summaryrefslogtreecommitdiff
path: root/main/openvpn/sample/sample-keys/openssl.cnf
diff options
context:
space:
mode:
authorArne Schwabe <arne@rfc2549.org>2014-11-25 23:19:29 +0100
committerArne Schwabe <arne@rfc2549.org>2014-11-25 23:19:29 +0100
commitd02a647cda48441ab0f6f1c5d00d5b3fdb74b691 (patch)
tree6ab7e280385da7b9d7bb8fc720282ceeb15f8d23 /main/openvpn/sample/sample-keys/openssl.cnf
parentbd7c4e1bfec496255522b38c490d795badcf954f (diff)
Update OpenVPN to -master
--HG-- extra : rebase_source : cc844ae1a812fce0244f7e381fcee8c2db7e8bc2
Diffstat (limited to 'main/openvpn/sample/sample-keys/openssl.cnf')
-rw-r--r--main/openvpn/sample/sample-keys/openssl.cnf139
1 files changed, 139 insertions, 0 deletions
diff --git a/main/openvpn/sample/sample-keys/openssl.cnf b/main/openvpn/sample/sample-keys/openssl.cnf
new file mode 100644
index 00000000..aabfd48f
--- /dev/null
+++ b/main/openvpn/sample/sample-keys/openssl.cnf
@@ -0,0 +1,139 @@
+# Heavily borrowed from EasyRSA 3, for use with OpenSSL 1.0.*
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = sample-ca # Where everything is kept
+certs = $dir # Where the issued certs are kept
+crl_dir = $dir # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir # default place for new certs.
+
+certificate = $dir/ca.crt # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/ca.key # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = basic_exts # The extentions to add to the cert
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions = crl_ext
+
+default_days = 3650 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+default_md = sha256
+distinguished_name = cn_only
+x509_extensions = easyrsa_ca # The extentions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = changeme
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName = Country Name (2 letter code)
+countryName_default = KG
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = NA
+
+localityName = Locality Name (eg, city)
+localityName_default = BISHKEK
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = OpenVPN-TEST
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default =
+
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default =
+
+emailAddress = Email Address
+emailAddress_default = me@myhost.mydomain
+emailAddress_max = 64
+
+####################################################################
+
+[ basic_exts ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+
+# Server extensions.
+[ server ]
+
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = serverAuth
+keyUsage = digitalSignature, keyEncipherment