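# OpenSSL configuration file for Hotspot 2.0 PKI (Intermediate CA)
#
# Read by the openssl(1) "req" and "ca" commands. Tokens of the form @NAME@
# (@DOMAIN@, @PASSWORD@, @OCSP_URI@, @LOGO_HASH256@, @LOGO_HASH1@, @LOGO_URI@)
# are placeholders that presumably get substituted by a setup script before
# OpenSSL reads the file; the file is not usable until they are filled in.
# The commented lines #@OU@, #@CN@ and #@ALTNAME@ look like substitution
# anchors for the same script -- keep them verbatim (TODO confirm against
# the script that renders this file).
#
# OpenSSL's config parser treats '#' to end of line as a comment, so trailing
# comments would be accepted; they are kept on their own lines here for
# readability. Whitespace around '=' is trimmed by the parser.

HOME = .
# RANDFILE is ignored by OpenSSL 1.1.1 and later; harmless on older releases.
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]
#logotypeoid=1.3.6.1.5.5.7.1.12

####################################################################
[ ca ]
# The default ca section
default_ca = CA_default

####################################################################
[ CA_default ]
# Where everything is kept
dir = ./demoCA
# Where the issued certs are kept
certs = $dir/certs
# Where the issued crl are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# Set to 'no' to allow creation of several certificates with the same
# subject. OpenSSL's default is 'yes'; leave it there unless re-issuing
# with an unchanged subject is actually required.
#unique_subject = no
# default place for new certs
new_certs_dir = $dir/newcerts
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# the current crl number; must be commented out to leave a V1 CRL
crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/crl.pem
# The private key
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand
# The extensions to add to the cert when no -extensions is given on the
# command line (ext_server / v3_ca etc. are selected explicitly).
x509_extensions = ext_client
# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default
# Extension copying option: use with caution.
# Per ca(1), 'copy' copies every CSR extension that the selected
# x509_extensions section does not already set ('copyall' would let the CSR
# override even those). basicConstraints, keyUsage and extendedKeyUsage are
# pinned by the ext_* sections below, so a CSR cannot turn an end-entity
# into a CA -- but subjectAltName is NOT pinned (the #@ALTNAME@ anchors are
# commented out), so a SAN carried in a CSR is issued as-is. Only sign CSRs
# you generated yourself or whose SAN has been checked.
copy_extensions = copy
# how long to certify for
default_days = 365
# how long before next CRL
default_crl_days = 30
# use public key default MD
default_md = default
# keep passed DN ordering
preserve = no
# For the CA policy
policy = policy_match

[ policy_match ]
countryName = supplied
stateOrProvinceName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_osu_server ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca
# The private-key passphrase is substituted into this file in clear text:
# once rendered, the file is as sensitive as the key itself. Keep it with
# restrictive permissions and do not commit or copy the rendered version.
input_password = @PASSWORD@
output_password = @PASSWORD@
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FI
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = Tuusula
0.organizationName = Organization Name (eg, company)
0.organizationName_default = @DOMAIN@
##organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
#@OU@
commonName = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]

[ v3_ca ]
# Hotspot 2.0 PKI requirements
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 -- this intermediate may issue end-entity certificates only,
# not further CAs.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
authorityInfoAccess = OCSP;URI:@OCSP_URI@
# For SP intermediate CA
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
# nameConstraints would confine everything this CA issues to @DOMAIN@;
# consider enabling it for an SP intermediate so a mis-issued or
# CSR-supplied SAN (see copy_extensions) cannot name another domain.
#nameConstraints=permitted;DNS:.@DOMAIN@
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn

[ v3_osu_server ]
# NOTE(review): nothing in this file shows which command selects this
# section. It asserts CA:true (without keyCertSign, SKI, AKI or AIA) yet
# carries the end-entity style #@ALTNAME@ anchor; if it is meant for an OSU
# server certificate, CA:true is wrong (compare ext_server, CA:FALSE).
# Confirm its use before issuing with it.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyEncipherment
#@ALTNAME@
#logotypeoid=ASN1:SEQUENCE:LogotypeExtn
1.3.6.1.5.5.7.1.12 = ASN1:SEQUENCE:LogotypeExtn

# Logotype extension (RFC 3709) for the OSU server certificate, built with
# OpenSSL's ASN1 generation syntax. The section names below are referenced
# from the extension definitions above; keep the structure exact.
[LogotypeExtn]
communityLogos = EXP:0,SEQUENCE:LogotypeInfo

[LogotypeInfo]
# note: implicit tag converted to explicit for CHOICE
direct = EXP:0,SEQUENCE:LogotypeData

[LogotypeData]
image = SEQUENCE:LogotypeImage

[LogotypeImage]
imageDetails = SEQUENCE:LogotypeDetails
imageInfo = SEQUENCE:LogotypeImageInfo

[LogotypeDetails]
mediaType = IA5STRING:image/png
logotypeHash = SEQUENCE:HashAlgAndValues
logotypeURI = SEQUENCE:URI

[HashAlgAndValues]
# Only the SHA-256 hash is emitted. The SHA-1 entry is commented out and the
# HashAlgAndValueSHA1 / sha1_alg sections below are unreferenced unless it is
# re-enabled; keep it disabled.
value1 = SEQUENCE:HashAlgAndValueSHA256
#value2=SEQUENCE:HashAlgAndValueSHA1

[HashAlgAndValueSHA256]
hashAlg = SEQUENCE:sha256_alg
hashValue = FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@

[HashAlgAndValueSHA1]
hashAlg = SEQUENCE:sha1_alg
hashValue = FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@

[sha256_alg]
algorithm = OID:sha256

[sha1_alg]
algorithm = OID:sha1

[URI]
uri = IA5STRING:@LOGO_URI@

[LogotypeImageInfo]
# default value color(1), component optional
#type=IMP:0,INTEGER:1
# Hard-coded metadata of the logo image; presumably these must match the
# PNG at @LOGO_URI@ whose hash goes into @LOGO_HASH256@ -- update all of
# them together if the logo changes (TODO confirm with the rendering script).
fileSize = INTEGER:7549
xSize = INTEGER:128
ySize = INTEGER:80
language = IMP:4,IA5STRING:zxx

[ crl_ext ]
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always

[ v3_OCSP ]
# Delegated OCSP responder certificate. It only signs OCSP responses, so
# digitalSignature is the single key usage it needs; the previous
# nonRepudiation and keyEncipherment bits granted nothing it uses and are
# dropped (least privilege). Marked critical like the other profiles.
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning

[ ext_client ]
# Marked critical for consistency with ext_server; RFC 5280 allows either
# for end-entity certificates.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = clientAuth

[ ext_server ]
# Hotspot 2.0 PKI requirements
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = critical, serverAuth
# NOTE(review): keyEncipherment alone authorises RSA key transport only;
# (EC)DHE cipher suites and TLS 1.3 need digitalSignature as well. Left as
# the Hotspot 2.0 profile states it here -- confirm against the current
# OSU certificate specification and the TLS configuration of the OSU server
# before adding the bit.
keyUsage = critical, keyEncipherment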