# openssl.cnf - OpenSSL configuration file for the ZHW PKI # Mario Strasser # # This definitions were set by the ca_init script DO NOT change # them manualy. CAHOME = /etc/openssl/rfc3779 RANDFILE = $CAHOME/.rand # Extra OBJECT IDENTIFIER info: oid_section = new_oids [ new_oids ] SmartcardLogin = 1.3.6.1.4.1.311.20.2 ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 #################################################################### [ ca ] default_ca = root_ca # The default ca section #################################################################### [ root_ca ] dir = $CAHOME certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/strongswanCert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL crlnumber = $dir/crlnumber # The current CRL serial number private_key = $dir/strongswanKey.pem # The private key RANDFILE = $dir/.rand # private random number file x509_extensions = host_ext # The extensions to add to the cert crl_extensions = crl_ext # The extensions to add to the CRL default_days = 1820 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # which md to use. preserve = no # keep passed DN ordering email_in_dn = no # allow/forbid EMail in DN policy = policy_match # specifying how similar the request must look #################################################################### # the 'match' policy [ policy_match ] countryName = match stateOrProvinceName = optional localityName = optional organizationName = match organizationalUnitName = optional userId = optional serialNumber = optional commonName = supplied emailAddress = optional # the 'anything' policy [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings # so use this option with caution! string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request #################################################################### [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CH countryName_min = 2 countryName_max = 2 #stateOrProvinceName = State or Province Name (full name) #stateOrProvinceName_default = ZH #localityName = Locality Name (eg, city) #localityName_default = Winterthur organizationName = Organization Name (eg, company) organizationName_default = Linux strongSwan 0.organizationalUnitName = Organizational Unit Name (eg, section) 0.organizationalUnitName_default = RFC3779 #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff #userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME commonName_max = 64 #0.emailAddress = Email Address (eg, foo@bar.com) #0.emailAddress_min = 0 #0.emailAddress_max = 40 #1.emailAddress = Second Email Address (eg, foo@bar.com) #1.emailAddress_min = 0 #1.emailAddress_max = 40 #################################################################### [ req_attributes ] #################################################################### [ host_ext ] basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always subjectAltName = DNS:$ENV::COMMON_NAME #extendedKeyUsage = OCSPSigning extendedKeyUsage = serverAuth crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl sbgp-ipAddrBlock = critical, @host-addr-section [host-addr-section] #moon networks #IPv4.0 = 192.168.0.1 #IPv4.1 = 10.1.0.0/16 #IPv6.0 = fec0::1 #IPv6.1 = fec1::/16 #sun networks IPv4.0 = 192.168.0.2 IPv4.1 = 10.2.0.0/16 IPv6.0 = fec0::2 IPv6.1 = fec2::/16 #################################################################### [ user_ext ] basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always subjectAltName = email:$ENV::COMMON_NAME #authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880 crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl #sbgp-ipAddrBlock = critical, IPv4:192.168.0.0/24, IPv6:inherit sbgp-ipAddrBlock = critical, @user-addr-section [user-addr-section] #carol networks #IPv4.0 = 192.168.0.100 #IPv4.1 = 10.3.0.1 #IPv6.0 = fec0::10 #dave networks IPv4.0 = 192.168.0.200 IPv4.1 = 10.3.0.2 IPv6.0 = fec0::20 #################################################################### [ ca_ext ] basicConstraints = critical, CA:TRUE, pathlen:1 keyUsage = cRLSign, keyCertSign subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always sbgp-ipAddrBlock = critical, @ca-addr-section [ca-addr-section] IPv4.0 = 192.168.0.0/24 IPv4.1 = 10.1.0.0/16 IPv4.2 = 10.2.0.0/16 IPv4.3 = 10.3.0.1 - 10.3.3.232 IPv6.0 = fec0::/16 IPv6.1 = fec1::/16 IPv6.2 = fec2::/16 #################################################################### [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. #issuerAltName = issuer:copy authorityKeyIdentifier = keyid:always, issuer:always # eof