summaryrefslogtreecommitdiff
path: root/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
commited7d79f96177044949744da10f4431c1d6242241 (patch)
tree3aabaa55ed3b5291daef891cfee9befb5235e2b8 /testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
parent7410d3c6d6a9a1cd7aa55083c938946af6ff9498 (diff)
downloadvyos-strongswan-ed7d79f96177044949744da10f4431c1d6242241.tar.gz
vyos-strongswan-ed7d79f96177044949744da10f4431c1d6242241.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.3.6)
Diffstat (limited to 'testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf')
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf214
1 files changed, 214 insertions, 0 deletions
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
new file mode 100644
index 000000000..133b2ea71
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
@@ -0,0 +1,214 @@
+# openssl.cnf - OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME = /etc/openssl/rfc3779
+RANDFILE = $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+[ new_oids ]
+SmartcardLogin = 1.3.6.1.4.1.311.20.2
+ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca = root_ca # The default ca section
+
+####################################################################
+
+[ root_ca ]
+
+dir = $CAHOME
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/strongswanCert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+crlnumber = $dir/crlnumber # The current CRL serial number
+private_key = $dir/strongswanKey.pem # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = host_ext # The extentions to add to the cert
+
+crl_extensions = crl_ext # The extentions to add to the CRL
+
+default_days = 1825 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # which md to use.
+preserve = no # keep passed DN ordering
+email_in_dn = no # allow/forbid EMail in DN
+
+policy = policy_match # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = optional
+localityName = optional
+organizationName = match
+organizationalUnitName = optional
+userId = optional
+serialNumber = optional
+commonName = supplied
+emailAddress = optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = ca_ext # The extentions to add to the self signed cert
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = CH
+countryName_min = 2
+countryName_max = 2
+
+#stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName_default = ZH
+
+#localityName = Locality Name (eg, city)
+#localityName_default = Winterthur
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Linux strongSwan
+
+0.organizationalUnitName = Organizational Unit Name (eg, section)
+0.organizationalUnitName_default = RFC3779
+
+#1.organizationalUnitName = Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId = UID
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = $ENV::COMMON_NAME
+commonName_max = 64
+
+#0.emailAddress = Email Address (eg, foo@bar.com)
+#0.emailAddress_min = 0
+#0.emailAddress_max = 40
+
+#1.emailAddress = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min = 0
+#1.emailAddress_max = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+subjectAltName = DNS:$ENV::COMMON_NAME
+#extendedKeyUsage = OCSPSigning
+extendedKeyUsage = serverAuth
+crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl
+
+sbgp-ipAddrBlock = critical, @host-addr-section
+
+[host-addr-section]
+
+IPv4.0 = 192.168.0.2
+IPv4.1 = 10.2.0.0/16
+IPv6.0 = fec0::2
+IPv6.1 = fec2::/16
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+subjectAltName = email:$ENV::COMMON_NAME
+#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
+crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl
+
+#sbgp-ipAddrBlock = critical, IPv4:192.168.0.0/24, IPv6:inherit
+
+sbgp-ipAddrBlock = critical, @user-addr-section
+
+[user-addr-section]
+
+IPv4.0 = 192.168.0.200
+IPv4.1 = 10.3.0.2
+IPv6.0 = fec0::20
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints = critical, CA:TRUE, pathlen:1
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+
+sbgp-ipAddrBlock = critical, @ca-addr-section
+
+[ca-addr-section]
+
+IPv4.0 = 192.168.0.0/24
+IPv4.1 = 10.1.0.0/16
+IPv4.2 = 10.2.0.0/16
+IPv4.3 = 10.3.0.1 - 10.3.3.232
+IPv6.0 = fec0::/16
+IPv6.1 = fec1::/16
+IPv6.2 = fec2::/16
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName = issuer:copy
+authorityKeyIdentifier = keyid:always, issuer:always
+
+# eof