@ohadlevy
Created May 13, 2010 01:57
# $Id: openssl.cnf,v 1.3 2007/06/03 18:15:11 jmates Exp $
#
# OpenSSL configuration for a small Puppet-style CA. [ ca ] / [ CA_default ]
# drive 'openssl ca'; [ req ] drives 'openssl req'. The two keys below sit
# outside any section, so every openssl command reads them.
HOME = .
# NOTE(review): recent OpenSSL releases no longer seed the RNG from
# RANDFILE; keeping it is harmless, but confirm against the installed
# version before relying on it.
RANDFILE = $ENV::HOME/.rnd
# Entry point for 'openssl ca': names the section holding the CA settings.
[ ca ]
default_ca = CA_default
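[ CA_default ]
# Root of the Puppet SSL tree; every $dir path below is relative to it.
dir = /var/lib/puppet/ssl
# unused at present, and my limited certs can be kept in current dir
#certs = $dir/certs
# 'openssl ca' writes a copy of every certificate it signs here, named by serial.
new_certs_dir = $dir/ca/signed
crl_dir = $dir/ca
# Text database of issued certificates; the file must exist (may be empty).
database = $dir/index
certificate = $dir/ca/ca_crt.pem
serial = $dir/ca/serial
crl = $dir/ca/ca_crl.pem
# CA private key; keep it readable by the CA user only.
private_key = $dir/ca/ca_key.pem
RANDFILE = $dir/private/.rand
# Extensions added to every certificate this CA signs.
x509_extensions = usr_cert
# Extensions added to CRLs produced by 'openssl ca -gencrl'. Without this
# key the [ crl_ext ] section later in the file is never used.
crl_extensions = crl_ext
# 'no' allows several valid certificates with the same subject, e.g. when
# an agent is re-keyed before its previous certificate is revoked.
unique_subject = no
name_opt = ca_default
cert_opt = ca_default
# Days until a freshly generated CRL expires.
default_crl_days = 30
# Days of validity for issued certificates (ten years); shorten this if
# revocation alone is not an acceptable way to retire a host.
default_days = 3650
# sha256: SHA-1 signatures are rejected by current clients and by the
# default OpenSSL security level.
default_md = sha256
preserve = no
policy = policy_anything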
# For the CA policy
# Not used as written: [ CA_default ] selects policy = policy_anything.
# 'match' fields must equal the CA certificate's own value, 'supplied'
# fields must be present, 'optional' fields may be present. A DN field
# a CSR carries that is not listed in the active policy (localityName is
# missing here) is silently dropped from the issued subject unless
# -preserveDN is given.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# This is the policy [ CA_default ] actually uses. Only commonName is
# mandatory and nothing here checks its value, so the operator must
# confirm that a CSR's CN is the host it claims to be before signing.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
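[ req ]
# Settings for 'openssl req', used to create the CA key and its
# self-signed certificate.
# RSA key size in bits for the generated CA key.
default_bits = 2048
# Relative path: unlike the [ CA_default ] paths this resolves against
# the current directory, so run 'openssl req' from $dir.
default_keyfile = ./ca/ca_key.pem
# sha256: SHA-1 signatures are rejected by current clients and by the
# default OpenSSL security level.
default_md = sha256
# Take the subject from the section below instead of prompting for it.
prompt = no
distinguished_name = root_ca_distinguished_name
# Extensions for the self-signed CA certificate (openssl req -x509).
x509_extensions = v3_ca
# utf8only encodes DN strings as UTF8String, the RFC 5280 encoding;
# 'nombstr' fell back to the deprecated T61String for non-printable
# characters. The mask changes the DN bytes, so choose it before the CA
# certificate is created rather than for an existing CA.
string_mask = utf8only
# Uncomment to add the [ v3_req ] extensions to CSRs made with this file.
# req_extensions = v3_req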
# Subject of the self-signed CA certificate. Because [ req ] sets
# prompt = no, the value below is used verbatim: replace the placeholder
# with the real CA name before creating the CA.
[ root_ca_distinguished_name ]
commonName = XXXXXXXX
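[ usr_cert ]
# Extensions for certificates issued by this CA (x509_extensions in
# [ CA_default ]). No keyUsage/extendedKeyUsage is set, so issued
# certificates are usable for any purpose.
# Issued certificates are end entities; they must not act as sub-CAs.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Where relying parties can fetch the CRL. crlDistributionPoints is the
# RFC 5280 extension; it replaces the Netscape-only nsCaRevocationUrl,
# which current clients ignore. Replace the placeholder host.
crlDistributionPoints = URI:https://puppeteer.domain/ca_crl.pem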
[ v3_req ]
# Extensions to add to a certificate request
# Only used when [ req ] sets req_extensions = v3_req, which is commented
# out above, so CSRs made from this file currently carry no extensions.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
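[ v3_ca ]
# Extensions for the self-signed CA certificate (x509_extensions in
# [ req ]), following the PKIX profile.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# critical,CA:true is what RFC 5280 requires of a CA certificate. If a
# legacy relying party rejects critical extensions, the non-critical
# form 'basicConstraints = CA:true' is the fallback, but prefer fixing
# the client. No pathlen constraint is set, so this CA could issue
# subordinate CAs.
basicConstraints = critical,CA:true
# The CA key may only sign certificates and CRLs; marked critical so
# relying parties refuse to use it for anything else.
keyUsage = critical, keyCertSign, cRLSign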
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# This section takes effect only when [ CA_default ] names it with
# crl_extensions = crl_ext; as written that key is absent, so
# 'openssl ca -gencrl' produces a CRL without these extensions.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always