# $OpenBSD: intermediate.cnf,v 1.5 2023/09/26 21:17:03 tb Exp $
# For regression tests
#
# OpenSSL configuration for the regression-test intermediate CA.  It is
# read by the `ca`, `req` and `x509` tools (typically via -config).
# Values below (relative paths, 10-day validity, the loose policy) are
# chosen for the test harness and are not a template for a production CA.
#
# The default (unnamed) section must name the section `openssl ca` uses.
default_ca = CA_regress

[ CA_regress ]
# Directory and file locations.
# Everything is relative to the working directory; `$dir` is expanded by the
# config parser, so `dir` has to be defined before it is referenced.
dir = .
certs = $dir
crl_dir = $dir
# Index of issued certificates and the next serial number, maintained by `ca`.
database = $dir/intermediate.txt
serial = $dir/intermediate.serial
new_certs_dir = $dir

# The intermediate CA's private key and certificate (this file configures
# the intermediate, not the root -- compare the file names below).
private_key = $dir/intermediate.key.pem
certificate = $dir/intermediate.cert.pem

# For certificate revocation lists.
crlnumber = $dir/crlnumber
# NOTE(review): named ca.crl.pem while the other artefacts are intermediate.*;
# confirm this is the intended output name for the test.
crl = $dir/ca.crl.pem
crl_extensions = crl_ext
# CRL validity in days.
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
# Certificate validity in days; deliberately short for regression runs.
default_days = 10
# Subject DN is rebuilt in the order of the policy section rather than kept
# as supplied in the request.
preserve = no
# The intermediate signs with the loose policy; `policy_strict` below is not
# referenced by this section and would have to be selected on the command line.
policy = policy_loose
# No `x509_extensions` is set here, so `openssl ca` relies on -extensions to
# pick one of the extension sections defined further down.

[ policy_strict ]
# A strict policy: country, state and organization must match the CA's own
# subject, and a commonName must be present in the request.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# Only commonName is required; every other field is optional and unchecked.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
# Key size used when `req` generates a key itself.
default_bits = 2048
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only (no T61String/BMPString variants).
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompt strings for each DN field.  The `0.` prefix keeps the key unique
# within the section so the same attribute could be listed more than once.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
# These are test fixtures; the `_default` suffix pairs each with the prompt above.
countryName_default = CA
stateOrProvinceName_default = Alberta
localityName_default = Edmonton
0.organizationName_default = OpenBSD
organizationalUnitName_default = So and Sos
emailAddress_default = evilsoandsos@openbsd.org
commonName_default = Regress Intermediate CA

[ v3_ca ]
# Extensions for a typical CA (`man x509v3.cnf`).
# Used by `req -x509` (see x509_extensions above): an unconstrained CA with
# no pathlen limit, keyUsage restricted to signing certificates and CRLs.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3.cnf`).
# Not referenced elsewhere in this file; presumably selected with -extensions.
# pathlen:0 means the resulting CA may issue end-entity certificates only,
# not further CA certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3.cnf`).
# nsCertType/nsComment are legacy Netscape extensions kept for test coverage.
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
# Issuer name/serial is added to the AKI only if no keyid is available.
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
# SAN is marked critical and populated from the usr_san section below.
subjectAltName = critical, @usr_san

[ usr_san ]
# rfc822Name entries for the client certificate's subjectAltName.
email.0 = evilsoandsos@test.openbsd.org

[ server_cert ]
# Extensions for server certificates (`man x509v3.cnf`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
# Unlike usr_cert, `issuer:always` forces the issuer name and serial into the
# AKI alongside the keyid; the difference is presumably deliberate test input.
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3.cnf`).
# Referenced by crl_extensions in CA_regress.
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# End-entity certificate whose only permitted use is signing OCSP responses;
# the critical EKU rejects any other purpose.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning