
frag.cnf (2146B)


      1 # strict policy for signing intermediate certificates
      2 # see policy format for `man ca`
        # match    = field must be present and equal to the same field in the CA certificate
        # supplied = field must be present; optional = field may be present
        # DN fields not listed here (e.g. localityName) are dropped from the issued
        # subject unless -preserveDN is given
      3 [ CA_policy_strict ]
      4 countryName		= match
      5 stateOrProvinceName	= match
      6 organizationName	= match
      7 organizationalUnitName	= optional
      8 commonName		= supplied
      9 emailAddress		= optional
     10 
     11 # loose policy for signing generic certificates (signed by intermediate certs)
     12 # see policy format for `man ca`
        # only commonName is required and nothing has to match the CA certificate, so the
        # subject is taken from the request as-is: check the CSR subject before signing
     13 [ CA_policy_loose ]
     14 countryName		= optional
     15 stateOrProvinceName	= optional
     16 localityName		= optional
     17 organizationName	= optional
     18 organizationalUnitName	= optional
     19 commonName		= supplied
     20 emailAddress		= optional
     21 
     22 # extensions for the root ca certificate (`man x509v3_config`)
        # CA:true carries no pathlen, so the root itself does not limit chain depth
        # NOTE(review): if the hierarchy is always root -> intermediate -> leaf,
        # pathlen:1 here would enforce that -- confirm against the intended layout
        # keyUsage is critical: certificate signing, CRL signing and digitalSignature only
     23 [ v3_ca ]
     24 subjectKeyIdentifier	= hash
     25 authorityKeyIdentifier	= keyid:always,issuer
     26 basicConstraints	= critical, CA:true
     27 keyUsage		= critical, digitalSignature, cRLSign, keyCertSign
     28 
     29 # extensions for intermediate ca certificates (`man x509v3_config`)
        # pathlen:0 = an intermediate may sign end-entity certificates only, not further CAs
        # no nameConstraints are set here, so pathlen is the only limit this section
        # places on what an intermediate can issue
     30 [ v3_intermediate_ca ]
     31 subjectKeyIdentifier	= hash
     32 authorityKeyIdentifier	= keyid:always,issuer
     33 basicConstraints	= critical, CA:true, pathlen:0
     34 keyUsage		= critical, digitalSignature, cRLSign, keyCertSign
     35 
     36 # extensions for client certificates (`man x509v3_config`)
        # CA:false plus extendedKeyUsage restrict the certificate to TLS client
        # authentication and e-mail protection
        # keyEncipherment applies to RSA keys -- NOTE(review): confirm the key type in use
        # nsCertType/nsComment are legacy Netscape extensions; current verifiers
        # generally rely on keyUsage/extendedKeyUsage instead
     37 [ client_cert ]
     38 subjectKeyIdentifier	= hash
     39 authorityKeyIdentifier	= keyid,issuer
     40 basicConstraints	= CA:false
     41 keyUsage		= critical, nonRepudiation, digitalSignature, keyEncipherment
     42 extendedKeyUsage	= clientAuth, emailProtection
     43 nsCertType		= client, email
     44 nsComment		= "Generated Client Certificate"
     45 
     46 # extensions for server certificates (`man x509v3_config`)
        # no subjectAltName is set in this section; current TLS clients match the host
        # name against SAN rather than commonName, so it has to be supplied elsewhere
        # NOTE(review): if that is done with copy_extensions in the ca section (not shown
        # here), read WARNINGS in `man ca` and inspect each request before signing
     47 [ server_cert ]
     48 subjectKeyIdentifier	= hash
     49 authorityKeyIdentifier	= keyid,issuer:always
     50 basicConstraints	= CA:false
     51 keyUsage		= critical, digitalSignature, keyEncipherment
     52 extendedKeyUsage	= serverAuth
     53 nsCertType		= server
     54 nsComment		= "Generated Server Certificate"
     55 
     56 # extensions for the revocation list (`man x509v3_config`)
        # keyid:always = every CRL carries the issuing key's identifier; generation
        # fails if the identifier cannot be obtained
     57 [ crl_ext ]
     58 authorityKeyIdentifier	= keyid:always
     59 
     60 # extensions for OCSP signing certificates (`man ocsp`)
        # critical OCSPSigning with CA:false and digitalSignature-only keyUsage limits
        # the certificate to signing OCSP responses
        # NOTE(review): id-pkix-ocsp-nocheck (`noCheck = ignored`) is not set; decide how
        # relying parties should check revocation of the responder certificate itself
     61 [ ocsp ]
     62 subjectKeyIdentifier	= hash
     63 authorityKeyIdentifier	= keyid,issuer
     64 basicConstraints	= CA:false
     65 keyUsage		= critical, digitalSignature
     66 extendedKeyUsage	= critical, OCSPSigning