+++ /dev/null
- SERVICE = git
- RANDFILE = var/sec/x509/openssl.rand
- oid_section = extra_oids
-[ extra_oids ]
- # NOTE: pour une éventuelle validation étendue (Extended Validation (EV))
- jurisdictionOfIncorporationLocalityName = 1.3.6.1.4.1.311.60.2.1.1
- jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
- jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3
-[ req ]
- prompt = no
- distinguished_name = distinguished_name
- string_mask = pkix
- #x509_extensions = root_extensions
- #req_extensions = extension
- #attributes = req_attributes
-[ distinguished_name ]
- countryName = $ENV::x509_country
- stateOrProvinceName = $ENV::x509_state_or_province
- localityName = $ENV::x509_state_or_province
- 0.organizationName = $ENV::x509_organization
- organizationalUnitName = Service Git
- commonName = $SERVICE.$ENV::x509_host
- businessCategory = $ENV::x509_business_category
- jurisdictionOfIncorporationLocalityName = $ENV::x509_state_or_province
- jurisdictionOfIncorporationStateOrProvinceName = $ENV::x509_state_or_province
- jurisdictionOfIncorporationCountryName = $ENV::x509_country
-[ extensions ]
- basicConstraints = critical,CA:TRUE,pathlen:0
- keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
- subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host
- subjectKeyIdentifier = hash
- issuerAltName = issuer:copy
- authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/crt.pem
- crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
- certificatePolicies = @certificate_policies
-[ self_signed_extensions ]
- basicConstraints = critical,CA:TRUE,pathlen:0
- keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
- subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host
- subjectKeyIdentifier = hash
- issuerAltName = issuer:copy
- authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
- crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
-[ user_extensions ]
- basicConstraints = critical,CA:FALSE,pathlen:0
- keyUsage = digitalSignature,keyEncipherment
- subjectAltName = email:$ENV::user@$ENV::x509_host
- subjectKeyIdentifier = hash
- issuerAltName = issuer:copy
- authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
-[ certificate_policies ]
- policyIdentifier = 1.2.250.1.42
- CPS.1 = https://www.$ENV::x509_host/x509/cps
-[ ca ]
- private_key = var/sec/x509/$ENV::x509/key.pem
- dir = var/pub/x509/$ENV::x509
- crl_dir = $dir
- crlnumber = $dir/crl.num
- crl = $dir/crl.pem
- database = $dir/idx.txt
-[ self_signed_ca ]
- private_key = var/sec/x509/$ENV::x509/key.pem
- dir = var/pub/x509/$ENV::x509
- crl_dir = $dir
- crlnumber = $dir/crl.self-signed.num
- crl = $dir/crl.self-signed.pem
- database = $dir/idx.self-signed.txt