Correction : X.509 Key Usage.
[lhc/ateliers.git] / etc / openssl / www.rouepet.org / host.cfg
index b5b1175..b31eeb4 100644 (file)
@@ -1,51 +1,59 @@
-       HOME        = .
+       SERVICE     = www
        RANDFILE    = var/sec/x509/openssl.rand
        oid_section = extra_oids
 [ extra_oids ]
-       # Pour EVSSL
-       trustList       = 2.16.840.1.113730.1.900
-       telephoneNumber = 2.5.4.20
-       initials        = 2.5.4.43
-       logotype        = 1.3.6.1.5.5.7.1.12
+       # NOTE: pour une éventuelle validation étendue (Extended Validation (EV))
+       jurisdictionOfIncorporationLocalityName        = 1.3.6.1.4.1.311.60.2.1.1
+       jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
+       jurisdictionOfIncorporationCountryName         = 1.3.6.1.4.1.311.60.2.1.3
 [ req ]
        prompt             = no
        distinguished_name = distinguished_name
        string_mask        = pkix
+       #x509_extensions    = root_extensions
+       #req_extensions     = extension
+       #attributes         = req_attributes
 [ distinguished_name ]
-       commonName             = $ENV::x509_host
        countryName            = $ENV::x509_country
-       initials               = $ENV::x509_initials
-       0.organizationName     = $ENV::x509_organization
-       organizationalUnitName = Anti-autorité de certification primaire
-       postalCode             = $ENV::x509_postal_code
        stateOrProvinceName    = $ENV::x509_state_or_province
-       streetAddress          = $ENV::x509_street_address
-       telephoneNumber        = $ENV::x509_telephone_number
+       localityName           = $ENV::x509_state_or_province
+       0.organizationName     = $ENV::x509_organization
+       organizationalUnitName = Service Web
+       commonName             = $SERVICE.$ENV::x509_host
+       businessCategory                               = $ENV::x509_business_category
+       jurisdictionOfIncorporationLocalityName        = $ENV::x509_state_or_province
+       jurisdictionOfIncorporationStateOrProvinceName = $ENV::x509_state_or_province
+       jurisdictionOfIncorporationCountryName         = $ENV::x509_country
 [ extensions ]
-       basicConstraints       = critical,CA:TRUE,pathlen:1
-       keyUsage               = keyCertSign,cRLSign
-       subjectAltName         = email:contact@$ENV::x509_host
+       basicConstraints       = critical,CA:FALSE,pathlen:0
+       keyUsage               = keyEncipherment
+       subjectAltName         = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host,DNS:rouepet.heureux-cyclage.org
        subjectKeyIdentifier   = hash
        issuerAltName          = issuer:copy
        authorityKeyIdentifier = keyid:always,issuer:always
        authorityInfoAccess    = caIssuers;URI:http://www.$ENV::x509_host/x509/crt.pem
-       crlDistributionPoints  = URI:http://www.$ENV::x509_host/x509/crl.pem
-       #certificatePolicies    = @certificate_policies
-       #trustList              = ASN1:UTF8String:https://www.$ENV::x509_host/x509/trust.etl
-       #policyConstraints      =
-       #extendedKeyUsage       =
-       #inhibitAnyPolicy       =
-       #nameConstraints        =
-       #noCheck                =
+       crlDistributionPoints  = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
+       certificatePolicies    = @certificate_policies
 [ self_signed_extensions ]
-       basicConstraints       = critical,CA:TRUE,pathlen:1
-       keyUsage               = keyCertSign,cRLSign
-       subjectAltName         = email:contact@$ENV::x509_host
+       basicConstraints       = critical,CA:TRUE,pathlen:0
+       keyUsage               = keyCertSign,cRLSign,digitalSignature,keyEncipherment
+       subjectAltName         = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host,DNS:rouepet.heureux-cyclage.org
        subjectKeyIdentifier   = hash
        issuerAltName          = issuer:copy
        authorityKeyIdentifier = keyid:always,issuer:always
-       authorityInfoAccess    = caIssuers;URI:http://www.$ENV::x509_host/x509/crt.pem
-       crlDistributionPoints  = URI:http://www.$ENV::x509_host/x509/crl.pem
+       authorityInfoAccess    = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
+       crlDistributionPoints  = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
+[ user_extensions ]
+       basicConstraints       = critical,CA:FALSE,pathlen:0
+       keyUsage               = digitalSignature,keyEncipherment
+       subjectAltName         = email:$ENV::user@$ENV::x509_host
+       subjectKeyIdentifier   = hash
+       issuerAltName          = issuer:copy
+       authorityKeyIdentifier = keyid:always,issuer:always
+       authorityInfoAccess    = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
+[ certificate_policies ]
+       policyIdentifier = 1.2.250.1.42
+       CPS.1            = https://www.$ENV::x509_host/x509/cps
 [ ca ]
        private_key      = var/sec/x509/$ENV::x509/key.pem
        dir              = var/pub/x509/$ENV::x509
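Review bot: The server profile in `[ extensions ]` is set to `keyUsage = keyEncipherment` only, so a certificate issued from it cannot sign a TLS key exchange and strict clients will refuse it for (EC)DHE suites, and no extendedKeyUsage is set; `keyUsage = critical,digitalSignature,keyEncipherment` plus `extendedKeyUsage = serverAuth` would bring it in line with `[ user_extensions ]` and with RFC 5280 §4.2.1.3, which also recommends marking keyUsage critical. `basicConstraints = critical,CA:FALSE,pathlen:0` in both `[ extensions ]` and `[ user_extensions ]` pairs a pathLenConstraint with cA false, which RFC 5280 §4.2.1.9 does not allow and which OpenSSL's extension cache marks as invalid at verification time, so `,pathlen:0` should be dropped from both lines. In `[ distinguished_name ]`, `localityName` and `jurisdictionOfIncorporationLocalityName` are both fed from `$ENV::x509_state_or_province`, which looks like a copy of the line above rather than a locality variable — worth confirming against what the caller exports. The `authorityInfoAccess` URI in `[ extensions ]` still points at `/x509/crt.pem` while its own `crlDistributionPoints` and the other two sections use `/x509/$SERVICE/`; if the $SERVICE CA is the issuer of these certificates, caIssuers should point at `/x509/$SERVICE/crt.pem` as `[ user_extensions ]` already does.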