Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
166 lines (138 sloc) 4.95 KB
## OpenSSL Configuration for personal certificates (Digital IDs)
## REF: https://www.openssl.org/docs/man1.1.0/apps/config.html
## Environment (default)
OPENSSL_ROOT = "."
OPENSSL_RANDOM = "/dev/urandom"
OPENSSL_DIR_CA = ${ENV::OPENSSL_ROOT}/CA
OPENSSL_FILE_CA_KEY = ${ENV::OPENSSL_DIR_CA}/key.pem
OPENSSL_FILE_CA_CERT = ${ENV::OPENSSL_DIR_CA}/cert.pem
OPENSSL_FILE_CA_DATABASE = ${ENV::OPENSSL_DIR_CA}/database
OPENSSL_FILE_CA_SERIAL = ${ENV::OPENSSL_DIR_CA}/serial
OPENSSL_FILE_CA_CRLNUMBER = ${ENV::OPENSSL_DIR_CA}/crlnumber
OPENSSL_DIR_CA_CERTS = ${ENV::OPENSSL_DIR_CA}/certs
OPENSSL_DN_ORGANIZATIONALUNIT = "UNDEFINED::OPENSSL_DN_ORGANIZATIONALUNIT"
OPENSSL_DN_COMMONNAME = "UNDEFINED::OPENSSL_DN_COMMONNAME"
OPENSSL_DN_EMAILADDRESS = "UNDEFINED::OPENSSL_DN_EMAILADDRESS"
OPENSSL_DN_TITLE = "UNDEFINED::OPENSSL_DN_TITLE"
OPENSSL_EXT_SAN = "UNDEFINED::OPENSSL_EXT_SAN"
## Initialization
openssl_conf = SSL_Configuration
[ SSL_Configuration ]
engines = SSL_Engines
## Engines
[ SSL_Engines ]
pkcs11 = ENG_PKCS11
# PKCS#11
# REF: https://github.com/OpenSC/libp11
[ ENG_PKCS11 ]
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
## Certificate authority (CA) <-> openssl ca ...
## REF: https://www.openssl.org/docs/man1.1.0/apps/ca.html
# OpenSSL entry point
[ ca ]
default_ca = CA_Certificate
# Certificate (CA-signed)
[ CA_Certificate ]
RANDFILE = ${ENV::OPENSSL_RANDOM}
# ... key pair
private_key = ${ENV::OPENSSL_FILE_CA_KEY}
certificate = ${ENV::OPENSSL_FILE_CA_CERT}
# ... database
database = ${ENV::OPENSSL_FILE_CA_DATABASE}
serial = ${ENV::OPENSSL_FILE_CA_SERIAL}
crlnumber = ${ENV::OPENSSL_FILE_CA_CRLNUMBER}
# ... certificates
new_certs_dir = ${ENV::OPENSSL_DIR_CA_CERTS}
unique_subject = yes
default_md = sha256
default_days = 365
name_opt = ca_default
cert_opt = ca_default
preserve = no
email_in_dn = yes
policy = CA_Certificate_Policy
copy_extensions = none
x509_extensions = CA_Certificate_Extensions
string_mask = utf8only
utf8 = yes
# ... certificates revocation list (CRL)
default_crl_days = 7
crl_extensions = CA_CRL_Extensions
# Subject (distinguished name, DN) policy
[ CA_Certificate_Policy ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied
title = optional
# Extensions
# REF: https://www.openssl.org/docs/man1.1.0/apps/x509v3_config.html
# WARNING: order matters!
# ... certificate (default)
[ CA_Certificate_Extensions ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = emailProtection, clientAuth
subjectAltName = email:copy,${ENV::OPENSSL_EXT_SAN}
crlDistributionPoints = URI:http://example.org/pki/personal-crl.der
nsCaPolicyUrl = http://example.org/pki/personal-cp+cps.html
# ... certificates revocation list (CRL)
[ CA_CRL_Extensions ]
authorityKeyIdentifier = keyid:always
## Certificate signing request (CSR) <-> openssl req -new ...
## REF: https://www.openssl.org/docs/man1.1.0/apps/req.html
# OpenSSL entry point
[ req ]
RANDFILE = ${ENV::OPENSSL_RANDOM}
default_md = sha256
prompt = no
distinguished_name = REQ_Certificate_Subject
req_extensions = REQ_Certificate_Extensions
x509_extensions = X509_Certificate_Extensions
string_mask = utf8only
utf8 = yes
# Subject (distinguished name, DN)
[ REQ_Certificate_Subject ]
countryName = "CH"
stateOrProvinceName = "State"
localityName = "City"
0.organizationName = "Example Corp."
organizationalUnitName = ${ENV::OPENSSL_DN_ORGANIZATIONALUNIT}
commonName = ${ENV::OPENSSL_DN_COMMONNAME}
emailAddress = ${ENV::OPENSSL_DN_EMAILADDRESS}
title = ${ENV::OPENSSL_DN_TITLE}
# Extensions
# REF: https://www.openssl.org/docs/man1.1.0/apps/x509v3_config.html
# NOTE: Most CAs will ignore these and enforce their own ('copy_extensions = none')
# ... certificate (default)
[ REQ_Certificate_Extensions ]
basicConstraints = CA:FALSE
subjectAltName = email:copy,${ENV::OPENSSL_EXT_SAN}
# -> also see CA(-enforced) extensions
## Certificate (self-signed) <-> openssl req -new -x509 ...
## REF: https://www.openssl.org/docs/man1.1.0/apps/req.html
# Extensions
# REF: https://www.openssl.org/docs/man1.1.0/apps/x509v3_config.html
# WARNING: order matters!
# ... individual certificate (default)
[ X509_Certificate_Extensions ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = emailProtection, clientAuth
subjectAltName = email:copy,${ENV::OPENSSL_EXT_SAN}
# ... CA certificate
[ CA_Authority_Extensions ]
basicConstraints = critical,CA:TRUE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, keyCertSign, cRLSign
nsCaPolicyUrl = http://example.org/pki/personal-cp+cps.html
subjectAltName = ${ENV::OPENSSL_EXT_SAN}
You can’t perform that action at this time.