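# OpenSSL configuration file for Hotspot 2.0 PKI (Intermediate CA)
#
# hs20/server/ca/openssl.cnf -- read by the OpenSSL command-line tools
# (req / ca / x509) that build the Hotspot 2.0 OSU demo PKI.
#
# This file is a template: the @NAME@ tokens (@PASSWORD@, @DOMAIN@,
# @OCSP_URI@, @LOGO_URI@, @LOGO_HASH256@, ...) and the "#@...@" marker
# lines (#@ALTNAME@, #@CN@, #@OU@) are presumably substituted / expanded by
# the CA setup script before OpenSSL parses the result -- confirm against
# that script. The expanded copy therefore carries the CA key passphrase in
# clear text (see input_password / output_password under [ req ]); keep it
# out of version control and readable only by the CA operator.
#
# Dialect notes: OpenSSL config, not generic INI. '#' starts a comment
# anywhere on a line (so trailing comments are safe here), $var / $ENV::VAR
# are expanded, and sections referenced by -extensions / -policy on the
# command line need not be referenced from inside this file.

HOME                    = .
# PRNG seed file; $ENV::HOME is the process environment, not the HOME above
RANDFILE                = $ENV::HOME/.rnd
# extra OIDs are registered from [ new_oids ] (currently none active)
oid_section             = new_oids

[ new_oids ]

# Symbolic name for the RFC 3709 logotype extension; left commented, the
# extension is referenced by its numeric OID below instead.
#logotypeoid=1.3.6.1.5.5.7.1.12

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
# Settings for 'openssl ca' (the intermediate/issuing CA).
[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
# CA signing key; $dir/private must stay readable by the CA operator only
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

# Extension section used when 'openssl ca' is run without -extensions.
# Server and OSU-server certificates are expected to select [ ext_server ]
# / [ v3_osu_server ] explicitly on the command line.
x509_extensions = ext_client            # The extensions to add to the cert

name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# 'copy' imports only those CSR extensions that are not already set in the
# selected x509_extensions section; the values fixed in that section
# (basicConstraints, keyUsage, extendedKeyUsage, ...) take precedence, so a
# request cannot upgrade itself to a CA or add key usages. Do not change
# this to 'copyall', which lets the request override the config.
copy_extensions = copy

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
# 'default' delegates the signature digest to the OpenSSL build's
# per-key default (SHA-1 on 1.0.x RSA, SHA-256 from 1.1.0).
# NOTE(review): pinning 'sha256' here would make the signature algorithm
# independent of the OpenSSL version doing the signing.
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

# Policy used when 'openssl ca' is run without -policy;
# [ policy_osu_server ] and [ policy_anything ] are selected per invocation.
policy          = policy_match

# For the CA policy
# 'supplied' = must be present in the CSR; 'match' = must equal the CA's
# own value; 'optional' = copied if present.
[ policy_match ]
countryName             = supplied
stateOrProvinceName     = optional
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# OSU server certificates: country and organization must match the
# issuing CA, and an OU is required.
[ policy_osu_server ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = supplied
commonName              = supplied
emailAddress            = optional

# Least restrictive policy; only a commonName is required.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
# Settings for 'openssl req' (key + CSR / self-signed cert generation).
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passphrase for the generated private key (read and write). Replaced by
# the template substitution; the expanded file holds it in clear text.
input_password = @PASSWORD@
output_password = @PASSWORD@

# Encode DN strings as UTF8String only (no T61/BMP strings)
string_mask = utf8only

# Prompts and defaults for the subject DN.
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = FI
countryName_min                 = 2
countryName_max                 = 2

localityName                    = Locality Name (eg, city)
localityName_default            = Tuusula

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = @DOMAIN@

# OU prompt disabled; the #@OU@ marker is the substitution point for an
# OU line when one is needed.
##organizationalUnitName                = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
#@OU@

commonName                      = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# No request attributes (e.g. challengePassword) are used.
[ req_attributes ]

# Extensions for the (intermediate) CA certificate itself.
[ v3_ca ]

# Hotspot 2.0 PKI requirements
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# pathlen:0 -- this CA may issue end-entity certificates only, no sub-CAs
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
# OCSP responder location substituted from the template
authorityInfoAccess = OCSP;URI:@OCSP_URI@
# For SP intermediate CA
# Optional: WFA friendly-name otherName, DNS name constraint limiting the
# CA to @DOMAIN@, and the RFC 3709 logotype extension. All three are
# inactive unless uncommented.
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
#nameConstraints=permitted;DNS:.@DOMAIN@
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn

# Extensions for the OSU server issuer; selected with -extensions.
# NOTE(review): CA:true makes every certificate issued with this section a
# CA certificate (path length 0) -- confirm it is only applied to the
# OSU-server CA and never to an end-entity server certificate.
[ v3_osu_server ]

basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyEncipherment
#@ALTNAME@

# RFC 3709 logotype extension (id-pe-logotype, 1.3.6.1.5.5.7.1.12),
# built from the [LogotypeExtn] ... [LogotypeImageInfo] ASN.1 sections
# below. The symbolic form is kept commented; the numeric OID is active.
#logotypeoid=ASN1:SEQUENCE:LogotypeExtn
1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
# LogotypeExtn ::= SEQUENCE { communityLogos [0] EXPLICIT SEQUENCE OF LogotypeInfo }
[LogotypeExtn]
communityLogos=EXP:0,SEQUENCE:LogotypeInfo
[LogotypeInfo]
# note: implicit tag converted to explicit for CHOICE
direct=EXP:0,SEQUENCE:LogotypeData
[LogotypeData]
image=SEQUENCE:LogotypeImage
[LogotypeImage]
imageDetails=SEQUENCE:LogotypeDetails
imageInfo=SEQUENCE:LogotypeImageInfo
# Media type, hash and location of the logo image; the hash binds the
# certificate to the exact file served at logotypeURI.
[LogotypeDetails]
mediaType=IA5STRING:image/png
logotypeHash=SEQUENCE:HashAlgAndValues
logotypeURI=SEQUENCE:URI
# Only the SHA-256 hash is emitted; the SHA-1 entry (and its sections
# below) stays available but is disabled.
[HashAlgAndValues]
value1=SEQUENCE:HashAlgAndValueSHA256
#value2=SEQUENCE:HashAlgAndValueSHA1
[HashAlgAndValueSHA256]
hashAlg=SEQUENCE:sha256_alg
hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@
[HashAlgAndValueSHA1]
hashAlg=SEQUENCE:sha1_alg
hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@
[sha256_alg]
algorithm=OID:sha256
[sha1_alg]
algorithm=OID:sha1
[URI]
uri=IA5STRING:@LOGO_URI@
# Image metadata. fileSize / xSize / ySize are hard-coded and presumably
# describe the bundled logo whose hash is @LOGO_HASH256@; they must be
# updated together with the image and its hash.
[LogotypeImageInfo]
# default value color(1), component optional
#type=IMP:0,INTEGER:1
fileSize=INTEGER:7549
xSize=INTEGER:128
ySize=INTEGER:80
# 'zxx' = ISO 639 "no linguistic content"
language=IMP:4,IA5STRING:zxx

# Extensions added to CRLs (openssl ca -gencrl -crlexts crl_ext).
[ crl_ext ]

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

# OCSP responder signing certificate.
# NOTE(review): digitalSignature is what OCSP response signing needs;
# nonRepudiation / keyEncipherment are surplus here -- confirm before
# trimming.
[ v3_OCSP ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning

# End-entity client certificates (default x509_extensions above).
[ ext_client ]

basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = clientAuth

# End-entity TLS server certificates; selected with -extensions ext_server.
[ ext_server ]

# Hotspot 2.0 PKI requirements
basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
# subjectAltName (DNS name of the server) inserted at this marker
#@ALTNAME@
extendedKeyUsage = critical, serverAuth
# NOTE(review): keyEncipherment alone covers RSA key transport only; a
# server negotiating (EC)DHE suites signs the handshake and needs
# digitalSignature as well. Because the extension is critical, strict
# clients may reject such handshakes -- confirm against the cipher suites
# the OSU server offers before changing.
keyUsage = critical, keyEncipherment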