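# $OpenBSD: ikeca.cnf,v 1.5 2012/10/25 12:35:55 reyk Exp $
#
# OpenSSL configuration used by ikectl(8) to build the iked(8) CA and the
# host certificates it issues.  Every $ENV::NAME reference below is resolved
# from the process environment; when a variable is not exported, OpenSSL
# falls back to the value given in this unnamed top-level section, so the
# values here are only defaults for the caller to override.

# Seed source for the random number generator.
# NOTE(review): LibreSSL ignores RANDFILE; presumably kept for OpenSSL
# compatibility - confirm before removing.
RANDFILE		= /dev/arandom

# Subject name defaults; ikectl(8) is expected to override these per
# invocation (CERT_CN is intentionally empty so no default common name
# ends up in a request).
CERT_C			= DE
CERT_ST			= Lower Saxony
CERT_L			= Hanover
CERT_O			= OpenBSD
CERT_OU			= iked
CERT_CN			=
CERT_EMAIL		= reyk@openbsd.org

# default settings
# Number of subordinate CAs permitted below this CA (basicConstraints pathlen).
CERTPATHLEN		= 1
# keyUsage for the CA certificate.  The leaf profiles [x509v3_IPAddr] and
# [x509v3_FQDN] reuse the same variable, so the caller must export an
# end-entity value (without keyCertSign,cRLSign) when issuing host
# certificates; otherwise a host certificate is also able to sign
# certificates and CRLs.
CERTUSAGE		= digitalSignature,keyCertSign,cRLSign
EXTCERTUSAGE		= serverAuth,clientAuth
# Placeholder subjectAltName values.  An issued certificate must never
# carry these; they only exist so the extension sections parse when the
# caller forgets to export CERTIP / CERTFQDN.
CERTIP			= 0.0.0.0
CERTFQDN		= nohost.nodomain
# openssl ca(1) index of issued certificates; presumably relative to the
# directory ikectl(8) runs openssl in - confirm.
CADB			= index.txt
# Legacy Netscape certificate type for host certificates.
NSCERTTYPE		= server,client

[ req ]
# RSA modulus size for newly generated keys.
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
#attributes		= req_attributes

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= $ENV::CERT_C
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= $ENV::CERT_ST

localityName			= Locality Name (eg, city)
localityName_default		= $ENV::CERT_L

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= $ENV::CERT_O

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= OpenBSD

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= $ENV::CERT_OU

commonName			= Common Name (eg, fully qualified host name)
commonName_max			= 64
commonName_default		= $ENV::CERT_CN

emailAddress			= Email Address
emailAddress_max		= 64
emailAddress_default		= $ENV::CERT_EMAIL

# Only used when "attributes = req_attributes" above is enabled.
[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

# Not referenced by any other section of this file.
# NOTE(review): check whether ikectl(8) selects it by name before relying
# on these values.
[ x509v3_extensions ]
nsCaRevocationUrl		= http://127.0.0.1/ca-crl.pem
nsComment			= "This is a comment"

# under ASN.1, the 0 bit would be encoded as 80
nsCertType			= 0x40

# CA certificate profile: critical basicConstraints with the path length
# from CERTPATHLEN.  No subjectKeyIdentifier/authorityKeyIdentifier is
# set, so issuer lookup during chain building falls back to matching the
# subject name alone.
[x509v3_CA]
basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
keyUsage=$ENV::CERTUSAGE

# End-entity profile for a host identified by its IP address.
[x509v3_IPAddr]
keyUsage=$ENV::CERTUSAGE
nsCertType=$ENV::NSCERTTYPE
subjectAltName=IP:$ENV::CERTIP
extendedKeyUsage=$ENV::EXTCERTUSAGE

# End-entity profile for a host identified by its DNS name.
[x509v3_FQDN]
keyUsage=$ENV::CERTUSAGE
nsCertType=$ENV::NSCERTTYPE
subjectAltName=DNS:$ENV::CERTFQDN
extendedKeyUsage=$ENV::EXTCERTUSAGE

[ca]
default_ca			= CA_default

[CA_default]
database			= $ENV::CADB
# Signature digest for issued certificates and CRLs.  SHA-1 signatures
# are widely rejected by current validators and are subject to
# chosen-prefix collision attacks, so SHA-256 is used instead.
default_md			= sha256
# CRL lifetime in days.  Relying parties that cache the CRL may keep
# treating a revoked certificate as valid until this period expires.
default_crl_days		= 365
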