X-Git-Url: http://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=etc%2Fopenssl%2Fwww.rouepet.org%2Fhost.cfg;h=b31eeb4a51865542de35e6e1dddcf1dae0a7c7e5;hp=b5b11751de91e1b2277ffdc9c4b57eba9588107e;hb=a31174bc0d3a7aafb7c0f71b200a97437fbddae3;hpb=c38e6b3f45945499195ffaa672989cbdc8780006
diff --git a/etc/openssl/www.rouepet.org/host.cfg b/etc/openssl/www.rouepet.org/host.cfg
index b5b1175..b31eeb4 100644
--- a/etc/openssl/www.rouepet.org/host.cfg
+++ b/etc/openssl/www.rouepet.org/host.cfg
@@ -1,51 +1,59 @@
- HOME = .
+ SERVICE = www
  RANDFILE = var/sec/x509/openssl.rand
  oid_section = extra_oids
 [ extra_oids ]
- # Pour EVSSL
- trustList = 2.16.840.1.113730.1.900
- telephoneNumber = 2.5.4.20
- initials = 2.5.4.43
- logotype = 1.3.6.1.5.5.7.1.12
+ # NOTE: pour une éventuelle validation étendue (Extended Validation (EV))
+ jurisdictionOfIncorporationLocalityName = 1.3.6.1.4.1.311.60.2.1.1
+ jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
+ jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3
 [ req ]
  prompt = no
  distinguished_name = distinguished_name
  string_mask = pkix
+ #x509_extensions = root_extensions
+ #req_extensions = extension
+ #attributes = req_attributes
 [ distinguished_name ]
- commonName = $ENV::x509_host
  countryName = $ENV::x509_country
- initials = $ENV::x509_initials
- 0.organizationName = $ENV::x509_organization
- organizationalUnitName = Anti-autorité de certification primaire
- postalCode = $ENV::x509_postal_code
  stateOrProvinceName = $ENV::x509_state_or_province
- streetAddress = $ENV::x509_street_address
- telephoneNumber = $ENV::x509_telephone_number
+ localityName = $ENV::x509_state_or_province
+ 0.organizationName = $ENV::x509_organization
+ organizationalUnitName = Service Web
+ commonName = $SERVICE.$ENV::x509_host
+ businessCategory = $ENV::x509_business_category
+ jurisdictionOfIncorporationLocalityName = $ENV::x509_state_or_province
+ jurisdictionOfIncorporationStateOrProvinceName = $ENV::x509_state_or_province
+ jurisdictionOfIncorporationCountryName = $ENV::x509_country
 [ extensions ]
- basicConstraints = critical,CA:TRUE,pathlen:1
- keyUsage = keyCertSign,cRLSign
- subjectAltName = email:contact@$ENV::x509_host
+ basicConstraints = critical,CA:FALSE,pathlen:0
+ keyUsage = keyEncipherment
+ subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host,DNS:rouepet.heureux-cyclage.org
  subjectKeyIdentifier = hash
  issuerAltName = issuer:copy
  authorityKeyIdentifier = keyid:always,issuer:always
  authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/crt.pem
- crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/crl.pem
- #certificatePolicies = @certificate_policies
- #trustList = ASN1:UTF8String:https://www.$ENV::x509_host/x509/trust.etl
- #policyConstraints =
- #extendedKeyUsage =
- #inhibitAnyPolicy =
- #nameConstraints =
- #noCheck =
+ crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
+ certificatePolicies = @certificate_policies
 [ self_signed_extensions ]
- basicConstraints = critical,CA:TRUE,pathlen:1
- keyUsage = keyCertSign,cRLSign
- subjectAltName = email:contact@$ENV::x509_host
+ basicConstraints = critical,CA:TRUE,pathlen:0
+ keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
+ subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host,DNS:rouepet.heureux-cyclage.org
  subjectKeyIdentifier = hash
  issuerAltName = issuer:copy
  authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/crt.pem
- crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/crl.pem
+ authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
+ crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
+[ user_extensions ]
+ basicConstraints = critical,CA:FALSE,pathlen:0
+ keyUsage = digitalSignature,keyEncipherment
+ subjectAltName = email:$ENV::user@$ENV::x509_host
+ subjectKeyIdentifier = hash
+ issuerAltName = issuer:copy
+ authorityKeyIdentifier = keyid:always,issuer:always
+ authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
+[ certificate_policies ]
+ policyIdentifier = 1.2.250.1.42
+ CPS.1 = https://www.$ENV::x509_host/x509/cps
 [ ca ]
  private_key = var/sec/x509/$ENV::x509/key.pem
  dir = var/pub/x509/$ENV::x509
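Review bot: In the new `[ extensions ]` profile the web-service certificate gets `keyUsage = keyEncipherment` only, which permits RSA key transport but not signing, so a server presenting it cannot complete an (EC)DHE handshake or TLS 1.3, where the server must sign and RFC 8446 requires the digitalSignature bit whenever a Key Usage extension is present; `keyUsage = digitalSignature,keyEncipherment` plus an explicit `extendedKeyUsage = serverAuth` (absent from all three profiles, and some clients refuse server certificates without it) would match the DNS names now placed in the SAN. The `pathlen:0` on `basicConstraints = critical,CA:FALSE` here and again in `[ user_extensions ]` has no meaning for a non-CA certificate (RFC 5280 §4.2.1.9 ties pathLenConstraint to cA TRUE) and may be rejected by strict validators, so `basicConstraints = critical,CA:FALSE` is the safer spelling. Separately, `[ self_signed_extensions ]` now combines keyCertSign with digitalSignature,keyEncipherment and carries the same DNS SANs, so the CA key would double as a service key; if that is intended it deserves a comment, otherwise the TLS usages belong only in `[ extensions ]`.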