1#
2# Based on the OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME            = .
9RANDFILE        = $ENV::HOME/.rnd
10
11#CRLDISTPT       = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
12CRLDISTPT       = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
13
14# Extra OBJECT IDENTIFIER info:
15oid_section     = new_oids
16
17# To use this configuration file with the "-extfile" option of the
18# "openssl x509" utility, name here the section containing the
19# X.509v3 extensions to use:
20# extensions        =
21# (Alternatively, use a configuration file that has only
22# X.509v3 extensions in its main [= default] section.)
23
24[ new_oids ]
25# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
26scardLogin=1.3.6.1.4.1.311.20.2.2
27# Used in a smart card login certificate's subject alternative name
28msUPN=1.3.6.1.4.1.311.20.2.3
29# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
30msKDC=1.3.6.1.5.2.3.5
31# Identifies the AD GUID
32msADGUID=1.3.6.1.4.1.311.25.1
33
34####################################################################
35[ ca ]
36default_ca  = CA_default        # The default ca section
37
38####################################################################
39[ CA_default ]
40
41dir         = CA-samba.example.com         # Where everything is kept
42certs       = $dir/_none_certs        # Where the issued certs are kept
43crl_dir     = $dir/_none_crl          # Where the issued crl are kept
44database    = $dir/Private/CA-samba.example.com-index.txt    # database index file.
45unique_subject  = yes           # Set to 'no' to allow creation of
46                                # several certificates with same subject.
47new_certs_dir   = $dir/NewCerts     # default place for new certs.
48
49certificate = $dir/Public/CA-samba.example.com-cert.pem   # The CA certificate
50serial      = $dir/Private/CA-samba.example.com-serial.txt       # The current serial number
51crlnumber   = $dir/Private/CA-samba.example.com-crlnumber.txt    # the current crl number
52                                # must be commented out to leave a V1 CRL
53
54#crl         = $dir/Public/CA-samba.example.com-crl.pem           # The current CRL
55crl         = $dir/Public/CA-samba.example.com-crl.crl           # The current CRL
56private_key = $dir/Private/CA-samba.example.com-private-key.pem    # The private key
57RANDFILE    = $dir/Private/CA-samba.example.com.rand        # private random number file
58
59#x509_extensions    =   # The extensions to add to the cert
60x509_extensions = template_x509_extensions
61
62# Comment out the following two lines for the "traditional"
63# (and highly broken) format.
64name_opt    = ca_default        # Subject Name options
65cert_opt    = ca_default        # Certificate field options
66
67# Extension copying option: use with caution.
68# copy_extensions = copy
69
70# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
71# so this is commented out by default to leave a V1 CRL.
72# crlnumber must also be commented out to leave a V1 CRL.
73crl_extensions  = crl_ext
74
75default_days    = 7300           # how long to certify for
76default_crl_days= 7300            # how long before next CRL
77default_md  = sha256            # use public key default MD
78preserve    = no                # keep passed DN ordering
79
80# A few difference way of specifying how similar the request should look
81# For type CA, the listed attributes must be the same, and the optional
82# and supplied fields are just that :-)
83policy      = policy_match
84
85# For the CA policy
86[ policy_match ]
87countryName     = match
88stateOrProvinceName = match
89organizationName    = match
90organizationalUnitName  = optional
91commonName      = supplied
92emailAddress        = optional
93
94# For the 'anything' policy
95# At this point in time, you must list all acceptable 'object'
96# types.
97[ policy_anything ]
98countryName     = match
99stateOrProvinceName = match
100localityName        = match
101organizationName    = match
102organizationalUnitName  = match
103commonName      = supplied
104emailAddress        = supplied
105
106####################################################################
107[ req ]
108default_bits        = 4096
109distinguished_name  = req_distinguished_name
110attributes      = req_attributes
111x509_extensions = v3_ca # The extensions to add to the self signed cert
112
113# Passwords for private keys if not present they will be prompted for
114# input_password = secret
115# output_password = secret
116
117# This sets a mask for permitted string types. There are several options.
118# default: PrintableString, T61String, BMPString.
119# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
120# utf8only: only UTF8Strings (PKIX recommendation after 2004).
121# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
122# MASK:XXXX a literal mask value.
123# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
124string_mask = utf8only
125
126# req_extensions = v3_req # The extensions to add to a certificate request
127
128[ req_distinguished_name ]
129countryName         = Country Name (2 letter code)
130countryName_default     = US
131countryName_min         = 2
132countryName_max         = 2
133
134stateOrProvinceName     = State or Province Name (full name)
135stateOrProvinceName_default = SambaState
136
137localityName            = Locality Name (eg, city)
138localityName_default    = SambaCity
139
140organizationName        = Organization Name (eg, company)
141organizationName_default    = SambaSelfTesting
142
143organizationalUnitName      = Organizational Unit Name (eg, section)
144organizationalUnitName_default = Domain Controllers
145
146commonName          = Common Name (eg, YOUR name)
147commonName_default  = addc.addom.samba.example.com
148commonName_max          = 64
149
150emailAddress            = Email Address
151emailAddress_default    = ca-samba.example.com@samba.example.com
152emailAddress_max        = 64
153
154# SET-ex3           = SET extension number 3
155
156[ req_attributes ]
157#challengePassword       = A challenge password
158#challengePassword_min       = 4
159#challengePassword_max       = 20
160#
161#unstructuredName        = An optional company name
162
163[ v3_req ]
164
165# Extensions to add to a certificate request
166
167basicConstraints = CA:FALSE
168keyUsage = nonRepudiation, digitalSignature, keyEncipherment
169
170[ v3_ca ]
171# Extensions for a typical CA
172# PKIX recommendation.
173subjectKeyIdentifier=hash
174authorityKeyIdentifier=keyid:always,issuer
175
176# This is what PKIX recommends but some broken software chokes on critical
177# extensions.
178#basicConstraints = critical,CA:true
179# So we do this instead.
180basicConstraints = CA:true
181
182# Key usage: this is typical for a CA certificate.
183keyUsage = cRLSign, keyCertSign
184
185crlDistributionPoints=URI:$CRLDISTPT
186
187# Some might want this also
188nsCertType = sslCA, emailCA
189
190# Include email address in subject alt name: another PKIX recommendation
191subjectAltName=email:copy
192# Copy issuer details
193issuerAltName=issuer:copy
194
195[ crl_ext ]
196# CRL extensions.
197# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
198
199issuerAltName=issuer:copy
200authorityKeyIdentifier=keyid:always
201
202#[ usr_cert_mskdc ]
203[ template_x509_extensions ]
204
205# These extensions are added when 'ca' signs a request for a domain controller certificate.
206
207# This goes against PKIX guidelines but some CAs do it and some software
208# requires this to avoid interpreting an end user certificate as a CA.
209
210basicConstraints=CA:FALSE
211crlDistributionPoints=URI:$CRLDISTPT
212
213# Here are some examples of the usage of nsCertType. If it is omitted
214# the certificate can be used for anything *except* object signing.
215
216# This is OK for an SSL server.
217nsCertType          = server
218
219# This is typical in keyUsage for a client certificate.
220keyUsage = nonRepudiation, digitalSignature, keyEncipherment
221
222# This will be displayed in Netscape's comment listbox.
223nsComment           = "Domain Controller Certificate addc.addom.samba.example.com"
224
225# PKIX recommendations harmless if included in all certificates.
226subjectKeyIdentifier=hash
227authorityKeyIdentifier=keyid,issuer
228
229# This stuff is for subjectAltName and issuerAltname.
230
231subjectAltName=@dc_subjalt
232
233# Copy subject details
234issuerAltName=issuer:copy
235
236nsCaRevocationUrl       = $CRLDISTPT
237#nsBaseUrl
238#nsRevocationUrl
239#nsRenewalUrl
240#nsCaPolicyUrl
241#nsSslServerName
242
243#Extended Key requirements for our domain controller certs
244# serverAuth - says cert can be used to identify an ssl/tls server
245# msKDC - says cert can be used to identify a Kerberos Domain Controller.
246extendedKeyUsage = clientAuth,serverAuth,msKDC
247
248[dc_subjalt]
249DNS=addc.addom.samba.example.com
250otherName=msADGUID;FORMAT:HEX,OCTETSTRING:0123456789ABCDEF
251