#	$OpenBSD: root.cnf,v 1.5 2023/09/26 21:18:01 tb Exp $
# For regression tests
#
# OpenSSL-style configuration for the root CA of the libcrypto CA regress
# tests.  Comments are `#` full-line only.  `$name` is conf variable
# expansion (looked up in the current section, then the default section).
#
# Section that `openssl ca` uses when no -name is given on the command line.
default_ca = CA_regress

[ CA_regress ]
# Directory and file locations.
# `dir` is relative, so the CA state (database, serial, issued certificates)
# and the root key all resolve against the working directory; presumably the
# regress harness runs in a scratch directory it owns -- verify in the driver.
dir               = .
certs             = $dir
crl_dir           = $dir
# Index of issued/revoked certificates; `openssl ca` reads and rewrites it.
database          = $dir/root.txt
# Next serial number to assign.
serial            = $dir/root.serial
# Every newly issued certificate is also written here as <serial>.pem.
new_certs_dir     = $dir

# The root key and root certificate.
private_key       = $dir/root.key.pem
certificate       = $dir/root.cert.pem

# For certificate revocation lists.
# crlnumber is the monotonic CRL number counter, crl_extensions names the
# section with the CRL extensions ([ crl_ext ] below), and CRLs are valid for
# default_crl_days from issue unless -crldays overrides it.
crlnumber         = $dir/crlnumber
crl               = $dir/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

# Display options for the subject name / certificate shown at signing time.
name_opt          = ca_default
cert_opt          = ca_default
# Validity of issued certificates when -days is not given.
default_days      = 375
# DN field order follows the policy section, not the request
# (see -preserveDN in `man ca`).
preserve          = no
# DN policy applied to every request; see [ policy_strict ] below.
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
#   match:    field must be present and equal the CA certificate's own value
#   supplied: field must be present
#   optional: field may be present
# DN components not listed in the policy are dropped from the issued
# certificate unless -preserveDN is given.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
# Not referenced from this file; presumably selected with
# `openssl ca -policy policy_loose` by the regress driver -- confirm there.
# Only commonName is mandatory; nothing is checked against the CA's DN.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
# Key size used when req generates a key and -newkey does not give one.
default_bits        = 2048
# Prompt strings and defaults for the subject DN; see the section below.
distinguished_name  = req_distinguished_name
# Restrict DN string fields to UTF8String.
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
# i.e. a self-signed certificate produced by req gets the CA extensions
# from [ v3_ca ].
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Each value is the text req shows when prompting for that DN field.
# The `0.` prefix keeps the key unique within the section (conf keys cannot
# repeat); it mirrors the stock openssl.cnf rather than being needed here.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
# `<field>_default` is used when the prompt is left empty, and without
# prompting under -batch.
countryName_default             = CA
stateOrProvinceName_default     = Alberta
localityName_default            = Edmonton
0.organizationName_default      = OpenBSD
organizationalUnitName_default  = So and Sos
emailAddress_default            = evilsoandsos@openbsd.org
commonName_default              = Regress Root CA

[ v3_ca ]
# Extensions for a typical CA (`man x509v3.cnf`).
subjectKeyIdentifier = hash
# keyid:always -> the issuer's subject key identifier is always included;
# issuer -> issuer DN and serial are added only if no key id is available.
authorityKeyIdentifier = keyid:always,issuer
# No pathlen, so this root may sign further CA certificates at any depth.
basicConstraints = critical, CA:true
# Critical: a relying party that does not process keyUsage must reject the
# certificate rather than ignore the restriction.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3.cnf`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 -> this CA may issue end-entity certificates only, not further CAs.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Critical so that a verifier unable to enforce name constraints rejects the
# chain instead of silently accepting names outside the allowed subtrees.
# The permitted/excluded subtrees come from [ ca_name_constraints ] below.
nameConstraints = critical, @ca_name_constraints

[ ca_name_constraints ]
# Keys are `permitted;<type>.<n>` / `excluded;<type>.<n>`; the `.<n>` index
# only keeps the conf keys unique.  Constraints are evaluated per name type
# (RFC 5280 4.2.1.10): a type with no entry is unrestricted, which is why IP
# addresses are excluded wholesale at the end.
# Leading dot (OpenSSL form): any DNS name ending in .openbsd.org.
permitted;DNS.0 = .openbsd.org
# Bare label: "client", and per RFC 5280 any name built by prepending labels
# to it.
permitted;DNS.1 = client
# No '@' and no leading dot: mailboxes whose host part is exactly openbsd.org.
permitted;email.0 = openbsd.org
# Leading '@' with no local part: any mailbox at exactly test.openbsd.org.
# NOTE(review): OpenSSL-style semantics; confirm against the name-constraint
# matcher these tests exercise.
permitted;email.1 = @test.openbsd.org
# Applies to the host part of URI SANs; same leading-dot form as DNS above.
permitted;URI.0 = .openbsd.org
# Directory-name subtree; the DN prefix is in [ openbsd_dn ] below.
permitted;dirName.0 = openbsd_dn
# otherName uses the SAN syntax OID;type:value.  1.3.6.1.4.1.311.20.2.3 is the
# Microsoft User Principal Name type; whether the verifier enforces otherName
# constraints is presumably what this entry exercises.
permitted;otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:@openbsd.org
# Address 0.0.0.0 with an all-zero mask matches every IPv4 address, and the
# IPv6 pair every IPv6 address: no iPAddress SAN is acceptable under this CA.
excluded;IP.0 = 0.0.0.0/0.0.0.0
excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ openbsd_dn ]
# Directory name used as the permitted dirName subtree above.  A dirName
# constraint is a prefix match on the RDN sequence, so subject DNs must start
# with C=CA, O=OpenBSD.
C = CA
O = OpenBSD

[ usr_cert ]
# Extensions for client certificates (`man x509v3.cnf`).
# End-entity certificate: must not be usable to sign other certificates.
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions; modern verifiers
# rely on keyUsage / extendedKeyUsage below.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
# Issuer DN and serial are added only if the issuer's key id is unavailable
# (contrast issuer:always in [ server_cert ]).
authorityKeyIdentifier = keyid,issuer
# nonRepudiation is the older name of the contentCommitment bit.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3.cnf`).
# End-entity certificate: must not be usable to sign other certificates.
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions; modern verifiers
# rely on keyUsage / extendedKeyUsage below.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
# issuer:always forces the issuer DN and serial into the AKI alongside the
# key id (unlike the conditional `issuer` used in [ usr_cert ]).
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3.cnf`).
# Each CRL carries the issuer's key identifier so relying parties can match
# it to the issuing certificate; selected via crl_extensions in [ CA_regress ].
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# Responder certificate: not a CA, signing only, and a critical OCSPSigning
# EKU so a verifier must not accept it for any other purpose.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

146