| # OpenSSL configuration file for Hotspot 2.0 PKI (Intermediate CA) |
| |
| HOME = . |
| RANDFILE = $ENV::HOME/.rnd |
| oid_section = new_oids |
| |
| [ new_oids ] |
| |
| #logotypeoid=1.3.6.1.5.5.7.1.12 |
| |
| #################################################################### |
| [ ca ] |
| default_ca = CA_default # The default ca section |
| |
| #################################################################### |
| [ CA_default ] |
| |
| dir = ./demoCA # Where everything is kept |
| certs = $dir/certs # Where the issued certs are kept |
| crl_dir = $dir/crl # Where the issued crl are kept |
| database = $dir/index.txt # database index file. |
| #unique_subject = no # Set to 'no' to allow creation of |
| # several certificates with same subject |
| new_certs_dir = $dir/newcerts # default place for new certs. |
| |
| certificate = $dir/cacert.pem # The CA certificate |
| serial = $dir/serial # The current serial number |
| crlnumber = $dir/crlnumber # the current crl number |
| # must be commented out to leave a V1 CRL |
| crl = $dir/crl.pem # The current CRL |
| private_key = $dir/private/cakey.pem# The private key |
| RANDFILE = $dir/private/.rand # private random number file |
| |
| x509_extensions = ext_client # The extentions to add to the cert |
| |
| name_opt = ca_default # Subject Name options |
| cert_opt = ca_default # Certificate field options |
| |
| # Extension copying option: use with caution. |
| copy_extensions = copy |
| |
| default_days = 365 # how long to certify for |
| default_crl_days= 30 # how long before next CRL |
| default_md = default # use public key default MD |
| preserve = no # keep passed DN ordering |
| |
| policy = policy_match |
| |
| # For the CA policy |
| [ policy_match ] |
| countryName = supplied |
| stateOrProvinceName = optional |
| organizationName = supplied |
| organizationalUnitName = optional |
| commonName = supplied |
| emailAddress = optional |
| |
| [ policy_osu_server ] |
| countryName = match |
| stateOrProvinceName = optional |
| organizationName = match |
| organizationalUnitName = supplied |
| commonName = supplied |
| emailAddress = optional |
| |
| [ policy_anything ] |
| countryName = optional |
| stateOrProvinceName = optional |
| localityName = optional |
| organizationName = optional |
| organizationalUnitName = optional |
| commonName = supplied |
| emailAddress = optional |
| |
| #################################################################### |
| [ req ] |
| default_bits = 2048 |
| default_keyfile = privkey.pem |
| distinguished_name = req_distinguished_name |
| attributes = req_attributes |
| x509_extensions = v3_ca # The extentions to add to the self signed cert |
| |
| input_password = @PASSWORD@ |
| output_password = @PASSWORD@ |
| |
| string_mask = utf8only |
| |
| [ req_distinguished_name ] |
| countryName = Country Name (2 letter code) |
| countryName_default = FI |
| countryName_min = 2 |
| countryName_max = 2 |
| |
| localityName = Locality Name (eg, city) |
| localityName_default = Tuusula |
| |
| 0.organizationName = Organization Name (eg, company) |
| 0.organizationName_default = @DOMAIN@ |
| |
| ##organizationalUnitName = Organizational Unit Name (eg, section) |
| #organizationalUnitName_default = |
| #@OU@ |
| |
| commonName = Common Name (e.g. server FQDN or YOUR name) |
| #@CN@ |
| commonName_max = 64 |
| |
| emailAddress = Email Address |
| emailAddress_max = 64 |
| |
| [ req_attributes ] |
| |
| [ v3_ca ] |
| |
| # Hotspot 2.0 PKI requirements |
| subjectKeyIdentifier=hash |
| authorityKeyIdentifier=keyid:always,issuer |
| basicConstraints = critical, CA:true, pathlen:0 |
| keyUsage = critical, cRLSign, keyCertSign |
| authorityInfoAccess = OCSP;URI:@OCSP_URI@ |
| # For SP intermediate CA |
| #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU |
| #nameConstraints=permitted;DNS:.@DOMAIN@ |
| #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn |
| |
| [ v3_osu_server ] |
| |
| basicConstraints = critical, CA:true, pathlen:0 |
| keyUsage = critical, keyEncipherment |
| #@ALTNAME@ |
| |
| #logotypeoid=ASN1:SEQUENCE:LogotypeExtn |
| 1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn |
| [LogotypeExtn] |
| communityLogos=EXP:0,SEQUENCE:LogotypeInfo |
| [LogotypeInfo] |
| # note: implicit tag converted to explicit for CHOICE |
| direct=EXP:0,SEQUENCE:LogotypeData |
| [LogotypeData] |
| image=SEQUENCE:LogotypeImage |
| [LogotypeImage] |
| imageDetails=SEQUENCE:LogotypeDetails |
| imageInfo=SEQUENCE:LogotypeImageInfo |
| [LogotypeDetails] |
| mediaType=IA5STRING:image/png |
| logotypeHash=SEQUENCE:HashAlgAndValues |
| logotypeURI=SEQUENCE:URI |
| [HashAlgAndValues] |
| value1=SEQUENCE:HashAlgAndValueSHA256 |
| #value2=SEQUENCE:HashAlgAndValueSHA1 |
| [HashAlgAndValueSHA256] |
| hashAlg=SEQUENCE:sha256_alg |
| hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@ |
| [HashAlgAndValueSHA1] |
| hashAlg=SEQUENCE:sha1_alg |
| hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@ |
| [sha256_alg] |
| algorithm=OID:sha256 |
| [sha1_alg] |
| algorithm=OID:sha1 |
| [URI] |
| uri=IA5STRING:@LOGO_URI@ |
| [LogotypeImageInfo] |
| # default value color(1), component optional |
| #type=IMP:0,INTEGER:1 |
| fileSize=INTEGER:7549 |
| xSize=INTEGER:128 |
| ySize=INTEGER:80 |
| language=IMP:4,IA5STRING:zxx |
| |
| [ crl_ext ] |
| |
| # issuerAltName=issuer:copy |
| authorityKeyIdentifier=keyid:always |
| |
| [ v3_OCSP ] |
| |
| basicConstraints = CA:FALSE |
| keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
| extendedKeyUsage = OCSPSigning |
| |
| [ ext_client ] |
| |
| basicConstraints=CA:FALSE |
| subjectKeyIdentifier=hash |
| authorityKeyIdentifier=keyid,issuer |
| authorityInfoAccess = OCSP;URI:@OCSP_URI@ |
| #@ALTNAME@ |
| extendedKeyUsage = clientAuth |
| |
| [ ext_server ] |
| |
| # Hotspot 2.0 PKI requirements |
| basicConstraints=critical, CA:FALSE |
| subjectKeyIdentifier=hash |
| authorityKeyIdentifier=keyid,issuer |
| authorityInfoAccess = OCSP;URI:@OCSP_URI@ |
| #@ALTNAME@ |
| extendedKeyUsage = critical, serverAuth |
| keyUsage = critical, keyEncipherment |
