summaryrefslogtreecommitdiff
path: root/usr.sbin/ikectl/ikeca.cnf
blob: 47207ac7df0cec65b5031523299189a16ac0ef22 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# $OpenBSD: ikeca.cnf,v 1.9 2017/01/31 21:35:07 sthen Exp $

CERT_C			= DE
CERT_ST			= Lower Saxony
CERT_L			= Hanover
CERT_O			= OpenBSD
CERT_OU			= iked
CERT_CN			=
CERT_EMAIL		= reyk@openbsd.org

# default settings
CERTPATHLEN		= 1
CERTUSAGE		= digitalSignature,keyCertSign,cRLSign
EXTCERTUSAGE		= serverAuth,clientAuth
CERTIP			= 0.0.0.0
CERTFQDN		= nohost.nodomain
CADB			= index.txt
CASERIAL		= serial.txt
NSCERTTYPE		= server,client

[ req ]
#default_bits		= 2048
#default_md		= sha256
#default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
#attributes		= req_attributes
req_extensions		= $ENV::REQ_EXT

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= $ENV::CERT_C
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= $ENV::CERT_ST

localityName			= Locality Name (eg, city)
localityName_default		= $ENV::CERT_L

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= $ENV::CERT_O

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= OpenBSD

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= $ENV::CERT_OU

commonName			= Common Name (eg, fully qualified host name)
commonName_max			= 64
commonName_default		= $ENV::CERT_CN

emailAddress			= Email Address
emailAddress_max		= 64
emailAddress_default		= $ENV::CERT_EMAIL

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

[ x509v3_extensions ]
nsCaRevocationUrl		= http://127.0.0.1/ca-crl.pem
nsComment			= "This is a comment"

# under ASN.1, the 0 bit would be encoded as 80
nsCertType			= 0x40

[x509v3_CA]
basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
keyUsage=$ENV::CERTUSAGE

[x509v3_IPAddr]
keyUsage=$ENV::CERTUSAGE
nsCertType=$ENV::NSCERTTYPE
subjectAltName=IP:$ENV::CERTIP
extendedKeyUsage=$ENV::EXTCERTUSAGE

[x509v3_FQDN]
keyUsage=$ENV::CERTUSAGE
nsCertType=$ENV::NSCERTTYPE
subjectAltName=DNS:$ENV::CERTFQDN
extendedKeyUsage=$ENV::EXTCERTUSAGE

[ca]
default_ca			= CA_default

[CA_sign_policy]
countryName			= optional
stateOrProvinceName		= optional
localityName			= optional
organizationName		= optional
organizationalUnitName		= optional
commonName			= supplied
emailAddress			= optional

[CA_default]
database			= $ENV::CADB
serial				= $ENV::CASERIAL
default_md			= sha256
default_days			= 365
default_crl_days		= 365
unique_subject			= yes
email_in_dn			= yes
policy				= CA_sign_policy