--- /dev/null
+ SERVICE = www
+ HOME = .
+ RANDFILE = var/sec/x509/openssl.rand
+ oid_section = extra_oids
+[ extra_oids ]
+ # NOTE: pour une éventuelle validation étendue (Extended Validation (EV))
+ jurisdictionOfIncorporationLocalityName = 1.3.6.1.4.1.311.60.2.1.1
+ jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
+ jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3
+[ req ]
+ prompt = no
+ distinguished_name = service_distinguished_name
+ string_mask = pkix
+ #x509_extensions = root_extensions
+ #req_extensions = service_extension
+ #attributes = req_attributes
+[ service_distinguished_name ]
+ countryName = $ENV::x509_country
+ stateOrProvinceName = $ENV::x509_state_or_province
+ localityName = $ENV::x509_state_or_province
+ 0.organizationName = $ENV::x509_organization
+ organizationalUnitName = Service Web
+ commonName = $SERVICE.$ENV::x509_host
+ businessCategory = $ENV::x509_business_category
+ jurisdictionOfIncorporationLocalityName = $ENV::x509_state_or_province
+ jurisdictionOfIncorporationStateOrProvinceName = $ENV::x509_state_or_province
+ jurisdictionOfIncorporationCountryName = $ENV::x509_country
+[ service_extensions ]
+ basicConstraints = critical,CA:TRUE,pathlen:0
+ keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
+ subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host
+ subjectKeyIdentifier = hash
+ issuerAltName = issuer:copy
+ authorityKeyIdentifier = keyid:always,issuer:always
+ authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/tls/crt.pem
+ crlDistributionPoints = URI:http://www.$ENV::x509_host/tls/$SERVICE/crl.pem
+ certificatePolicies = @service_certificate_policies
+[ service_self_signed_extensions ]
+ basicConstraints = critical,CA:TRUE,pathlen:0
+ keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment
+ subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:$ENV::x509_host
+ subjectKeyIdentifier = hash
+ issuerAltName = issuer:copy
+ authorityKeyIdentifier = keyid:always,issuer:always
+ authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/tls/$SERVICE/crt.pem
+ crlDistributionPoints = URI:http://www.$ENV::x509_host/tls/$SERVICE/crl.pem
+[ user_extensions ]
+ basicConstraints = critical,CA:FALSE,pathlen:0
+ keyUsage = digitalSignature,keyEncipherment
+ subjectAltName = email:$ENV::USER@$ENV::x509_host
+ subjectKeyIdentifier = hash
+ issuerAltName = issuer:copy
+ authorityKeyIdentifier = keyid:always,issuer:always
+ authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/tls/$SERVICE/crt.pem
+[ service_certificate_policies ]
+ policyIdentifier = 1.2.250.1.42
+ CPS.1 = https://www.$ENV::x509_host/tls/cps
+[ service_ca ]
+ private_key = $HOME/var/sec/x509/service/$SERVICE/key.pem
+ dir = $HOME/var/pub/x509/service/$SERVICE
+ crl_dir = $dir
+ crlnumber = $dir/crl.num
+ crl = $dir/crl.pem
+ database = $dir/idx.txt
+[ service_self_signed_ca ]
+ private_key = $HOME/var/sec/x509/service/$SERVICE/key.pem
+ dir = $HOME/var/pub/x509/service/$SERVICE
+ crl_dir = $dir
+ crlnumber = $dir/crl.self-signed.num
+ crl = $dir/crl.self-signed.pem
+ database = $dir/idx.self-signed.txt
dépôts / lhc / ateliers.git / blobdiff