- HOME = .
+ SERVICE = www
RANDFILE = var/sec/x509/openssl.rand
oid_section = extra_oids
[ extra_oids ]
- # Pour EVSSL
- trustList = 2.16.840.1.113730.1.900
- telephoneNumber = 2.5.4.20
- initials = 2.5.4.43
- logotype = 1.3.6.1.5.5.7.1.12
+ # NOTE: pour une éventuelle validation étendue (Extended Validation (EV))
+ jurisdictionOfIncorporationLocalityName = 1.3.6.1.4.1.311.60.2.1.1
+ jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
+ jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3
[ req ]
prompt = no
distinguished_name = distinguished_name
string_mask = pkix
+ #x509_extensions = root_extensions
+ #req_extensions = extension
+ #attributes = req_attributes
[ distinguished_name ]
- commonName = $ENV::x509_host
countryName = $ENV::x509_country
- initials = $ENV::x509_initials
- 0.organizationName = $ENV::x509_organization
- organizationalUnitName = Anti-autorité de certification primaire
- postalCode = $ENV::x509_postal_code
stateOrProvinceName = $ENV::x509_state_or_province
- streetAddress = $ENV::x509_street_address
- telephoneNumber = $ENV::x509_telephone_number
+ localityName = $ENV::x509_state_or_province
+ 0.organizationName = $ENV::x509_organization
+ organizationalUnitName = Service Web
+ commonName = $SERVICE.$ENV::x509_host
+ businessCategory = $ENV::x509_business_category
+ jurisdictionOfIncorporationLocalityName = $ENV::x509_state_or_province
+ jurisdictionOfIncorporationStateOrProvinceName = $ENV::x509_state_or_province
+ jurisdictionOfIncorporationCountryName = $ENV::x509_country
[ extensions ]
- basicConstraints = critical,CA:TRUE,pathlen:1
- keyUsage = keyCertSign,cRLSign
- subjectAltName = email:contact@$ENV::x509_host
+ basicConstraints = critical,CA:FALSE,pathlen:0
+ keyUsage = keyEncipherment
+ subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host,DNS:rouepet.heureux-cyclage.org
subjectKeyIdentifier = hash
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/crt.pem
- crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/crl.pem
- #certificatePolicies = @certificate_policies
- #trustList = ASN1:UTF8String:https://www.$ENV::x509_host/x509/trust.etl
- #policyConstraints =
- #extendedKeyUsage =
- #inhibitAnyPolicy =
- #nameConstraints =
- #noCheck =
+ crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
+ certificatePolicies = @certificate_policies
[ self_signed_extensions ]
- basicConstraints = critical,CA:TRUE,pathlen:1
- keyUsage = keyCertSign,cRLSign
- subjectAltName = email:contact@$ENV::x509_host
+ basicConstraints = critical,CA:TRUE,pathlen:0
+ keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
+ subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host,DNS:rouepet.heureux-cyclage.org
subjectKeyIdentifier = hash
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
- authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/crt.pem
- crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/crl.pem
+ authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
+ crlDistributionPoints = URI:http://www.$ENV::x509_host/x509/$SERVICE/crl.pem
+[ user_extensions ]
+ basicConstraints = critical,CA:FALSE,pathlen:0
+ keyUsage = digitalSignature,keyEncipherment
+ subjectAltName = email:$ENV::user@$ENV::x509_host
+ subjectKeyIdentifier = hash
+ issuerAltName = issuer:copy
+ authorityKeyIdentifier = keyid:always,issuer:always
+ authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/x509/$SERVICE/crt.pem
+[ certificate_policies ]
+ policyIdentifier = 1.2.250.1.42
+ CPS.1 = https://www.$ENV::x509_host/x509/cps
[ ca ]
private_key = var/sec/x509/$ENV::x509/key.pem
dir = var/pub/x509/$ENV::x509