hostap/tests/hwsim/auth_serv/ec-ca-openssl.cnf
Jouni Malinen eec147dccb tests: Update RSA 3k certificates before the previous ones expire
In addition, update the generation script to allow convenient update of
the server and user certificates without having to generate new keys.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 16:40:36 +03:00

111 lines
2.2 KiB
INI

# OpenSSL configuration file for Suite B
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./ec-ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = ext_client
name_opt = ca_default
cert_opt = ca_default
copy_extensions = copy
default_days = 3650
default_crl_days= 30
default_md = default
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
#emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
#emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FI
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = Helsinki
0.organizationName = Organization Name (eg, company)
0.organizationName_default = w1.fi
commonName = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max = 64
[ req_attributes ]
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
[ crl_ext ]
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ ext_client ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
#@ALTNAME@
extendedKeyUsage = clientAuth
keyUsage = digitalSignature, keyEncipherment
[ ext_server ]
basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
#@ALTNAME@
extendedKeyUsage = critical, serverAuth
keyUsage = digitalSignature, keyEncipherment