libest/example/server/estExampleCA.cnf at 33fbd8d8221be3814efbf18d73df2de6c17b8c2f · cisco/libest · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
#
# This config file used as an Ugly Simple CA for EST demonstration purposes
#
# Normally one would replace the ESTserver callout scripts with scripts that
# talk to your own fully armed and operational CA. (e.g. something real with some
# meat behind it, not just some demo CA).
#

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
# Some of these values are duplicates of the settings in the estScript_variables.sh file (keep them in sync!)
dir            = ./estCA               # top dir (aka EST_OPENSSL_CADIR)
database       = $dir/index.txt        # index file (aka EST_OPENSSL_CADATABASE)
new_certs_dir  = $dir/newcerts         # new certs dir

certificate    = $dir/cacert.crt       # The CA cert (aka EST_OPENSSL_CACERT)
serial         = $dir/serial           # serial no file (aka EST_OPENSSL_CASERIAL)
private_key    = $dir/private/cakey.pem# CA private key (aka EST_OPENSSL_CAPRIVATE)
RANDFILE       = $dir/private/.rnd     # random number file

default_days   = 365                   # how long to certify for
default_crl_days= 30                   # how long before next CRL
default_md     =  sha1                 # md to use

policy         = policy_any            # default policy
email_in_dn    = no                    # Don't add the email into cert DN

name_opt       = ca_default            # Subject name display option
cert_opt       = ca_default            # Certificate display option
copy_extensions = none                 # Don't copy extensions from request
#copy_extensions = copyall              # copy all extensions from request
x509_extensions = client_cert          # The extensions to add to certs issued

# to enable a demo client to be run multiple time we DISABLE unique subject
# checking. This significantly reduces the security of this CA!!
unique_subject=no

# This policy applies to clients *and* it apples to the CA cert itself
[ policy_any ]
commonName              = supplied
serialNumber            = optional

# this section is used when issuing certs from simpleEnroll.sh
[ client_cert ]
# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
keyUsage=digitalSignature
crlDistributionPoints=URI:file:../server/estCA/crl.pem
# Add the id-kp-cmcRA usage.  This isn't defined in OpenSSL, so we
# Need to use the OID value
#extendedKeyUsage=critical,serverAuth,clientAuth,1.3.6.1.5.5.7.3.28

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
#authorityKeyIdentifier=keyid,issuer
authorityKeyIdentifier=keyid

[ req_distinguished_name ]
x509_extensions        = v3_ca

# estExample_setup.sh references this section for initial CA values
[ v3_ca ]
basicConstraints    = CA:TRUE
subjectKeyIdentifier=hash
crlDistributionPoints=URI:file:../server/estCA/crl.pem

[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
# NOTE: this must be the last section and last lines
# because the ESThandler_clientgenp10.sh extends this file for
# setting the challenge password attribute