From 0bcc057e741af3fbc108f42b75f9d42f48f6a51e Mon Sep 17 00:00:00 2001
From: Yuuta Liang
Date: Sat, 14 Oct 2023 05:12:06 +0800
Subject: Implement the CA

Signed-off-by: Yuuta Liang
---
 tests/ca.cnf | 108 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 tests/ca.cnf

(limited to 'tests/ca.cnf')

diff --git a/tests/ca.cnf b/tests/ca.cnf
new file mode 100644
index 0000000..ef5a9c9
--- /dev/null
+++ b/tests/ca.cnf
@@ -0,0 +1,108 @@
+[ ca ]
+default_ca = CA
+
+[ CA ]
+# Database
+dir = .
+certs = $dir/certs/
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+# Although we use $ openssl ca -rand_serial, this seems necessary.
+serial = $dir/serial
+RANDFILE = $dir/.rand
+
+private_key = $dir/ca.key
+certificate = $dir/ca.crt
+
+# CRL
+crlnumber = $dir/crlnumber
+crl = $dir/ca.crl
+crl_extensions = crl_ext
+# Root CA CRL: 1 year
+default_crl_days = 365
+
+# Cryptography
+default_md = sha512
+
+# Policy
+name_opt = ca_default
+cert_opt = ca_default
+# Intermediate CA: 10 years
+default_days = 3650
+preserve = no
+policy = policy_ca
+
+[ policy_ca ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 4096
+distinguished_name = req_dn
+string_mask = utf8only
+
+# s/sha512/sha256/, according to Jimmy (isrg uses sha256)
+default_md = sha256
+
+x509_extensions = extensions
+
+[ req_dn ]
+commonName = Common Name
+countryName = Country Name (2 letter code)
+# For simplicity
+#stateOrProvinceName = State or Province Name
+#localityName = Locality Name
+#0.organizationName = Organization Name
+# CAB Baseline (BR) v2.0.0
+# OU name must not present
+# Email address is not recommended (as per Jimmy)
+#organizationalUnitName = Organizational Unit Name
+#emailAddress = Email Address
+
+commonName_default = Test Root CA
+countryName_default = CA
+#stateOrProvinceName_default = British Columbia
+#localityName_default = Vancouver
+#0.organizationName_default = Yuuta Home
+#organizationalUnitName_default = IT
+#emailAddress_default = yuuta@yuuta.moe
+
+[ extensions ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+# Seems like it is completely unnecessary to put CRL and AIA in RootCA
+# because they point to the issuer's info.
+# crlDistributionPoints = crldp
+# Because I don't have a real OID
+#certificatePolicies = @polset
+# Seems like it is unnecessary.
+#authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
+
+[ extensions_sub ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen: 0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+crlDistributionPoints = crldp
+authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
+
+#[ polset ]
+#policyIdentifier = 1.3.6.1.4.1.191981.5.1.1
+#CPS.1 = "http://home.yuuta.moe/pki/policy"
+#userNotice.1 = @polset_notice
+#
+#[ polset_notice ]
+#explicitText = "This certificate authority is for internal use only."
+
+[ crldp ]
+fullname = URI:http://home.yuuta.moe/pki/rootca.crl
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
-- 
cgit v1.2.3
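Review bot: `[ CA ]` never sets `x509_extensions`, so the `[ extensions_sub ]` profile (the `pathlen: 0` basicConstraints and the restricted `keyUsage`) is only applied when the operator remembers to pass `-extensions extensions_sub` to `openssl ca`; per the ca(1) documentation, when no extension section is in effect OpenSSL emits a V1 certificate carrying no basicConstraints or keyUsage at all. Adding `x509_extensions = extensions_sub` under `[ CA ]` makes the constrained intermediate profile the default while still allowing a command-line override, and leaving `copy_extensions` unset (default `none`) keeps CSR-supplied extensions from being carried into the issued certificate. `default_md` also diverges between `[ CA ]` (sha512) and `[ req ]` (sha256): the `s/sha512/sha256/` comment applies only to the self-signed root, so certificates and CRLs signed via `openssl ca` will use sha512 — either align the two or state the intended split in the comment. Nothing in the file says what `[ extensions_sub ]` is for; a line above it such as `# Extensions for the intermediate CA certificate; select with: openssl ca -extensions extensions_sub` would make the intent explicit.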