# $OpenBSD: ikeca.cnf,v 1.9 2017/01/31 21:35:07 sthen Exp $
#
# OpenSSL configuration used to run a small X.509 CA for iked(8).
# Every value in this unnamed top section is a fallback: the sections
# below read them as $ENV::NAME, and an OpenSSL $ENV:: lookup takes
# the environment variable when it is set and otherwise falls back to
# the value defined here. The caller (presumably ikectl(8)) is expected
# to export the real values; treat the ones here as placeholders.

# Subject name defaults. CERT_CN is intentionally empty: it must come
# from the environment, and [CA_sign_policy] below requires it.
CERT_C			= DE
CERT_ST			= Lower Saxony
CERT_L			= Hanover
CERT_O			= OpenBSD
CERT_OU			= iked
CERT_CN			=
# NOTE(review): with email_in_dn = yes in [CA_default] this address
# ends up in every subject DN unless the caller overrides CERT_EMAIL.
CERT_EMAIL		= reyk@openbsd.org

# default settings
# Maximum number of intermediate CAs allowed below the CA (x509v3_CA).
CERTPATHLEN		= 1
# keyUsage bits. This single variable is used by the CA profile AND by
# the x509v3_IPAddr / x509v3_FQDN host profiles below; the default
# includes keyCertSign, which is only appropriate for a CA. Assumes the
# caller exports a host-specific value when issuing host certs — verify.
CERTUSAGE		= digitalSignature,keyCertSign,cRLSign
# extendedKeyUsage for host certificates.
EXTCERTUSAGE		= serverAuth,clientAuth
# Placeholder subjectAltName contents; a certificate issued with these
# unset would carry a meaningless IP or DNS name.
CERTIP			= 0.0.0.0
CERTFQDN		= nohost.nodomain
# openssl ca(1) bookkeeping files (issued-certificate index and next serial).
CADB			= index.txt
CASERIAL		= serial.txt
# Legacy Netscape cert-type extension contents for host certificates.
NSCERTTYPE		= server,client

[ req ]
# Settings for openssl req(1), i.e. certificate request generation.
# default_bits / default_md / default_keyfile are deliberately left
# commented out, so key size, digest and key file come from the
# command line or the openssl defaults of the installed version.
#default_bits		= 2048
#default_md		= sha256
#default_keyfile 	= privkey.pem
# Prompts and defaults for the subject DN.
distinguished_name	= req_distinguished_name
# Request attributes ([ req_attributes ]) are disabled.
#attributes		= req_attributes
# Name of the x509v3_* section whose extensions go into the request.
# REQ_EXT has no fallback in this file, so it must be set in the
# environment by the caller.
req_extensions		= $ENV::REQ_EXT

[ req_distinguished_name ]
# Subject DN fields for openssl req(1). For each field, the bare key is
# the interactive prompt text, "_default" is the value taken from the
# environment (see the top of this file), and "_min"/"_max" bound the
# accepted input length. In batch mode the defaults are presumably
# used without prompting.
countryName			= Country Name (2 letter code)
countryName_default		= $ENV::CERT_C
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= $ENV::CERT_ST

localityName			= Locality Name (eg, city)
localityName_default		= $ENV::CERT_L

# The "0." prefix lets the same attribute appear more than once;
# only one organizationName is active.
0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= $ENV::CERT_O

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= OpenBSD

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= $ENV::CERT_OU

# CERT_CN has no fallback at the top of this file, so the common name
# must be supplied via the environment; [CA_sign_policy] rejects a
# request without one at signing time.
commonName			= Common Name (eg, fully qualified host name)
commonName_max			= 64
commonName_default		= $ENV::CERT_CN

emailAddress			= Email Address
emailAddress_max		= 64
emailAddress_default		= $ENV::CERT_EMAIL

[ req_attributes ]
# Optional request attributes. This section is only reached through the
# "attributes" key in [ req ], which is commented out, so it is
# currently inactive. The challenge password is a legacy PKCS#10
# attribute and is not used for anything by this CA setup.
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

[ x509v3_extensions ]
# Legacy Netscape extensions. Nothing else in this file refers to this
# section by name, so it is only used if a caller selects it explicitly.
# NOTE(review): both values are placeholders; if this section were
# ever selected, the loopback CRL URL and the dummy comment would be
# embedded verbatim in the issued certificate.
nsCaRevocationUrl		= http://127.0.0.1/ca-crl.pem
nsComment			= "This is a comment"

