always revoke the certificate, even if it is already expired
[stack/cam.git] / cam / templates / openssl_config
index 4583fca..68296ff 100644 (file)
@@ -1,10 +1,10 @@
-RANDFILE = %(basedir)s/.random
+RANDFILE = ${ENV::CAROOT}/.random
 
 [ ca ]
 default_ca              = CA_default
 
 [ CA_default ]
-dir                     = %(basedir)s
+dir                     = ${ENV::CAROOT}
 certs                   = $dir/public/certs
 crl_dir                 = $dir/public/crl
 crl                     = $dir/public/crl.pem
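Review bot: With `${ENV::CAROOT}` in `RANDFILE` and `dir`, the CA base directory now comes from the environment of whichever process runs openssl, and every path derived from `$dir` follows it. OpenSSL refuses to load a config that expands an undefined environment variable, so any invocation without CAROOT exported fails outright. For a CA that fail-closed behaviour is reasonable, but the requirement should be stated at the top of the file, for example `# CAROOT must be set by the caller to the CA base directory; this file does not load without it`. The calling code is not visible here; it should pass CAROOT explicitly to the openssl child process rather than rely on an inherited value, so that a stale or externally supplied variable cannot point the CA at a different directory.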
@@ -27,7 +27,7 @@ countryName             = supplied
 organizationName        = supplied
 organizationalUnitName  = optional
 commonName              = supplied
-emailAddress            = supplied
+emailAddress            = optional
 
 [ policy_anything ]
 countryName             = optional
@@ -56,9 +56,6 @@ organizationalUnitName_default  = "%(ou)s"
 commonName                      = Common Name
 commonName_max                  = 64
 commonName_default              = "%(cn)s"
-emailAddress                    = Email Address
-emailAddress_max                = 60
-emailAddress_default            = "%(email)s"
 SET-ex3                         = SET extension number 3
 
 [ req_attributes ]
@@ -72,6 +69,8 @@ basicConstraints        = critical, CA:true
 keyUsage                = cRLSign, keyCertSign
 nsCertType              = sslCA, emailCA, objCA
 nsComment               = "%(cn)s"
-subjectAltName          = email:copy
+subjectAltName          = @ca_alt_name
 issuerAltName           = issuer:copy
 
+[ ca_alt_name ]
+email = "%(email)s"
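Review bot: The new `[ ca_alt_name ]` section renders `%(email)s` straight into an OpenSSL config value, so the address must be validated before the template is filled in. OpenSSL's parser interprets `$`, `\` and quote characters inside a value, and a newline starts a new directive, so an address containing any of these changes how this extension section is parsed. The rendering code is outside this hunk; if it does not already restrict the value to a plain address and reject an empty one, that check belongs there. A comment above the key would record the contract: `# filled in by the template renderer; must be a validated, non-empty address`. The same concern applies to the existing `nsComment = "%(cn)s"` line in this hunk.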