 10 years
+default_days = 3650
+preserve = no
+policy = policy_ca
+
+[ policy_ca ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 4096
+distinguished_name = req_dn
+string_mask = utf8only
+
+# s/sha512/sha256/, according to Jimmy (isrg uses sha256)
+default_md = sha256
+
+x509_extensions = extensions
+
+[ req_dn ]
+commonName = Common Name
+countryName = Country Name (2 letter code)
+# For simplicity
+#stateOrProvinceName = State or Province Name
+#localityName = Locality Name
+#0.organizationName = Organization Name
+# CAB Baseline (BR) v2.0.0
+# OU name must not present
+# Email address is not recommended (as per Jimmy)
+#organizationalUnitName = Organizational Unit Name
+#emailAddress = Email Address
+
+commonName_default = Test Root CA
+countryName_default = CA
+#stateOrProvinceName_default = British Columbia
+#localityName_default = Vancouver
+#0.organizationName_default = Yuuta Home
+#organizationalUnitName_default = IT
+#emailAddress_default = yuuta@yuuta.moe
+
+[ extensions ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+# Seems like it is completely unnecessary to put CRL and AIA in RootCA
+# because they point to the issuer's info.
+# crlDistributionPoints = crldp
+# Because I don't have a real OID
+#certificatePolicies = @polset
+# Seems like it is unnecessary.
+#authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
+
+[ extensions_sub ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen: 0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+crlDistributionPoints = crldp
+authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
+
+#[ polset ]
+#policyIdentifier = 1.3.6.1.4.1.191981.5.1.1
+#CPS.1 = "http://home.yuuta.moe/pki/policy"
+#userNotice.1 = @polset_notice
+#
+#[ polset_notice ]
+#explicitText = "This certificate authority is for internal use only."
+
+[ crldp ]
+fullname = URI:http://home.yuuta.moe/pki/rootca.crl
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
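Review bot: The `[ CA ]` section defines no `x509_extensions` key, so nothing in this file ties `[ extensions_sub ]` to certificates issued by `openssl ca`; unless every caller passes `-extensions extensions_sub`, OpenSSL falls back to emitting a V1 certificate with no extensions at all, i.e. an intermediate with no basicConstraints, no pathlen limit and no keyUsage restriction. Adding `x509_extensions = extensions_sub` under `# Policy` next to `policy = policy_ca` makes the profile self-contained and stops the section from reading as dead config. Presumably the test harness supplies the flag today; worth confirming. It would also help to record the intent of the omission of `copy_extensions` (defaults to none, so CSR-supplied extensions are not copied into issued certs) with a one-line comment such as `# copy_extensions intentionally unset: CSR extensions are ignored`, since that default is what keeps a requester from injecting its own CA:true.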