# $Id: openssl.cnf,v 1.3 2007/06/03 18:15:11 jmates Exp $
#
# OpenSSL configuration file for custom Certificate Authority. Use a
# different openssl.cnf file to generate certificate signing requests;
# this one is for use only in Certificate Authority operations (csr ->
# cert, cert revocation, revocation list generation).
#
# Be sure to customize this file prior to use, e.g. the commonName and
# other options under the root_ca_distinguished_name section.
#
# http://sial.org/howto/openssl/ca/
# http://www.openssl.org/docs/apps/ca.html

# Global (section-less) settings.
HOME                    = .
# Seed file for the PRNG. NOTE(review): only old OpenSSL releases need this;
# current ones seed from the OS and may ignore it. Harmless to leave in place.
RANDFILE                = $ENV::HOME/.rnd

[ ca ]
# Section that 'openssl ca' reads its settings from.
default_ca      = CA_default

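[ CA_default ]
# Root of the CA working tree; every path below is relative to it.
dir             = /srv/CertAuth
# certs/ is unused at present (issued certs are kept in new_certs_dir);
# newcerts/ receives a copy of every issued certificate, named by serial.
certs           = $dir/certs
new_certs_dir   = $dir/newcerts
crl_dir         = $dir/crl
# Text database of issued/revoked certificates. Back it up together with
# 'serial'; losing either breaks further issuance and revocation.
database        = $dir/index

certificate     = $dir/cyberleo-ca.crt
serial          = $dir/serial
crl             = $dir/cyberleo-ca.crl
# The CA signing key. Keep it readable only by the CA operator (e.g. mode
# 0600 inside a 0700 private/ directory) and protected by a passphrase.
private_key     = $dir/private/cyberleo-ca.key
RANDFILE        = $dir/private/.rand

# Extensions stamped onto every certificate 'ca' signs (see [ usr_cert ]).
# Override per invocation with 'openssl ca -extensions server|client'.
x509_extensions = usr_cert

# Extensions added to generated CRLs (see [ crl_ext ]). Without this line
# the [ crl_ext ] section is never used.
crl_extensions  = crl_ext

# Never copy extensions from the CSR into the issued certificate. 'none' is
# OpenSSL's default, but it is stated explicitly because 'copy' would let a
# requester inject e.g. keyUsage or basicConstraints values of their choice.
copy_extensions = none

# Make new requests easier to sign - allow two subjects with same name
# (Or revoke the old certificate first.) This means several valid
# certificates for one subject can exist at once; revoke superseded ones.
unique_subject  = no

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default
cert_opt        = ca_default

# A CRL issued today is valid this long. Relying parties may cache it for
# the whole period, so regenerate the CRL promptly after every revocation.
default_crl_days= 365
default_days    = 365
# Signature digest for issued certificates and CRLs. SHA-1 (and MD5)
# signatures are rejected by current browsers and TLS stacks; do not fall
# back to them for "compatibility".
default_md      = sha256
# With preserve = no the subject DN of an issued certificate is rebuilt in
# the order of the policy section below, not the order in the request.
preserve        = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
# policy_anything accepts any DN as long as a commonName is present; switch
# to policy_match to force issued certificates into this CA's own C/ST/O.
policy          = policy_anything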

# For the CA policy
[ policy_match ]
# Not selected by [ CA_default ] at present. 'match' fields must equal the
# CA certificate's own value, 'supplied' fields must be present in the
# request, 'optional' fields may be absent. Fields not listed here are
# silently dropped from the issued subject, which is built in this order.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
# The policy in use: only commonName is mandatory, nothing is checked
# against the CA's own DN. Any field not listed here is silently dropped
# from the issued subject, and the subject is built in this order.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
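[ req ]
# Used only by 'openssl req -x509' to create the self-signed CA certificate
# itself; end-entity CSRs are made with a different config (see header).

# RSA key size for a newly generated CA key. 2048 is the current minimum;
# a root that is meant to live for years is better generated with 4096.
default_bits            = 2048
# Relative path, unlike the absolute private_key in [ CA_default ]; run
# 'openssl req' from /srv/CertAuth so both refer to the same file.
default_keyfile         = ./private/cyberleo-ca.key
# Signature digest for the self-signed CA certificate. Never sha1 or md5.
default_md              = sha256

# Take the subject from [ root_ca_distinguished_name ] without prompting.
prompt                  = no
distinguished_name      = root_ca_distinguished_name

# Extensions for the self-signed CA certificate.
x509_extensions = v3_ca

# Passwords for private keys; if not present they will be prompted for.
# Leave these commented out: a passphrase stored here is only as protected
# as this config file, which is usually readable more widely than the key.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# utf8only is the encoding RFC 5280 expects for new DNs and the current
# OpenSSL default; the old 'nombstr' value only existed to work around
# Netscape-era clients that crashed on UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req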

[ root_ca_distinguished_name ]
# Subject of the self-signed CA certificate; customize before first use.
# Field order here is the order of the resulting DN.
commonName = CyberLeo.Net CA
countryName = US
stateOrProvinceName = Illinois
localityName = Chicago
# The 'N.' prefix lets a section hold several keys of the same name.
0.organizationName = CyberLeo.Net
emailAddress = cyberleo@cyberleo.net

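[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# NOTE(review): no keyUsage/extendedKeyUsage is set here, so a certificate
# signed with this default section is usable for any purpose (TLS server,
# client, signing ...). Sign with '-extensions server' or '-extensions
# client' below, or add explicit keyUsage/extendedKeyUsage here.

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# Where relying parties fetch this CA's CRL. crlDistributionPoints is the
# standard (RFC 5280) extension that current clients honour; the Netscape
# nsCaRevocationUrl is kept for legacy software only.
# NOTE(review): serving the CRL over https is circular if that server's own
# certificate chains to this CA; plain http is the usual choice for CRLs.
crlDistributionPoints           = URI:https://secure.cyberleo.net/cyberleo-ca.crl
nsCaRevocationUrl               = https://secure.cyberleo.net/cyberleo-ca.crl
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName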

[ v3_req ]

# Extensions to add to a certificate request
# Currently unused: 'req_extensions = v3_req' is commented out in [ req ],
# and [ CA_default ] sets no copy_extensions, so extensions carried in a
# CSR are not copied into the signed certificate anyway.

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

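[ v3_ca ]


# Extensions for the self-signed CA certificate

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# RFC 5280 requires basicConstraints to be critical in CA certificates and
# every current TLS stack accepts it; the old non-critical form was only a
# workaround for software that choked on critical extensions.
# NOTE(review): add 'pathlen:0' if this CA will never sign subordinate CAs.
basicConstraints = critical,CA:true

# Restrict the CA key to signing certificates and CRLs. Without keyUsage the
# root key is also acceptable as an ordinary TLS or signing key.
keyUsage = critical, keyCertSign, cRLSign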

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# Takes effect only if [ CA_default ] names this section with
# 'crl_extensions = crl_ext'; otherwise generated CRLs carry no extensions.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

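[ server ]
# Use with 'openssl ca -extensions server' for TLS server certificates.
# Selecting this section replaces [ usr_cert ] entirely, so the key
# identifiers have to be repeated here.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# keyEncipherment covers RSA key exchange; digitalSignature covers (EC)DHE.
keyUsage = critical, digitalSignature, keyEncipherment
# extendedKeyUsage is what current clients check; nsCertType is the legacy
# Netscape equivalent, kept for old software.
extendedKeyUsage = serverAuth
nsCertType = server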

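[ client ]
# Use with 'openssl ca -extensions client' for TLS client certificates.
# Selecting this section replaces [ usr_cert ] entirely, so the key
# identifiers have to be repeated here.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Client authentication only ever signs (CertificateVerify).
keyUsage = critical, digitalSignature
# extendedKeyUsage is what current servers check; nsCertType is the legacy
# Netscape equivalent, kept for old software.
extendedKeyUsage = clientAuth
nsCertType = client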