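# $NetBSD: pkgsrc.cnf,v 1.4 2024/06/11 09:26:58 wiz Exp $
#
# OpenSSL sample configuration file for use by pkgsrc.sh
#
# Format: OpenSSL config syntax (openssl-config(5) / config(5)).  A '#'
# starts a comment, also after a value on the same line; $name and
# $ENV::name are expanded; sections are referenced by name from the
# "ca" and "req" command sections below.
#
# Operational notes:
#  - The CA private key ($dir/private/cakey.pem) and the "req" key
#    (privkey.pem) live on disk next to this config; restrict their
#    permissions to the signing account.  Whether they are passphrase
#    protected depends on how pkgsrc.sh invokes openssl(1).
#  - copy_extensions is deliberately left unset (see [ CA_default ]).
#  - Signing certificates are issued for default_days; signatures checked
#    after expiry may be rejected depending on the verifier, so plan key
#    rotation ahead of that date.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
# RNG seed file.  OpenSSL 1.1.1 and later seed from the OS and do not need
# this; it is harmless to keep for older releases.
RANDFILE		= $ENV::HOME/.rnd

####################################################################
# Entry point for "openssl ca": names the section holding the CA settings.
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
# Settings for "openssl ca".  All paths below are relative to $dir.
[ CA_default ]

dir		= ./pkgsrc		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certificates with same subject.
					# OpenSSL's default is 'yes': issuing a
					# second certificate for a subject that
					# is still valid in index.txt is refused
					# unless the old one is revoked first.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem	# The private key
					# (keep $dir/private readable by the
					# signing account only)
RANDFILE	= $dir/private/.rand	# private random number file

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# Left unset on purpose.  With "copy" (or "copyall") extensions found in a
# certificate request are carried into the issued certificate, so a request
# could supply its own basicConstraints, keyUsage or subjectAltName values
# and the CA would sign them without review.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
# "default" selects OpenSSL's default digest for the key type (SHA-256 for
# RSA and EC keys on OpenSSL 1.1.0 and later).  Older releases do not know
# this keyword and need an explicit digest such as sha256 here.
default_md	= default		# use public key default MD
preserve	= no			# keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy: 'match' fields must equal the CA certificate's own
# value, 'supplied' fields must be present, 'optional' fields may be
# absent.  This keeps issued certificates tied to the CA's organisation.
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# Not selected by default; switch "policy" above to use it.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
# Settings for "openssl req" (key generation, requests and the
# self-signed CA certificate).
[ req ]
default_bits		= 4096
default_keyfile 	= privkey.pem	# written to the current directory
					# unless -keyout overrides it
distinguished_name	= req_distinguished_name
x509_extensions	= v3_ca	# The extensions to add to the self signed cert

# Encode DN attributes as UTF8String where the attribute type allows it,
# instead of the legacy T61/BMP string types.
string_mask = utf8only

# Prompt text and defaults for the subject DN.  The *_default values are
# the stock OpenSSL sample values and only matter when "openssl req"
# prompts interactively.
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= AU
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State

localityName			= Locality Name (eg, city)

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

commonName			= Common Name (eg, YOUR name)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64

# Extensions for package signing certificates (e.g. selected with
# "openssl ca -extensions pkgkey").  No basicConstraints is set: a v3
# certificate without it cannot act as a CA, but "basicConstraints =
# CA:FALSE" (as in OpenSSL's stock usr_cert section) would make that
# explicit.  keyUsage is likewise unset, so verifiers that check it will
# accept any key usage.
[ pkgkey ]
nsComment			= "Certificate for binary pkgsrc packages"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# Move any emailAddress out of the subject DN into the SAN extension.
subjectAltName=email:move

# Limits the certificate to code signing and S/MIME; verifiers that check
# EKU reject it for other purposes such as TLS.
extendedKeyUsage = codeSigning, emailProtection

# Extensions for the pkg-vulnerabilities signing certificate.  Same
# remarks as for [ pkgkey ] regarding basicConstraints and keyUsage; note
# that, unlike [ pkgkey ], no extendedKeyUsage restriction is applied.
[ pkgsec ]
nsComment			= "Certificate for pkg-vulnerabilities"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# Move any emailAddress out of the subject DN into the SAN extension.
subjectAltName=email:move

# Extensions for the self-signed CA certificate (x509_extensions in
# [ req ]).  basicConstraints is critical so every verifier treats the
# certificate as a CA.  Not set here: keyUsage (for example
# "critical, keyCertSign, cRLSign") and a path length limit
# ("CA:true, pathlen:0" when no intermediate CAs are planned); add them
# if the CA key is used only to sign certificates and CRLs.
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
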
136