From 3b9b6d0b8e7f798023c9d109c490449d528fde80 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 7 Apr 2024 17:59:48 +0200
Subject: Adding upstream version 1:9.18.19.
Signed-off-by: Daniel Baumann
---
bin/tests/system/doth/CA/CA.cfg | 121 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 121 insertions(+)
create mode 100644 bin/tests/system/doth/CA/CA.cfg
(limited to 'bin/tests/system/doth/CA/CA.cfg')
diff --git a/bin/tests/system/doth/CA/CA.cfg b/bin/tests/system/doth/CA/CA.cfg
new file mode 100644
index 0000000..97ea088
--- /dev/null
+++ b/bin/tests/system/doth/CA/CA.cfg
@@ -0,0 +1,121 @@
+## How To
+# To issue a certificate:
+#
+# 1. Generate the next certificate serial (if the file does not exist):
+# xxd -l 8 -u -ps /dev/urandom > ./serial
+# 2. Create the new certificate request (e.g. for foo.example.com):
+# openssl req -config ./CA.cfg -new -subj "/CN=foo.example.com" \
+# -addext "subjectAltName=DNS:foo.example.com,IP=X.X.X.X" \
+# -newkey rsa -keyout ./certs/foo.example.com.key \
+# -out ./certs/foo.example.com.csr
+#
+# The above will generate request for an RSA-based certificate. One
+# can issue an ECDSA-based certificate by replacing "-newkey rsa" with
+# "-newkey ec -pkeyopt ec_paramgen_curve:secp384r1".
+#
+# 3. Issue the certificate:
+# openssl ca -config ./CA.cfg -in ./certs/foo.example.com.csr \
+# -out ./certs/foo.example.com.pem
+#
+# To cleanup the internal database from expired certificates:
+#
+# 1. openssl ca -config ./CA.cfg -updatedb
+#
+# To revoke a certificate:
+#
+# 1. Revoke the certificate via file (e.g. for foo.example.com):
+# openssl ca -config ./CA.cfg -revoke ./certs/foo.example.com.pem
+# 2. Optionally remove the certificate file if you do not need it anymore:
+# rm ./certs/foo.example.com.pem
+# 3. Generate the certificate revocation list file: CRL (e.g. revoked.crl):
+# openssl ca -config ./CA.cfg -gencrl > ./revoked.crl
+#
+# The key for CA was generated like follows
+# openssl genrsa -out ./CA.key 3072
+# openssl req -x509 -new -key ./CA.key -days 10950 -out ./CA.pem
+#
+# See also:
+#
+# - https://jamielinux.com/docs/openssl-certificate-authority/index.html
+# - https://www.openssl.org/docs/man1.1.1/man1/ca.html
+# - https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html
+# - https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
+# - https://security.stackexchange.com/a/190646 - for ECDSA certificates
+# - https://gist.github.com/Soarez/9688998
+# - https://habr.com/ru/post/192446/ - Beware, your screen might "go Cyrillic"!
+
+# certificate authority configuration
+[ca]
+default_ca = CA_default # The default ca section
+
+[CA_default]
+dir = .
+new_certs_dir = $dir/newcerts # new certs dir (must be created)
+certificate = $dir/CA.pem # The CA cert
+private_key = $dir/private/CA.key # CA private key
+
+serial = $dir/serial # serial number file for the next certificate
+ # Update before issuing it:
+ # xxd -l 8 -u -ps /dev/urandom > ./serial
+database = $dir/index.txt # (must be created manually: touch ./index.txt)
+
+default_days = 10950 # how long to certify for
+
+#default_crl_days = 30 # the number of days before the
+default_crl_days = 10950 # next CRL is due. That is the
+ # days from now to place in the
+ # CRL nextUpdate field. If CRL
+ # is expired, certificate
+ # verifications will fail even
+ # for otherwise valid
+ # certificates. Clients might
+ # cache the CRL, so the expiry
+ # period should normally be
+ # relatively short (default:
+ # 30) for production CAs.
+
+default_md = sha256 # digest to use
+
+policy = policy_default # default policy
+email_in_dn = no # Don't add the email into cert DN
+
+name_opt = ca_default # Subject name display option
+cert_opt = ca_default # Certificate display option
+
+# We need the following in order to copy Subject Alt Name(s) from a
+# request to the certificate.
+copy_extensions = copy # copy extensions from request
+
+[policy_default]
+countryName = optional
+stateOrProvinceName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# default certificate requests settings
+[req]
+# Options for the `req` tool (`man req`).
+default_bits = 3072 # for RSA only
+distinguished_name = req_default
+string_mask = utf8only
+# SHA-1 is deprecated, so use SHA-256 instead.
+default_md = sha256
+# do not encrypt the private key file
+encrypt_key = no
+
+[req_default]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (e.g., city)
+0.organizationName = Organization Name (e.g., company)
+organizationalUnitName = Organizational Unit Name (e.g. department)
+commonName = Common Name (e.g. server FQDN or YOUR name)
+emailAddress = Email Address
+# defaults
+countryName_default = UA
+stateOrProvinceName_default = Kharkiv Oblast
+localityName_default = Kharkiv
+0.organizationName_default = ISC
+organizationalUnitName_default = Software Engeneering (BIND 9)
-- cgit v1.2.3
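Review bot: `copy_extensions = copy` in `[CA_default]` is not paired with any `x509_extensions` section, so every extension a CSR carries — not only the subjectAltName the comment above it is after, but also a `basicConstraints = CA:TRUE` or an arbitrary `keyUsage` — would be copied verbatim into the issued certificate; the ca(1) page the header links to warns about exactly this. This lives under bin/tests/system and is presumably a test-only CA fed by hand-written CSRs, but pinning the leaf extensions in the config is cheap and makes the intent explicit, since per ca(1) extensions already present from the config are not overwritten by copied ones. Separately, the "How To" header says the CA key was generated as `./CA.key` while the config reads `private_key = $dir/private/CA.key`; one of the two should be corrected so the recipe is reproducible. I would also state the scope up front, e.g. `# Test-only CA for the doth system test: the 30-year cert/CRL lifetimes and the unencrypted key are deliberate and must not be reused elsewhere.`, because `default_days`, `default_crl_days` and `encrypt_key = no` otherwise read as production misconfiguration.
```ini
[CA_default]
# … unchanged: dir, certificate, private_key, serial, database, default_* …
copy_extensions = copy # copy extensions from request
# Extensions set here take precedence over anything copied from the
# request, so a CSR cannot turn an issued leaf into a CA certificate.
x509_extensions = leaf_cert

[leaf_cert]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
```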