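# OpenSSL configuration file for Hotspot 2.0 PKI (Intermediate CA)
#
# Read by the openssl(1) "ca" and "req" commands. Tokens of the form
# @NAME@ (e.g. @PASSWORD@, @DOMAIN@, @OCSP_URI@, @LOGO_URI@) are
# placeholders that are expected to be substituted before the file is
# used; lines of the form "#@NAME@" are substitution markers and must be
# kept verbatim.

HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra object identifiers, see [ new_oids ] below.
oid_section = new_oids

[ new_oids ]
# Add new OIDs in here for use by 'ca', 'req' and 'x509'.
#logotypeoid=1.3.6.1.5.5.7.1.12

####################################################################
[ ca ]
# The default ca section
default_ca = CA_default

####################################################################
[ CA_default ]

# Where everything is kept
dir = ./demoCA
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# Database index file
database = $dir/index.txt
# Set to 'no' to allow creation of several certificates with the same subject
#unique_subject = no
# Default place for new certs
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL number; must be commented out to leave a V1 CRL
crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/crl.pem
# The CA private key; keep this file readable by the CA operator only
private_key = $dir/private/cakey.pem
# Private random number file
RANDFILE = $dir/private/.rand

# Extensions added to issued certificates when "ca" is run without an
# -extensions option. ext_client is the default; the server and OCSP
# profiles below must be selected explicitly with -extensions <section>.
x509_extensions = ext_client

# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default

# Extension copying option: use with caution. With "copy", extensions
# present in the request that the selected extension section does not
# already define are copied into the certificate. A request can therefore
# contribute e.g. a subjectAltName, but cannot override the
# basicConstraints, keyUsage or extendedKeyUsage set by the profiles below.
copy_extensions = copy

# How long to certify for (days)
default_days = 365
# How long before next CRL (days)
default_crl_days = 30
# Signing digest. Pinned explicitly instead of "default" so the digest
# used for issued certificates and CRLs does not depend on the OpenSSL
# version's built-in default.
default_md = sha256
# Keep passed DN ordering
preserve = no

# Subject-matching policy applied by "ca"; the alternatives below can be
# selected with -policy <section>.
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = supplied
stateOrProvinceName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Stricter policy for OSU server certificates: country and organization
# must match the CA certificate.
[ policy_osu_server ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# Key size (bits) for newly generated keys
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca

# Private key passphrase. After substitution the passphrase is stored in
# clear text in this file, so restrict the file's permissions accordingly.
input_password = @PASSWORD@
output_password = @PASSWORD@

# Encode DN components as UTF8String only
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FI
countryName_min = 2
countryName_max = 2

localityName = Locality Name (eg, city)
localityName_default = Tuusula

0.organizationName = Organization Name (eg, company)
0.organizationName_default = @DOMAIN@

##organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
#@OU@

commonName = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]

[ v3_ca ]

# Hotspot 2.0 PKI requirements
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# Intermediate CA: pathlen:0 means it may only issue end-entity
# certificates, and keyUsage restricts the key to signing certs and CRLs.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
authorityInfoAccess = OCSP;URI:@OCSP_URI@
# For SP intermediate CA
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
#nameConstraints=permitted;DNS:.@DOMAIN@
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn

[ v3_osu_server ]

# OSU server end-entity profile. This is not a CA certificate: it is
# marked CA:FALSE like ext_server so the server key can never be
# presented as an issuer.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# digitalSignature covers (EC)DHE cipher suites, keyEncipherment covers
# RSA key transport.
keyUsage = critical, digitalSignature, keyEncipherment
#@ALTNAME@

#logotypeoid=ASN1:SEQUENCE:LogotypeExtn
# id-pe-logotype, built from the ASN.1 module sections below
1.3.6.1.5.5.7.1.12 = ASN1:SEQUENCE:LogotypeExtn

[LogotypeExtn]
communityLogos = EXP:0,SEQUENCE:LogotypeInfo

[LogotypeInfo]
# note: implicit tag converted to explicit for CHOICE
direct = EXP:0,SEQUENCE:LogotypeData

[LogotypeData]
image = SEQUENCE:LogotypeImage

[LogotypeImage]
imageDetails = SEQUENCE:LogotypeDetails
imageInfo = SEQUENCE:LogotypeImageInfo

[LogotypeDetails]
mediaType = IA5STRING:image/png
logotypeHash = SEQUENCE:HashAlgAndValues
logotypeURI = SEQUENCE:URI

[HashAlgAndValues]
# Only the SHA-256 hash of the logo is included; the SHA-1 entry below
# is kept for reference but not emitted.
value1 = SEQUENCE:HashAlgAndValueSHA256
#value2=SEQUENCE:HashAlgAndValueSHA1

[HashAlgAndValueSHA256]
hashAlg = SEQUENCE:sha256_alg
hashValue = FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@

[HashAlgAndValueSHA1]
hashAlg = SEQUENCE:sha1_alg
hashValue = FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@

[sha256_alg]
algorithm = OID:sha256

[sha1_alg]
algorithm = OID:sha1

[URI]
uri = IA5STRING:@LOGO_URI@

[LogotypeImageInfo]
# default value color(1), component optional
#type=IMP:0,INTEGER:1
# Size and dimensions of the logo image referenced by @LOGO_URI@
fileSize = INTEGER:7549
xSize = INTEGER:128
ySize = INTEGER:80
language = IMP:4,IA5STRING:zxx

[ crl_ext ]

# CRL extensions
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always

[ v3_OCSP ]

# OCSP responder signing certificate (select with -extensions v3_OCSP)
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning

[ ext_client ]

# Client end-entity profile; the default for "ca" (see x509_extensions).
# basicConstraints is critical for consistency with ext_server.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
# Pinned here so a request cannot supply its own keyUsage via
# copy_extensions; digitalSignature is what TLS client authentication uses.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ ext_server ]

# Hotspot 2.0 PKI requirements
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = critical, serverAuth
# digitalSignature is required for (EC)DHE key exchange; keyEncipherment
# alone only covers RSA key transport.
keyUsage = critical, digitalSignature, keyEncipherment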