support relocatable ca roots
[stack/cam.git] / cam / templates / openssl_config
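# OpenSSL configuration template for a CA whose files all live under the
# directory named by the CAROOT environment variable.
#
# The percent-style named placeholders (default_days, bits, country, org, ou,
# cn, email) are filled in before OpenSSL reads this file; the substitution
# code is not shown here. NOTE(review): the values appear to be inserted
# verbatim. A value containing a double quote, backslash, dollar sign or
# newline would change how OpenSSL parses the file, so the caller should
# validate or reject those characters. A literal percent sign added to this
# template presumably has to be doubled; confirm against the templating code.
#
# OpenSSL is expected to refuse to load this file when CAROOT is unset.

# Seed file for the random number generator; keep it private to the CA user.
RANDFILE = ${ENV::CAROOT}/.random

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = ${ENV::CAROOT}
certs                   = $dir/public/certs
crl_dir                 = $dir/public/crl
crl                     = $dir/public/crl.pem
crlnumber               = $dir/crlnumber
database                = $dir/index
serial                  = $dir/serial
new_certs_dir           = $dir/newcerts
certificate             = $dir/public/ca.pem
# CA signing key: the private directory should be readable only by the
# account that operates the CA.
private_key             = $dir/private/ca.key
x509_extensions         = certificate_extensions
email_in_dn             = no
default_days            = %(default_days)s
default_crl_days        = 31
# Was sha1. SHA-1 signatures are collision-prone and are rejected by current
# TLS libraries and browsers, so certificates and CRLs are signed with SHA-256.
default_md              = sha256
preserve                = yes
policy                  = policy_match
# copy_extensions is not set, so extensions requested in a CSR are ignored
# (OpenSSL default: none). Keep it that way unless requests are vetted.

# Despite the name, no field here uses "match": fields marked supplied must be
# present in the request but need not equal the CA's own values.
[ policy_match ]
countryName             = supplied
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# Not referenced by CA_default; only used when selected explicitly
# (for example with the -policy option of openssl ca).
[ policy_anything ]
countryName             = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# NOTE(review): the key size comes from the caller; for RSA it should be
# at least 2048.
default_bits            = %(bits)s
# Was sha1; see the note on default_md in CA_default.
default_md              = sha256
distinguished_name      = req_distinguished_name
attributes              = req_attributes
# Extensions applied when openssl req -x509 creates the self-signed CA cert.
x509_extensions         = v3_ca
string_mask             = nombstr

[ req_distinguished_name ]
countryName                     = Country Name
countryName_default             = "%(country)s"
countryName_min                 = 2
countryName_max                 = 2
0.organizationName              = Organization Name
0.organizationName_default      = "%(org)s"
organizationalUnitName          = Organizational Unit Name
organizationalUnitName_default  = "%(ou)s"
commonName                      = Common Name
commonName_max                  = 64
commonName_default              = "%(cn)s"
# NOTE(review): looks carried over from the stock OpenSSL sample config;
# confirm it is still needed.
SET-ex3                         = SET extension number 3

[ req_attributes ]

# Extension section for certificates issued by openssl ca (see
# x509_extensions in CA_default). The section exists but is empty, so issued
# certificates are V3 with no extensions at all.
# NOTE(review): end-entity certificates normally carry an explicit
# basicConstraints of CA:FALSE plus a keyUsage; confirm whether leaving them
# out is intended.
[ certificate_extensions ]

# Extensions for the CA certificate itself.
[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = critical, CA:true
keyUsage                = cRLSign, keyCertSign
nsCertType              = sslCA, emailCA, objCA
nsComment               = "%(cn)s"
subjectAltName          = @ca_alt_name
issuerAltName           = issuer:copy

[ ca_alt_name ]
email = "%(email)s"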