Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
214 lines (177 sloc) 7.17 KB
## OpenSSL Configuration for PAM, Kerberos and VPN authentication
## REF: https://www.openssl.org/docs/man1.1.0/apps/config.html
## Environment (default)
OPENSSL_ROOT = "."
OPENSSL_RANDOM = "/dev/urandom"
OPENSSL_DIR_CA = ${ENV::OPENSSL_ROOT}/CA
OPENSSL_FILE_CA_KEY = ${ENV::OPENSSL_DIR_CA}/key.pem
OPENSSL_FILE_CA_CERT = ${ENV::OPENSSL_DIR_CA}/cert.pem
OPENSSL_FILE_CA_DATABASE = ${ENV::OPENSSL_DIR_CA}/database
OPENSSL_FILE_CA_SERIAL = ${ENV::OPENSSL_DIR_CA}/serial
OPENSSL_FILE_CA_CRLNUMBER = ${ENV::OPENSSL_DIR_CA}/crlnumber
OPENSSL_DIR_CA_CERTS = ${ENV::OPENSSL_DIR_CA}/certs
OPENSSL_DN_ORGANIZATIONALUNIT = "UNDEFINED::OPENSSL_DN_ORGANIZATIONALUNIT"
OPENSSL_DN_COMMONNAME = "UNDEFINED::OPENSSL_DN_COMMONNAME"
OPENSSL_EXT_SAN = "UNDEFINED::OPENSSL_EXT_SAN"
# ... Kerberos-specific
KERBEROS_REALM = ${ENV::OPENSSL_DN_ORGANIZATIONALUNIT}
# ... ActiveDirectory-specific
ACTIVEDIRECTORY_DOMAIN = ${ENV::OPENSSL_DN_ORGANIZATIONALUNIT}
## Initialization
openssl_conf = SSL_Configuration
[ SSL_Configuration ]
engines = SSL_Engines
## Engines
[ SSL_Engines ]
pkcs11 = ENG_PKCS11
# PKCS#11
# REF: https://github.com/OpenSC/libp11
[ ENG_PKCS11 ]
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
## Certificate authority (CA) <-> openssl ca ...
## REF: https://www.openssl.org/docs/man1.1.0/apps/ca.html
# OpenSSL entry point
[ ca ]
default_ca = CA_Certificate
# Certificate (CA-signed)
[ CA_Certificate ]
RANDFILE = ${ENV::OPENSSL_RANDOM}
# ... key pair
private_key = ${ENV::OPENSSL_FILE_CA_KEY}
certificate = ${ENV::OPENSSL_FILE_CA_CERT}
# ... database
database = ${ENV::OPENSSL_FILE_CA_DATABASE}
serial = ${ENV::OPENSSL_FILE_CA_SERIAL}
crlnumber = ${ENV::OPENSSL_FILE_CA_CRLNUMBER}
# ... certificates
new_certs_dir = ${ENV::OPENSSL_DIR_CA_CERTS}
unique_subject = yes
default_md = sha256
default_days = 365
name_opt = ca_default
cert_opt = ca_default
preserve = no
policy = CA_Certificate_Policy
copy_extensions = none
x509_extensions = CA_Client_Certificate_Extensions
string_mask = utf8only
utf8 = yes
# ... certificates revocation list (CRL)
default_crl_days = 7
crl_extensions = CA_CRL_Extensions
# Subject (distinguished name, DN) policy
[ CA_Certificate_Policy ]
#countryName = match
#stateOrProvinceName = match
#localityName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
# Extensions
# REF: https://www.openssl.org/docs/man1.1.0/apps/x509v3_config.html
# REF: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_generate_v3.html
# REF: http://k5wiki.kerberos.org/wiki/Pkinit_configuration
# REF: https://support.microsoft.com/en-us/help/281245/guidelines-for-enabling-smart-card-logon-with-third-party-certificatio
# DEBUG: openssl asn1parse -dump -strictpem -in <cert.pem>
# WARNING: order matters!
# ... client certificate (default)
[ CA_Client_Certificate_Extensions ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = clientAuth, 1.3.6.1.5.2.3.4, 1.3.6.1.4.1.311.20.2.2
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:SAN_Client_KerberosPrincipal, otherName:1.3.6.1.4.1.311.20.2.3;SEQUENCE:SAN_Client_ActiveDirectoryPrincipal, ${ENV::OPENSSL_EXT_SAN}
crlDistributionPoints = URI:http://example.org/pki/authentication-crl.der
nsCaPolicyUrl = http://example.org/pki/authentication-cp+cps.html
[ SAN_Client_KerberosPrincipal ]
realmName = EXPLICIT:0, GeneralString:${ENV::KERBEROS_REALM}
principalSequence = EXPLICIT:1, SEQUENCE:SAN_Client_KerberosPrincipalSequence
[ SAN_Client_KerberosPrincipalSequence ]
nameType = EXPLICIT:0, INTEGER:1
nameSequence = EXPLICIT:1, SEQUENCE:SAN_Client_KerberosPrincipalNames
[ SAN_Client_KerberosPrincipalNames ]
principalName = GeneralString:${ENV::OPENSSL_DN_COMMONNAME}
[ SAN_Client_ActiveDirectoryPrincipal ]
principalName = UTF8:${ENV::OPENSSL_DN_COMMONNAME}@${ENV::ACTIVEDIRECTORY_DOMAIN}
# ... Kerberos server (KDC) certificate
[ CA_KDC_Server_Certificate_Extensions ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:SAN_KDC_KerberosPrincipal,${ENV::OPENSSL_EXT_SAN}
crlDistributionPoints = URI:http://example.org/pki/authentication-crl.der
nsCaPolicyUrl = http://example.org/pki/authentication-cp+cps.html
[ SAN_KDC_KerberosPrincipal ]
realmName = EXPLICIT:0, GeneralString:${ENV::KERBEROS_REALM}
principalSequence = EXPLICIT:1, SEQUENCE:SAN_KDC_KerberosPrincipalSequence
[ SAN_KDC_KerberosPrincipalSequence ]
nameType = EXPLICIT:0, INTEGER:1
nameSequence = EXPLICIT:1, SEQUENCE:SAN_KDC_KerberosPrincipalNames
[ SAN_KDC_KerberosPrincipalNames ]
principalName1 = GeneralString:krbtgt
principalName2 = GeneralString:${ENV::KERBEROS_REALM}
# ... VPN server certificate
[ CA_VPN_Server_Certificate_Extensions ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://example.org/pki/authentication-crl.der
nsCaPolicyUrl = http://example.org/pki/authentication-cp+cps.html
# ... VPN (host) client certificate
[ CA_VPN_Client_Certificate_Extensions ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://example.org/pki/authentication-crl.der
nsCaPolicyUrl = http://example.org/pki/authentication-cp+cps.html
# ... certificates revocation list (CRL)
[ CA_CRL_Extensions ]
authorityKeyIdentifier = keyid:always
## Certificate signing request (CSR) <-> openssl req -new ...
## REF: https://www.openssl.org/docs/man1.1.0/apps/req.html
# OpenSSL entry point
[ req ]
RANDFILE = ${ENV::OPENSSL_RANDOM}
default_md = sha256
prompt = no
distinguished_name = REQ_Certificate_Subject
req_extensions = REQ_Certificate_Extensions
#x509_extensions = #no self-signed certificate default#
string_mask = utf8only
utf8 = yes
# Subject (distinguished name, DN)
[ REQ_Certificate_Subject ]
#countryName = "CH"
#stateOrProvinceName = "State"
#localityName = "City"
0.organizationName = "Example Corp."
organizationalUnitName = ${ENV::OPENSSL_DN_ORGANIZATIONALUNIT}
commonName = ${ENV::OPENSSL_DN_COMMONNAME}
# Extensions
# REF: https://www.openssl.org/docs/man1.1.0/apps/x509v3_config.html
# NOTE: Most CAs will ignore these and enforce their own ('copy_extensions = none')
# ... certificate (default)
[ REQ_Certificate_Extensions ]
basicConstraints = CA:FALSE
subjectAltName = ${ENV::OPENSSL_EXT_SAN}
# -> also see CA(-enforced) extensions
## Certificate (self-signed) <-> openssl req -new -x509 ...
## REF: https://www.openssl.org/docs/man1.1.0/apps/req.html
# Extensions
# REF: https://www.openssl.org/docs/man1.1.0/apps/x509v3_config.html
# WARNING: order matters!
# ... CA certificate
[ CA_Authority_Extensions ]
basicConstraints = critical,CA:TRUE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, keyCertSign, cRLSign
nsCaPolicyUrl = http://example.org/pki/authentication-cp+cps.html
You can’t perform that action at this time.