Update CA test config to use NonCFSSLSigner (#5344)
This config is now live in production.

Part of #5115
aarongable committed Mar 17, 2021
1 parent 8315393 commit bae699f
Showing 2 changed files with 88 additions and 190 deletions.
139 changes: 44 additions & 95 deletions test/config/ca-a.json
Expand Up @@ -26,109 +26,57 @@
"serverAddress": "sa.boulder:9095",
"timeout": "15s"
},
"cfssl": {
"signing": {
"profiles": {
"rsaEE": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"backdate": "1h",
"ca_constraint": { "is_ca": false },
"issuer_urls": [
"http://boulder:4430/acme/issuer-cert"
],
"ocsp_url": "http://127.0.0.1:4002/",
"crl_url": "http://example.com/crl",
"policies": [
{
"ID": "2.23.140.1.2.1"
},
{
"ID": "1.2.3.4",
"Qualifiers": [ {
"type": "id-qt-cps",
"value": "http://example.com/cps"
} ]
}
],
"expiry": "2160h",
"CSRWhitelist": {
"PublicKeyAlgorithm": true,
"PublicKey": true,
"SignatureAlgorithm": true
},
"ClientProvidesSerialNumbers": true,
"allowed_extensions": [ "1.3.6.1.5.5.7.1.24" ],
"lint_error_level": "pass",
"ignored_lints": [
"n_subject_common_name_included"
]
"issuance": {
"profile": {
"allowMustStaple": true,
"allowCTPoison": true,
"allowSCTList": true,
"allowCommonName": true,
"policies": [
{
"oid": "2.23.140.1.2.1"
},
"ecdsaEE": {
"usages": [
"digital signature",
"server auth",
"client auth"
],
"backdate": "1h",
"is_ca": false,
"issuer_urls": [
"http://127.0.0.1:4000/acme/issuer-cert"
],
"ocsp_url": "http://127.0.0.1:4002/",
"crl_url": "http://example.com/crl",
"policies": [
{
"oid": "1.2.3.4",
"qualifiers": [
{
"ID": "2.23.140.1.2.1"
},
{
"ID": "1.2.3.4",
"Qualifiers": [ {
"type": "id-qt-cps",
"value": "http://example.com/cps"
}, {
"type": "id-qt-unotice",
"value": "Do What Thou Wilt"
} ]
"type": "id-qt-cps",
"value": "http://example.com/cps"
}
],
"expiry": "2160h",
"CSRWhitelist": {
"PublicKeyAlgorithm": true,
"PublicKey": true,
"SignatureAlgorithm": true
},
"ClientProvidesSerialNumbers": true,
"allowed_extensions": [ "1.3.6.1.5.5.7.1.24" ],
"lint_error_level": "pass",
"ignored_lints": [
"n_subject_common_name_included"
]
}
],
"maxValidityPeriod": "2160h",
"maxValidityBackdate": "1h5m"
},
"issuers": [
{
"useForRSALeaves": true,
"useForECDSALeaves": true,
"issuerURL": "http://127.0.0.1:4000/acme/issuer-cert",
"ocspURL": "http://127.0.0.1:4002/",
"crlURL": "http://example.com/crl",
"location": {
"configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-a.pem",
"numSessions": 2
}
},
"default": {
"usages": [
"digital signature"
],
"expiry": "8760h"
{
"useForRSALeaves": false,
"useForECDSALeaves": false,
"issuerURL": "http://127.0.0.1:4000/acme/issuer-cert",
"ocspURL": "http://127.0.0.1:4002/",
"crlURL": "http://example.com/crl",
"location": {
"configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-b.pem",
"numSessions": 2
}
}
}
],
"ignoredLints": ["n_subject_common_name_included"]
},
"rsaProfile": "rsaEE",
"ecdsaProfile": "ecdsaEE",
"issuers": [{
"configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-a.pem",
"numSessions": 2
},{
"configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-b.pem",
"numSessions": 2
}],
"expiry": "2160h",
"backdate": "1h",
"serialPrefix": 255,
Expand All @@ -138,6 +86,7 @@
"blockedKeyFile": "test/example-blocked-keys.yaml",
"orphanQueueDir": "/tmp/orphaned-certificates-a",
"features": {
"NonCFSSLSigner": true,
"StoreIssuerInfo": true
}
},
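Review bot: In the new `issuers` list both entries carry the same `"issuerURL": "http://127.0.0.1:4000/acme/issuer-cert"` although they load different certificates (`/tmp/intermediate-cert-rsa-a.pem` and `/tmp/intermediate-cert-rsa-b.pem`). With `useForRSALeaves` and `useForECDSALeaves` both false on the second entry this is presumably harmless today, but if that issuer is ever enabled for leaves, its certificates would advertise an AIA URL that serves a different intermediate and chain building would fail for relying parties. JSON cannot hold a comment, so the purpose of the disabled second issuer should be recorded in the config struct's documentation or the commit description, and the entry should get its own issuer URL if the test server exposes one. The same applies to test/config/ca-b.json.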
139 changes: 44 additions & 95 deletions test/config/ca-b.json
Expand Up @@ -26,109 +26,57 @@
"serverAddress": "sa.boulder:9095",
"timeout": "15s"
},
"cfssl": {
"signing": {
"profiles": {
"rsaEE": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"backdate": "1h",
"ca_constraint": { "is_ca": false },
"issuer_urls": [
"http://boulder:4430/acme/issuer-cert"
],
"ocsp_url": "http://127.0.0.1:4002/",
"crl_url": "http://example.com/crl",
"policies": [
{
"ID": "2.23.140.1.2.1"
},
{
"ID": "1.2.3.4",
"Qualifiers": [ {
"type": "id-qt-cps",
"value": "http://example.com/cps"
} ]
}
],
"expiry": "2160h",
"CSRWhitelist": {
"PublicKeyAlgorithm": true,
"PublicKey": true,
"SignatureAlgorithm": true
},
"ClientProvidesSerialNumbers": true,
"allowed_extensions": [ "1.3.6.1.5.5.7.1.24" ],
"lint_error_level": "pass",
"ignored_lints": [
"n_subject_common_name_included"
]
"issuance": {
"profile": {
"allowMustStaple": true,
"allowCTPoison": true,
"allowSCTList": true,
"allowCommonName": true,
"policies": [
{
"oid": "2.23.140.1.2.1"
},
"ecdsaEE": {
"usages": [
"digital signature",
"server auth",
"client auth"
],
"backdate": "1h",
"is_ca": false,
"issuer_urls": [
"http://127.0.0.1:4000/acme/issuer-cert"
],
"ocsp_url": "http://127.0.0.1:4002/",
"crl_url": "http://example.com/crl",
"policies": [
{
"oid": "1.2.3.4",
"qualifiers": [
{
"ID": "2.23.140.1.2.1"
},
{
"ID": "1.2.3.4",
"Qualifiers": [ {
"type": "id-qt-cps",
"value": "http://example.com/cps"
}, {
"type": "id-qt-unotice",
"value": "Do What Thou Wilt"
} ]
"type": "id-qt-cps",
"value": "http://example.com/cps"
}
],
"expiry": "2160h",
"CSRWhitelist": {
"PublicKeyAlgorithm": true,
"PublicKey": true,
"SignatureAlgorithm": true
},
"ClientProvidesSerialNumbers": true,
"allowed_extensions": [ "1.3.6.1.5.5.7.1.24" ],
"lint_error_level": "pass",
"ignored_lints": [
"n_subject_common_name_included"
]
}
],
"maxValidityPeriod": "2160h",
"maxValidityBackdate": "1h5m"
},
"issuers": [
{
"useForRSALeaves": true,
"useForECDSALeaves": true,
"issuerURL": "http://127.0.0.1:4000/acme/issuer-cert",
"ocspURL": "http://127.0.0.1:4002/",
"crlURL": "http://example.com/crl",
"location": {
"configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-a.pem",
"numSessions": 2
}
},
"default": {
"usages": [
"digital signature"
],
"expiry": "8760h"
{
"useForRSALeaves": false,
"useForECDSALeaves": false,
"issuerURL": "http://127.0.0.1:4000/acme/issuer-cert",
"ocspURL": "http://127.0.0.1:4002/",
"crlURL": "http://example.com/crl",
"location": {
"configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-b.pem",
"numSessions": 2
}
}
}
],
"ignoredLints": ["n_subject_common_name_included"]
},
"rsaProfile": "rsaEE",
"ecdsaProfile": "ecdsaEE",
"issuers": [{
"configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-a.pem",
"numSessions": 2
},{
"configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-b.pem",
"numSessions": 2
}],
"expiry": "2160h",
"backdate": "1h",
"serialPrefix": 255,
Expand All @@ -138,6 +86,7 @@
"blockedKeyFile": "test/example-blocked-keys.yaml",
"orphanQueueDir": "/tmp/orphaned-certificates-b",
"features": {
"NonCFSSLSigner": true,
"StoreIssuerInfo": true
}
},
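Review bot: The validity limits now live in two places that have to agree: `"maxValidityPeriod": "2160h"` and `"maxValidityBackdate": "1h5m"` inside `issuance.profile`, and the top-level `"expiry": "2160h"` and `"backdate": "1h"`, which appear to remain as context below the new block. `maxValidityPeriod` equals `expiry` exactly, so raising `expiry` alone later would presumably make the profile refuse every request; a check at config load that fails when `expiry` exceeds `maxValidityPeriod` or `backdate` exceeds `maxValidityBackdate` would surface the mismatch at startup rather than at issuance time. Whether the loader already validates this is not visible in the diff. test/config/ca-a.json has the same pairing.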