+++ /dev/null
- SERVICE = www
- HOME = .
- RANDFILE = var/sec/x509/openssl.rand
- oid_section = extra_oids
-[ extra_oids ]
- # NOTE: pour une éventuelle validation étendue (Extended Validation (EV))
- jurisdictionOfIncorporationLocalityName = 1.3.6.1.4.1.311.60.2.1.1
- jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
- jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3
-[ req ]
- prompt = no
- distinguished_name = service_distinguished_name
- string_mask = pkix
- #x509_extensions = root_extensions
- #req_extensions = service_extension
- #attributes = req_attributes
-[ service_distinguished_name ]
- countryName = $ENV::x509_country
- stateOrProvinceName = $ENV::x509_state_or_province
- localityName = $ENV::x509_state_or_province
- 0.organizationName = $ENV::x509_organization
- organizationalUnitName = Service Web
- commonName = $SERVICE.$ENV::x509_host
- businessCategory = $ENV::x509_business_category
- jurisdictionOfIncorporationLocalityName = $ENV::x509_state_or_province
- jurisdictionOfIncorporationStateOrProvinceName = $ENV::x509_state_or_province
- jurisdictionOfIncorporationCountryName = $ENV::x509_country
-[ service_extensions ]
- basicConstraints = critical,CA:TRUE,pathlen:0
- keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
- subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host
- subjectKeyIdentifier = hash
- issuerAltName = issuer:copy
- authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/crt.pem
- crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
- certificatePolicies = @service_certificate_policies
-[ service_self_signed_extensions ]
- basicConstraints = critical,CA:TRUE,pathlen:0
- keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
- subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host
- subjectKeyIdentifier = hash
- issuerAltName = issuer:copy
- authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
- crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
-[ user_extensions ]
- basicConstraints = critical,CA:FALSE,pathlen:0
- keyUsage = digitalSignature,keyEncipherment
- subjectAltName = email:$ENV::USER@$ENV::x509_host
- subjectKeyIdentifier = hash
- issuerAltName = issuer:copy
- authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
-[ service_certificate_policies ]
- policyIdentifier = 1.2.250.1.42
- CPS.1 = https://www.$ENV::x509_host/x509/cps
-[ service_ca ]
- private_key = $HOME/var/sec/x509/service/$SERVICE/key.pem
- dir = $HOME/var/pub/x509/service/$SERVICE
- crl_dir = $dir
- crlnumber = $dir/crl.num
- crl = $dir/crl.pem
- database = $dir/idx.txt
-[ service_self_signed_ca ]
- private_key = $HOME/var/sec/x509/service/$SERVICE/key.pem
- dir = $HOME/var/pub/x509/service/$SERVICE
- crl_dir = $dir
- crlnumber = $dir/crl.self-signed.num
- crl = $dir/crl.self-signed.pem
- database = $dir/idx.self-signed.txt