## How To
# To issue a certificate:
#
# 1. Generate the next certificate serial (if the file does not exist):
# xxd -l 8 -u -ps /dev/urandom > ./serial
# 2. Create the new certificate request (e.g. for foo.example.com):
#  openssl req -config ./CA.cfg -new -subj "/CN=foo.example.com" \
#                  -addext "subjectAltName=DNS:foo.example.com,IP=X.X.X.X" \
#                  -newkey rsa -keyout ./certs/foo.example.com.key \
#                  -out ./certs/foo.example.com.csr
#
# The above will generate a request for an RSA-based certificate. One
# can issue an ECDSA-based certificate by replacing "-newkey rsa" with
# "-newkey ec -pkeyopt ec_paramgen_curve:secp384r1".
#
# 3. Issue the certificate:
# openssl ca -config ./CA.cfg -in ./certs/foo.example.com.csr \
#                             -out ./certs/foo.example.com.pem
#
# To clean up the internal database by removing expired certificates:
#
# 1.  openssl ca -config ./CA.cfg -updatedb
#
# To revoke a certificate:
#
# 1. Revoke the certificate via its file (e.g. for foo.example.com):
# openssl ca -config ./CA.cfg -revoke ./certs/foo.example.com.pem
# 2. Optionally remove the certificate file if you do not need it anymore:
# rm ./certs/foo.example.com.pem
# 3. Generate the certificate revocation list file: CRL (e.g. revoked.crl):
# openssl ca -config ./CA.cfg -gencrl > ./revoked.crl
#
# The CA key and the self-signed CA certificate were generated as follows:
# openssl genrsa -out ./CA.key 3072
# openssl req -x509 -new -key ./CA.key -days 10950 -out ./CA.pem
#
# See also:
#
# - https://jamielinux.com/docs/openssl-certificate-authority/index.html
# - https://www.openssl.org/docs/man1.1.1/man1/ca.html
# - https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html
# - https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
# - https://security.stackexchange.com/a/190646 - for ECDSA certificates
# - https://gist.github.com/Soarez/9688998
# - https://habr.com/ru/post/192446/ - Beware, your screen might "go Cyrillic"!

# certificate authority configuration
[ca]
# Section read by `openssl ca` unless another one is selected with -name.
default_ca = CA_default

[CA_default]
# All paths below are relative to the working directory; the How-To above
# assumes every command is run from the directory holding CA.cfg.
# $dir is expanded when OpenSSL parses each line, so keep it defined first.
dir            = .
new_certs_dir  = $dir/newcerts         # new certs dir (must be created)
certificate    = $dir/CA.pem           # The CA cert
# NOTE(review): the How-To above generates the key as ./CA.key, whereas the
# path configured here is $dir/private/CA.key -- keep the two consistent.
private_key    = $dir/private/CA.key   # CA private key

serial         = $dir/serial           # serial number file for the next certificate
                                       # Update before issuing it:
                                       # xxd -l 8 -u -ps /dev/urandom > ./serial
database = $dir/index.txt                 # (must be created manually: touch ./index.txt)

default_days   = 10950                 # how long to certify for (about 30
                                       # years -- a test-fixture lifetime,
                                       # far longer than a production CA
                                       # would issue)

#default_crl_days = 30                 # the number of days before the
default_crl_days = 10950               # next CRL is due. That is the
                                       # days from now to place in the
                                       # CRL nextUpdate field.  If CRL
                                       # is expired, certificate
                                       # verifications will fail even
                                       # for otherwise valid
                                       # certificates. Clients might
                                       # cache the CRL, so the expiry
                                       # period should normally be
                                       # relatively short (default:
                                       # 30) for production CAs.

default_md     = sha256                # digest to use

policy         = policy_default        # default policy
email_in_dn    = no                    # Don't add the email into cert DN

name_opt       = ca_default            # Subject name display option
cert_opt       = ca_default            # Certificate display option

# We need the following in order to copy Subject Alt Name(s) from a
# request to the certificate.
# With "copy", every extension the CSR carries that this section does not
# set itself ends up in the certificate. No x509_extensions section is
# configured here, so a CSR-supplied basicConstraints or keyUsage would be
# signed as requested. That is acceptable for this test-only CA; a
# production CA should define its own extensions section (config-specified
# extensions take precedence over the request) or vet each CSR's
# extensions before signing.
copy_extensions = copy                 # copy extensions from request

# DN policy applied by `openssl ca` (selected via "policy" in [CA_default]).
# "supplied": the field must be present in the request.
# "optional": the field may be present; its value is not checked.
# NOTE(review): fields not listed here -- localityName and organizationName,
# both prompted for in [req_default] -- are expected to be dropped from the
# issued DN by `openssl ca` unless -preserveDN is given; confirm against ca(1).
[policy_default]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
organizationalUnitName = optional
emailAddress = optional

# default certificate requests settings
# Options for the `req` tool (`man req`); used by step 2 of the How-To above.
[req]
# RSA key size in bits. Ignored for EC keys, whose curve is chosen with
# "-pkeyopt ec_paramgen_curve:..." as shown in the How-To above.
default_bits = 3072
# section holding the DN prompts and defaults for new requests
distinguished_name = req_default
# encode DN strings as UTF8String only (the PKIX recommendation)
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-256 instead.
default_md = sha256
# Do not encrypt the private key file: the keys written under ./certs/ are
# stored in the clear. Acceptable for this test fixture; a CA or server key
# used outside tests should be passphrase-protected or kept in an HSM.
encrypt_key = no

[req_default]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Each key below is a DN field; its value is the prompt text shown by
# `openssl req` when run interactively. The listed order is expected to be
# the order of the fields in the resulting DN, so do not reorder casually.
# When -subj is given (as in the How-To above) no prompting happens and the
# *_default values below are not used.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (e.g., city)
# The "0." prefix keeps the key unique so the same field could be listed
# more than once in this section.
0.organizationName              = Organization Name (e.g., company)
organizationalUnitName          = Organizational Unit Name (e.g. department)
commonName                      = Common Name (e.g. server FQDN or YOUR name)
emailAddress                    = Email Address
# defaults
# No commonName_default is provided: the CN must be supplied explicitly.
countryName_default                     = UA
stateOrProvinceName_default             = Kharkiv Oblast
localityName_default                    = Kharkiv
0.organizationName_default              = ISC
# NOTE(review): this default OU is copied verbatim into the DN of any
# request that accepts it; the spelling "Engeneering" is as committed.
organizationalUnitName_default          = Software Engeneering (BIND 9)