hostap/hs20/server/ca/openssl-root.cnf

# OpenSSL configuration file for Hotspot 2.0 PKI (Root CA)

HOME			= .
RANDFILE		= $ENV::HOME/.rnd
oid_section		= new_oids

[ new_oids ]

#logotypeoid=1.3.6.1.5.5.7.1.12

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= ./rootCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certificates with same subject
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extentions to add to the cert

name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= default		# use public key default MD
preserve	= no			# keep passed DN ordering

policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= optional
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert

input_password = @PASSWORD@
output_password = @PASSWORD@

string_mask = utf8only

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= US
countryName_min			= 2
countryName_max			= 2

localityName			= Locality Name (eg, city)
localityName_default		= Tuusula

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= WFA Hotspot 2.0

##organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
#@OU@

commonName			= Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64

[ req_attributes ]

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=DNS:example.com,DNS:another.example.com

[ v3_ca ]

# Hotspot 2.0 PKI requirements
subjectKeyIdentifier=hash
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign

[ crl_ext ]

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ v3_OCSP ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
OSU server: Add example scripts for Hotspot 2.0 PKI These can be used to generate certificates for developer testing of the OSU protocol. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2013-10-25 16:54:25 +02:00			`# OpenSSL configuration file for Hotspot 2.0 PKI (Root CA)`

			`HOME = .`
			`RANDFILE = $ENV::HOME/.rnd`
			`oid_section = new_oids`

			`[ new_oids ]`

			`#logotypeoid=1.3.6.1.5.5.7.1.12`

			`####################################################################`
			`[ ca ]`
			`default_ca = CA_default # The default ca section`

			`####################################################################`
			`[ CA_default ]`

			`dir = ./rootCA # Where everything is kept`
			`certs = $dir/certs # Where the issued certs are kept`
			`crl_dir = $dir/crl # Where the issued crl are kept`
			`database = $dir/index.txt # database index file.`
			`#unique_subject = no # Set to 'no' to allow creation of`
			`# several certificates with same subject`
			`new_certs_dir = $dir/newcerts # default place for new certs.`

			`certificate = $dir/cacert.pem # The CA certificate`
			`serial = $dir/serial # The current serial number`
			`crlnumber = $dir/crlnumber # the current crl number`
			`# must be commented out to leave a V1 CRL`
			`crl = $dir/crl.pem # The current CRL`
			`private_key = $dir/private/cakey.pem# The private key`
			`RANDFILE = $dir/private/.rand # private random number file`

			`x509_extensions = usr_cert # The extentions to add to the cert`

			`name_opt = ca_default # Subject Name options`
			`cert_opt = ca_default # Certificate field options`

			`default_days = 365 # how long to certify for`
			`default_crl_days= 30 # how long before next CRL`
			`default_md = default # use public key default MD`
			`preserve = no # keep passed DN ordering`

			`policy = policy_match`

			`# For the CA policy`
			`[ policy_match ]`
			`countryName = match`
			`stateOrProvinceName = optional`
			`organizationName = match`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`[ policy_anything ]`
			`countryName = optional`
			`stateOrProvinceName = optional`
			`localityName = optional`
			`organizationName = optional`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`####################################################################`
			`[ req ]`
			`default_bits = 2048`
			`default_keyfile = privkey.pem`
			`distinguished_name = req_distinguished_name`
			`attributes = req_attributes`
			`x509_extensions = v3_ca # The extentions to add to the self signed cert`

HS 2.0R2 CA: Improve setup.sh and .conf for more flexibility This gives more flexibility when generating keys so that users do not have to edit files to generate their own specific keys. Update HS 2.0 OSU server notes as well. Signed-off-by: Ben Greear <greearb@candelatech.com> 2015-04-01 02:14:17 +02:00			`input_password = @PASSWORD@`
			`output_password = @PASSWORD@`
OSU server: Add example scripts for Hotspot 2.0 PKI These can be used to generate certificates for developer testing of the OSU protocol. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2013-10-25 16:54:25 +02:00
			`string_mask = utf8only`

			`[ req_distinguished_name ]`
			`countryName = Country Name (2 letter code)`
			`countryName_default = US`
			`countryName_min = 2`
			`countryName_max = 2`

			`localityName = Locality Name (eg, city)`
			`localityName_default = Tuusula`

			`0.organizationName = Organization Name (eg, company)`
			`0.organizationName_default = WFA Hotspot 2.0`

			`##organizationalUnitName = Organizational Unit Name (eg, section)`
			`#organizationalUnitName_default =`
			`#@OU@`

			`commonName = Common Name (e.g. server FQDN or YOUR name)`
			`#@CN@`
			`commonName_max = 64`

			`emailAddress = Email Address`
			`emailAddress_max = 64`

			`[ req_attributes ]`

			`[ v3_req ]`

			`# Extensions to add to a certificate request`
			`basicConstraints = CA:FALSE`
			`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
			`subjectAltName=DNS:example.com,DNS:another.example.com`

			`[ v3_ca ]`

			`# Hotspot 2.0 PKI requirements`
			`subjectKeyIdentifier=hash`
			`basicConstraints = critical,CA:true`
			`keyUsage = critical, cRLSign, keyCertSign`

			`[ crl_ext ]`

			`# issuerAltName=issuer:copy`
			`authorityKeyIdentifier=keyid:always`

			`[ v3_OCSP ]`

			`basicConstraints = CA:FALSE`
			`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
			`extendedKeyUsage = OCSPSigning`