tests/ca.cnf


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100

[ ca ]
default_ca = CA

[ CA ]
# Database
dir		= .
certs		= $dir/certs/
crl_dir		= $dir/crl
new_certs_dir	= $dir/newcerts
database	= $dir/index.txt
# Although we use $ openssl ca -rand_serial, this seems necessary.
serial		= $dir/serial
RANDFILE	= $dir/.rand

private_key	= $dir/ca.key
certificate	= $dir/ca.crt

# Cryptography
default_md	= sha512

# Policy
name_opt	= ca_default
cert_opt	= ca_default
# Intermediate CA: 10 years
default_days	= 3650
preserve	= no
policy		= policy_ca

[ policy_ca ]
countryName		= optional
stateOrProvinceName	= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
default_bits		= 4096
distinguished_name	= req_dn
string_mask		= utf8only

# s/sha512/sha256/, according to Jimmy (isrg uses sha256)
default_md		= sha256

x509_extensions		= extensions

[ req_dn ]
commonName		= Common Name
countryName		= Country Name (2 letter code)
commonName_default		= Test Root CA
countryName_default		= CA

[ extensions ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer
basicConstraints	= critical, CA:true
keyUsage		= critical, digitalSignature, cRLSign, keyCertSign

[ extensions_sub_normal ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer
basicConstraints	= critical, CA:true
keyUsage		= critical, digitalSignature, cRLSign, keyCertSign

[ extensions_sub_basic_constraints_no ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer
keyUsage		= critical, digitalSignature, cRLSign, keyCertSign

[ extensions_sub_basic_constraints_wrong ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer
basicConstraints	= critical, CA:false
keyUsage		= critical, digitalSignature, cRLSign, keyCertSign

[ extensions_sub_key_usage_missing ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer
basicConstraints	= critical, CA:true

[ extensions_sub_key_usage_wrong_1 ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer
basicConstraints	= critical, CA:true
# No digitalSignature
keyUsage		= critical, cRLSign, keyCertSign

[ extensions_sub_key_usage_wrong_2 ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer
basicConstraints	= critical, CA:true
# No cRLSign
keyUsage		= critical, digitalSignature, keyCertSign

[ extensions_sub_key_usage_wrong_3 ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer
basicConstraints	= critical, CA:true
# No keyCertSign
keyUsage		= critical, digitalSignature, cRLSign