allow CA public key renewal
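# cam/templates/openssl_config
#
# OpenSSL configuration template for a certificate authority whose files live
# under the directory named by the CAROOT environment variable.
#
# The percent-style named placeholders (default_days, bits, country, org, ou,
# cn, email) are presumably substituted by the code that renders this template
# before OpenSSL reads it; confirm against the renderer.
# NOTE(review): do not put a literal percent sign in comments or values here,
# it would be read as a placeholder by a percent-style formatter.
# NOTE(review): nothing in this template escapes the substituted values. The
# renderer should reject double quotes, backslashes and line breaks in them so
# that a field value cannot add or override directives in the rendered file.

# Seed file for the random number generator, kept inside the CA directory.
RANDFILE = ${ENV::CAROOT}/.random

[ ca ]
# Section that "openssl ca" uses when no -name option is given.
default_ca              = CA_default
# NOTE(review): openssl ca documents unique_subject as an option of the CA
# section selected by default_ca; confirm it takes effect from this section.
unique_subject          = no

[ CA_default ]
# All CA state is resolved relative to CAROOT.
dir                     = ${ENV::CAROOT}
certs                   = $dir/public/certs
crl_dir                 = $dir/public/crl
crl                     = $dir/public/crl.pem
crlnumber               = $dir/crlnumber
database                = $dir/index
serial                  = $dir/serial
new_certs_dir           = $dir/newcerts
certificate             = $dir/public/ca.pem
# CA signing key. The private directory should be readable only by the
# account that operates the CA.
private_key             = $dir/private/ca.key
# Extensions added to issued certificates (section defined below, empty).
x509_extensions         = certificate_extensions
email_in_dn             = no
# Validity, in days, of issued certificates.
default_days            = %(default_days)s
# Days until the next CRL is due.
default_crl_days        = 31
# Signature digest for issued certificates and CRLs. SHA-1 is no longer
# collision resistant and SHA-1 signed certificates are rejected by current
# TLS clients, so SHA-256 is used.
default_md              = sha256
# Keep the DN field order of the request instead of the policy order.
preserve                = yes
policy                  = policy_match

# Despite its name, this policy does not require any field to match the CA
# certificate; it only requires country, organization and common name to be
# present in the request.
[ policy_match ]
countryName             = supplied
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# Not referenced by any section in this file; presumably selected with the
# -policy option by the caller. Only the common name is required.
[ policy_anything ]
countryName             = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Key size, in bits, for newly generated keys.
# NOTE(review): confirm the renderer enforces a lower bound on this value.
default_bits            = %(bits)s
# Signature digest for requests and self-signed certificates; SHA-256 for the
# same reason as in CA_default.
default_md              = sha256
distinguished_name      = req_distinguished_name
attributes              = req_attributes
# Extensions used when "openssl req -x509" creates a self-signed certificate.
x509_extensions         = v3_ca
# Restricts the string types used to encode DN fields (no BMPString or
# UTF8String).
string_mask             = nombstr

# Prompts and defaults for the subject name of a request.
[ req_distinguished_name ]
countryName                     = Country Name
countryName_default             = "%(country)s"
countryName_min                 = 2
countryName_max                 = 2
0.organizationName              = Organization Name
0.organizationName_default      = "%(org)s"
organizationalUnitName          = Organizational Unit Name
organizationalUnitName_default  = "%(ou)s"
commonName                      = Common Name
commonName_max                  = 64
commonName_default              = "%(cn)s"
# Appears to be carried over from the stock OpenSSL sample configuration.
SET-ex3                         = SET extension number 3

# No request attributes (such as a challenge password) are prompted for.
[ req_attributes ]

# Referenced by x509_extensions in CA_default. It is empty, so certificates
# signed through that section receive no extensions from this file: no
# basicConstraints and no keyUsage.
# NOTE(review): confirm the caller supplies an extension section at signing
# time. If it does not, end-entity certificates should at least carry
# basicConstraints with CA:FALSE.
[ certificate_extensions ]

# Extensions of the self-signed CA certificate.
[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
# Marked critical so that validators must honour the CA flag.
basicConstraints        = critical, CA:true
# The CA key may only sign certificates and CRLs.
keyUsage                = cRLSign, keyCertSign
# nsCertType and nsComment are legacy Netscape extensions.
nsCertType              = sslCA, emailCA, objCA
nsComment               = "%(cn)s"
subjectAltName          = @ca_alt_name
issuerAltName           = issuer:copy

# Subject alternative name of the CA certificate: a contact e-mail address.
[ ca_alt_name ]
email = "%(email)s"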