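# OpenSSL configuration for a per-service certificate authority.  It is read
# by the openssl tools (req / ca / x509 -extfile), not by a generic INI
# parser: values of the form $ENV::name are expanded from the environment at
# run time, and $SERVICE / $HOME / $dir refer to variables defined in this
# file.  Comments use `#` (the only comment character OpenSSL recognises).
#
# Environment variables this file expects to be set:
#   x509_country, x509_state_or_province, x509_organization, x509_host,
#   x509_business_category, USER
#
# The extension section to apply (service_extensions,
# service_self_signed_extensions or user_extensions) is not fixed here; it is
# presumably selected per invocation (-extensions / -extfile).

# Service name; used in the CN, the SAN entries and the on-disk paths.
SERVICE = www
# Root of the on-disk layout, relative to the working directory: var/sec
# holds private material, var/pub holds published certificates and CRLs.
HOME = .
RANDFILE = $HOME/var/sec/x509/openssl.rand
oid_section = extra_oids

[ extra_oids ]
# NOTE: for a possible Extended Validation (EV) certificate.  These are the
# jurisdictionOfIncorporation* attributes under the Microsoft OID arc,
# referenced from service_distinguished_name below.
jurisdictionOfIncorporationLocalityName = 1.3.6.1.4.1.311.60.2.1.1
jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3

[ req ]
# Non-interactive: the subject comes entirely from service_distinguished_name.
prompt = no
distinguished_name = service_distinguished_name
# Restrict DN string types to those allowed by RFC 5280.
string_mask = pkix
# Extension sections are deliberately not bound here (see file header).
# `root_extensions` is not defined in this file, and the request extension
# section below is spelled `service_extensions`.
#x509_extensions = root_extensions
#req_extensions = service_extensions
#attributes = req_attributes

[ service_distinguished_name ]
countryName = $ENV::x509_country
stateOrProvinceName = $ENV::x509_state_or_province
# NOTE(review): localityName reuses the state/province value (there is no
# x509_locality variable) — confirm this is intended.
localityName = $ENV::x509_state_or_province
0.organizationName = $ENV::x509_organization
organizationalUnitName = Service Web
commonName = $SERVICE.$ENV::x509_host
businessCategory = $ENV::x509_business_category
jurisdictionOfIncorporationLocalityName = $ENV::x509_state_or_province
jurisdictionOfIncorporationStateOrProvinceName = $ENV::x509_state_or_province
jurisdictionOfIncorporationCountryName = $ENV::x509_country

[ service_extensions ]
# Service certificate signed by a parent (root) CA.  One key serves two
# roles: a CA (keyCertSign/cRLSign, issuing the user certificates below) and
# a TLS end-entity key (digitalSignature/keyEncipherment with DNS SANs).
# pathlen:0 stops it from issuing further CAs.  Separate keys for the two
# roles would limit the impact of a compromise of the TLS endpoint.
# keyUsage is not marked critical here; RFC 5280 says it SHOULD be.
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host
subjectKeyIdentifier = hash
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
# caIssuers points at the parent's certificate (/tls/crt.pem), published over
# plain HTTP as is conventional for AIA/CRL fetches.
authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/tls/crt.pem
# NOTE(review): this URI is the same as the CRL that [service_ca] itself
# writes ($dir/crl.pem); for a parent-signed certificate the relevant CRL is
# the parent's — confirm the published path.
crlDistributionPoints = URI:http://www.$ENV::x509_host/tls/$SERVICE/crl.pem
certificatePolicies = @service_certificate_policies

[ service_self_signed_extensions ]
# Same as service_extensions, for a self-signed service certificate: the
# caIssuers URI points at the service's own certificate and no
# certificatePolicies is asserted.
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host
subjectKeyIdentifier = hash
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/tls/$SERVICE/crt.pem
crlDistributionPoints = URI:http://www.$ENV::x509_host/tls/$SERVICE/crl.pem

[ user_extensions ]
# End-entity certificate for a user, issued by the service CA.
# No pathlen on a CA:FALSE constraint: RFC 5280 only permits
# pathLenConstraint when cA is TRUE, and OpenSSL's verifier can reject the
# certificate as carrying an invalid extension if it is present.
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = email:$ENV::USER@$ENV::x509_host
subjectKeyIdentifier = hash
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/tls/$SERVICE/crt.pem
# NOTE(review): no crlDistributionPoints although [service_ca] maintains a
# CRL ($dir/crl.pem); if it is published at
# http://www.$ENV::x509_host/tls/$SERVICE/crl.pem, adding that URI lets
# relying parties check user certificates for revocation.

[ service_certificate_policies ]
policyIdentifier = 1.2.250.1.42
CPS.1 = https://www.$ENV::x509_host/tls/cps

[ service_ca ]
# `openssl ca` state for certificates issued with the service key.
# Not set here — presumably supplied on the command line or elsewhere:
# certificate, serial, new_certs_dir, default_md, policy, default_days.
# The private key stays under var/sec; everything under $dir is published.
private_key = $HOME/var/sec/x509/service/$SERVICE/key.pem
dir = $HOME/var/pub/x509/service/$SERVICE
crl_dir = $dir
crlnumber = $dir/crl.num
crl = $dir/crl.pem
database = $dir/idx.txt

[ service_self_signed_ca ]
# Same key and directory as service_ca, but a separate CRL number, CRL and
# index so the self-signed and parent-signed lineages do not share state.
private_key = $HOME/var/sec/x509/service/$SERVICE/key.pem
dir = $HOME/var/pub/x509/service/$SERVICE
crl_dir = $dir
crlnumber = $dir/crl.self-signed.num
crl = $dir/crl.self-signed.pem
database = $dir/idx.self-signed.txt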