# under ASN.1, the 0 bit would be encoded as 80
# 0x40 corresponds to the Netscape "SSL server" bit.
nsCertType			= 0x40

[x509v3_CA]
# Extension profile for the CA certificate itself.
# Marked critical so a verifier that does not understand
# basicConstraints rejects the certificate rather than ignoring the
# CA flag; pathlen caps the number of intermediate CAs beneath it
# (CERTPATHLEN, default 1 at the top of this file).
basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
# Must include keyCertSign (and cRLSign if this CA issues CRLs);
# the CERTUSAGE default at the top of this file does.
keyUsage=$ENV::CERTUSAGE

[x509v3_IPAddr]
# Extension profile for a host certificate identified by an IP address
# (selected through REQ_EXT or -extensions by the caller).
# NOTE(review): this end-entity profile sets no basicConstraints and
# reuses CERTUSAGE, whose top-of-file default includes keyCertSign.
# Unless the caller exports a host-specific CERTUSAGE, a host
# certificate could be accepted as a CA by lenient verifiers — confirm
# against the caller, and consider adding
# basicConstraints=critical,CA:FALSE to this profile.
keyUsage=$ENV::CERTUSAGE
# Legacy Netscape cert type (NSCERTTYPE, default server,client).
nsCertType=$ENV::NSCERTTYPE
# Single IP-address SAN taken from CERTIP; the 0.0.0.0 fallback at the
# top of this file is a placeholder, not a usable identity.
subjectAltName=IP:$ENV::CERTIP
extendedKeyUsage=$ENV::EXTCERTUSAGE

[x509v3_FQDN]
# Extension profile for a host certificate identified by a DNS name
# (selected through REQ_EXT or -extensions by the caller).
# NOTE(review): like x509v3_IPAddr, this end-entity profile sets no
# basicConstraints and reuses CERTUSAGE, whose top-of-file default
# includes keyCertSign. Unless the caller exports a host-specific
# CERTUSAGE, a host certificate could be accepted as a CA by lenient
# verifiers — confirm against the caller, and consider adding
# basicConstraints=critical,CA:FALSE to this profile.
keyUsage=$ENV::CERTUSAGE
# Legacy Netscape cert type (NSCERTTYPE, default server,client).
nsCertType=$ENV::NSCERTTYPE
# Single DNS SAN taken from CERTFQDN; the nohost.nodomain fallback at
# the top of this file is a placeholder, not a usable identity.
subjectAltName=DNS:$ENV::CERTFQDN
extendedKeyUsage=$ENV::EXTCERTUSAGE

[ca]
# Entry point for openssl ca(1): names the section holding the CA's
# operational settings.
default_ca			= CA_default

[CA_sign_policy]
# Subject DN policy applied by openssl ca(1) when signing a request.
# "optional" fields are copied from the request if present; "supplied"
# fields must be present or the request is refused. No field uses
# "match", so the CA does not require the request's country or
# organisation to equal its own — acceptable for a private CA whose
# operator also generates the requests, but worth knowing.
countryName			= optional
stateOrProvinceName		= optional
localityName			= optional
organizationName		= optional
organizationalUnitName		= optional
commonName			= supplied
emailAddress			= optional

[CA_default]
# Operational settings for openssl ca(1). The CA certificate, private
# key and output directory are not configured here, so they are
# presumably passed on the command line by the caller.
# Index of issued certificates and the next serial number (CADB and
# CASERIAL default to index.txt and serial.txt at the top of this file).
database			= $ENV::CADB
serial				= $ENV::CASERIAL
# Signature digest for issued certificates and CRLs.
default_md			= sha256
# Certificate lifetime in days.
default_days			= 365
# CRL validity in days. NOTE(review): a one-year nextUpdate lets relying
# parties keep a cached CRL for up to a year, so a revocation may not be
# seen promptly unless a fresh CRL is distributed out of band.
default_crl_days		= 365
# Refuse to issue a second valid certificate with the same subject;
# renewing a host therefore requires revoking the old certificate first.
unique_subject			= yes
# Include emailAddress in the subject DN (CERT_EMAIL default above).
email_in_dn			= yes
policy				= CA_sign_policy
