# OpenSSL configuration file for Hotspot 2.0 PKI (Root CA)
#
# Consumed by the openssl(1) "req" and "ca" commands; the syntax is OpenSSL
# CONF ("$var" and "$ENV::var" expand, "#" starts a comment anywhere on a
# line).  The @PASSWORD@ placeholders in [ req ] are evidently meant to be
# replaced with the root CA key passphrase before use, so the substituted
# copy of this file is secret material: keep it readable only by the CA
# operator and do not commit it.

# Base directory used by the RANDFILE path below
HOME = .
# PRNG seed file; recent OpenSSL releases appear to ignore this setting, but
# it is harmless to keep
RANDFILE = $ENV::HOME/.rnd
# Section holding locally defined OIDs
oid_section = new_oids
[ new_oids ]

# Locally named OIDs that other sections could reference by name.  The
# logotype extension OID is kept for reference only and is not used by any
# section in this file.
#logotypeoid=1.3.6.1.5.5.7.1.12

####################################################################
[ ca ]
# Section that "openssl ca" reads unless another is selected with -name
default_ca = CA_default

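####################################################################
[ CA_default ]

# Root of the CA tree; every path below is relative to it
dir             = ./rootCA
# Where the issued certs are kept
certs           = $dir/certs
# Where the issued CRLs are kept
crl_dir         = $dir/crl
# Database index file
database        = $dir/index.txt
# Set to 'no' to allow creation of several certificates with the same subject
#unique_subject = no
# Default place for new certs
new_certs_dir   = $dir/newcerts

# The CA certificate
certificate     = $dir/cacert.pem
# The current serial number
serial          = $dir/serial
# The current CRL number; must be commented out to leave a V1 CRL
crlnumber       = $dir/crlnumber
# The current CRL
crl             = $dir/crl.pem
# The CA private key
private_key     = $dir/private/cakey.pem
# Private random number file
RANDFILE        = $dir/private/.rand

# Extensions added to certificates signed by this CA.  NOTE: no [ usr_cert ]
# section exists in this file, so "openssl ca" is expected to fail while
# loading extensions unless the caller overrides this with
# -extensions <section> (e.g. v3_ca or v3_OCSP defined below).
x509_extensions = usr_cert

# Subject Name options
name_opt        = ca_default
# Certificate field options
cert_opt        = ca_default

# Validity in days of issued certificates when -days is not given
default_days    = 365
# Days until the next CRL is due
default_crl_days= 30
# Signature digest.  "default" would follow the signing key's per-release
# OpenSSL default; pin SHA-256 so every certificate and CRL issued by this
# root is signed with it regardless of the OpenSSL version in use.
default_md      = sha256
# "yes" would keep the DN ordering passed in the request as-is
preserve        = no

# Subject-matching rules for issued certificates (see [ policy_match ])
policy          = policy_match
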
# Default CA policy (selected by "policy = policy_match" above).
# match    - the field must equal the value in the CA certificate
# supplied - the field must be present in the request
# optional - the field may be present
[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# Permissive policy: only the commonName is mandatory and nothing has to
# match the CA certificate.  Not referenced by [ CA_default ]; it is used
# only when "openssl ca" is run with -policy policy_anything.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

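####################################################################
# Settings for "openssl req" (key generation and the self-signed root cert)
[ req ]
# RSA key size used when -newkey does not specify one
default_bits            = 2048
# Where the generated private key is written unless -keyout is given
default_keyfile         = privkey.pem
# Subject DN prompts and defaults
distinguished_name      = req_distinguished_name
# Request attributes (section is intentionally empty)
attributes              = req_attributes
# Extensions to add to the self-signed root certificate (-x509)
x509_extensions         = v3_ca
# Digest for the self-signature; pinned to SHA-256 rather than relying on
# the OpenSSL release default
default_md              = sha256

# Passphrases for the private key being read and written.  The @PASSWORD@
# placeholders are evidently substituted before this file is used; the
# substituted file then contains the root CA key passphrase in clear text
# and must be protected accordingly.
input_password = @PASSWORD@
output_password = @PASSWORD@

# Encode DN strings as UTF8String only (never T61String/BMPString)
string_mask = utf8only
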
# Subject DN fields for the root certificate: prompt text, default value and
# length limits.  Lines such as #@OU@ and #@CN@ look like template anchors
# that a setup script substitutes; leave them exactly as they are.
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

localityName                    = Locality Name (eg, city)
localityName_default            = Tuusula

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = WFA Hotspot 2.0

##organizationalUnitName                = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
#@OU@

commonName                      = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# Request attributes: intentionally empty, no challenge password or
# unstructured name is added to the request
[ req_attributes ]

[ v3_req ]

# Extensions to add to a certificate request.  Not selected by any section
# above; applies only when "openssl req" is run with -reqexts v3_req.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# The SAN entries below are sample names, not Hotspot 2.0 hosts; replace
# them before using this section for a real request.
subjectAltName=DNS:example.com,DNS:another.example.com

[ v3_ca ]

# Hotspot 2.0 PKI requirements for the root CA certificate:
# subject key identifier derived from the public key, a critical CA:true
# basic constraint, and a critical key usage limited to signing
# certificates and CRLs.
subjectKeyIdentifier=hash
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign

[ crl_ext ]

# CRL extensions.  [ CA_default ] does not set crl_extensions, so this
# section appears to be used only when "openssl ca -gencrl" is run with
# -crlexts crl_ext.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ v3_OCSP ]

# Extensions for an OCSP responder certificate issued by this root
# (select with -extensions v3_OCSP).  Only digitalSignature is needed for
# OCSP response signing; keyEncipherment is kept for compatibility with the
# existing tooling but could be dropped.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning