Attention: All pages of this wiki depend on the pages that come before them, in the order in which they are listed on the Main Page. Please check for Dependencies.
Please also look at What You Need to Know Before Using This Wiki
/var/CA/computerisms.com/computerisms.ssl.conf: Difference between revisions
m (1 revision) |
No edit summary |
||
Line 84: | Line 84: | ||
basicConstraints = CA:FALSE | basicConstraints = CA:FALSE | ||
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment ##Use this line for everything except CAs | #keyUsage = nonRepudiation, digitalSignature, keyEncipherment ##Use this line for everything except CAs | ||
#extendedKeyUsage = serverAuth ## Enable this line for VPN firewall certs | |||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign, cRLSign ## Use this line for CAs | keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign, cRLSign ## Use this line for CAs | ||
[ v3_ca ] | [ v3_ca ] |
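Review bot: The `#extendedKeyUsage = serverAuth` line in [ v3_req ] sits between the two alternative keyUsage lines, and the active one is the CA variant with `keyCertSign, cRLSign`. Enabling serverAuth for a VPN firewall certificate without also switching to the non-CA keyUsage line yields a request for a server certificate that also asks for certificate-signing rights. The full listing further down the page sets `copy_extensions = copy` and signs with [ usr_cert ], which defines no keyUsage of its own, so the requested bits would be carried into the issued certificate. I would make the dependency explicit in the comment, e.g. `## Enable for VPN firewall certs, together with the non-CA keyUsage line above`. The [ v3_req ] section begins above the lines shown in this diff.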
Latest revision as of 13:11, 10 June 2015
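# OpenSSL configuration for the Computerisms certificate authority.
# [ req ] and its extension sections are read by `openssl req`;
# [ ca ] / [ CA_default ] are read by `openssl ca`.

HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]

[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]
dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
# The CA signing key: anyone who can read this file can issue certificates
# under this CA, so keep the directory and file restricted to the CA operator.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
crl_extensions = crl_ext
# 3650 days applies to every certificate signed through this section unless
# a shorter period is given on the command line.
default_days = 3650 # how long to certify for
default_crl_days = 10 # how long before next CRL
# Was sha1. SHA-1 certificate signatures are rejected by current clients and
# are no longer collision resistant, so new certificates and CRLs are signed
# with SHA-256.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match
# "copy" carries extensions from the request into the issued certificate
# when the signing section does not set them itself. With
# x509_extensions = usr_cert that covers keyUsage, extendedKeyUsage and
# subjectAltName from the request, so inspect every request before signing.
copy_extensions = copy

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = default
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Yukon
localityName = Locality Name (eg, city)
localityName_default = Whitehorse
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Computerisms
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Administrator
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]

[ usr_cert ]
# Extensions the CA itself sets on issued certificates. Because
# basicConstraints is set here, a CA:TRUE value in a request is not copied.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
crlDistributionPoints = URI:http://crl.computerisms.com/Computerisms.Certificate.Authority.crl

[ usr_cert_has_san ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
crlDistributionPoints = URI:http://crl.computerisms.com/Computerisms.Certificate.Authority.crl

[ v3_req ]
# Extensions placed in a certificate request. The alternatives below are
# switched by commenting and uncommenting, depending on what is requested.
# NOTE(review): as written, the request asks for keyCertSign and cRLSign
# while also stating CA:FALSE. RFC 5280 does not allow keyCertSign without
# the CA flag. For a CA request set basicConstraints to CA:true; for every
# other request use the keyUsage line without the signing bits.
#subjectAltName = DNS:fqdn.computerisms.com ## use this for machines
subjectAltName = email:move ## use this for CA or person
basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment ##Use this line for everything except CAs
#extendedKeyUsage = serverAuth ## Enable this line for VPN firewall certs
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign, cRLSign ## Use this line for CAs

[ v3_ca ]
subjectAltName = email:move
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
crlDistributionPoints = URI:http://crl.computerisms.com/Computerisms.Certificate.Authority.crl

[ v3_ca_has_san ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
crlDistributionPoints = URI:http://crl.computerisms.com/Computerisms.Certificate.Authority.crl

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always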