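#
# OpenSSL configuration for the Intermediate Certification Authority.
#
# Read by `openssl ca` ([ ca ] -> [ intermed_ca ]) when issuing and
# revoking certificates, and by `openssl req` ([ req ]) when generating
# the intermediate CA's own key and certificate request.
#

#
# Fallback so the $ENV::CA_HOME references below do not fail when the
# CA_HOME environment variable is not exported: OpenSSL looks the name up
# in this default section when it is missing from the environment.
# Export CA_HOME to the CA directory before running any openssl command.
CA_HOME = .
RANDFILE = $ENV::CA_HOME/private/.rnd
oid_section = new_oids

#
# XMPP address Support
[ new_oids ]
xmppAddr = 1.3.6.1.5.5.7.8.5
dnsSRV = 1.3.6.1.5.5.7.8.7

#
# Default Certification Authority
[ ca ]
default_ca = intermed_ca

#
# Intermediate Certification Authority
[ intermed_ca ]
dir = $ENV::CA_HOME
certs = $dir/certs
serial = $dir/intermed-ca.serial
database = $dir/intermed-ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/intermed-ca.cert.pem
# Signing key for every certificate and CRL this CA issues: keep the
# file readable by the CA operator only, and passphrase-protected
# (see encrypt_key in [ req ]).
private_key = $dir/private/intermed-ca.key.pem
# Two years
default_days = 730
crl = $dir/crl/intermed-ca.crl
crl_dir = $dir/crl
crlnumber = $dir/intermed-ca.crlnum
name_opt = multiline, align
cert_opt = no_pubkey
# "copy" imports an extension from the request only when the section
# passed with -extensions does not already set it, so the
# basicConstraints / keyUsage / extendedKeyUsage defined in the *_ext
# sections below cannot be overridden by the requester.  Any other
# extension present in a CSR is accepted verbatim, so review requests
# before signing and never change this to "copyall".
copy_extensions = copy
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
preserve = no
email_in_dn = no
# Default DN policy; pass -policy user_policy for personal certificates.
policy = policy
# More than one unexpired certificate may share a subject DN; superseded
# certificates are not revoked automatically.
unique_subject = no

#
# Distinguished Name Policy
[ policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied

#
# Distinguished Name Policy for Personal Certificates
[ user_policy ]
countryName = supplied
stateOrProvinceName = optional
localityName = supplied
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied
# xmppAddr is not part of the DN; it is added to subjectAltName by req,
# so it is deliberately left out of the policy.
#xmppAddr = optional

#
# Intermediate CA request options
[ req ]
default_bits = 2048
default_keyfile = private/intermed-ca.key.pem
# Always passphrase-protect the CA private key on disk.
encrypt_key = yes
default_md = sha256
string_mask = utf8only
utf8 = yes
prompt = no
req_extensions = req_ext
distinguished_name = distinguished_name
# NOTE(review): subjectAltName is not a [ req ] option as far as I can
# tell; the request SAN comes from req_ext below.  Confirm and drop.
subjectAltName = subject_alt_name

#
# Intermediate CA Request Extensions
[ req_ext ]
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name

#
# Distinguished Name (DN)
[ distinguished_name ]
organizationName = tpm2-software
commonName = intermed ek ca

#
# Server Certificate Extensions
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist

#
# Client Certificate Extensions
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist

#
# User Certificate Extensions
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist

#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy

#
# Certificate Authorities Alternative Names
[ subject_alt_name ]
URI = http://ca.example.net/
email = certmaster@example.net

#
# Certificate download addresses for the intermediate CA
# INTERMEDCRT is a placeholder and must be replaced with the URL of the
# intermediate CA certificate before this file is used; otherwise every
# issued certificate carries an unresolvable AIA caIssuers entry.
[ auth_info_access ]
caIssuers;URI = INTERMEDCRT

#
# CRL Download address for the intermediate CA
# INTERMEDCRL is a placeholder.  fullname is a GeneralName, so the
# substituted value must carry its type prefix, e.g. URI:http://...
[ crl_dist ]
fullname = INTERMEDCRL

# EOF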