Diffstat (limited to 'net/data/ssl/scripts/ca.cnf')
-rw-r--r-- | net/data/ssl/scripts/ca.cnf | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/net/data/ssl/scripts/ca.cnf b/net/data/ssl/scripts/ca.cnf
index 8a1d1e7..1b78e01 100644
--- a/net/data/ssl/scripts/ca.cnf
+++ b/net/data/ssl/scripts/ca.cnf
@@ -1,7 +1,7 @@
 # Defaults in the event they're not set in the environment
 CA_DIR = out
 KEY_SIZE = 2048
-ALGO = sha1
+ALGO = sha256
 CERT_TYPE = root
 CA_NAME = req_env_dn
@@ -24,7 +24,7 @@ private_key = $dir/$type.key
 RANDFILE = $dir/.rand
 default_days = 3650
 default_crl_days = 30
-default_md = sha1
+default_md = sha256
 policy = policy_anything
 unique_subject = no
 copy_extensions = copy
@@ -36,6 +36,30 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 extendedKeyUsage = serverAuth,clientAuth
+[name_constraint_bad]
+# A leaf cert that will violate the root's imposed name constraints
+basicConstraints = critical, CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage = serverAuth,clientAuth
+subjectAltName = @san_name_constraint_bad
+
+[name_constraint_good]
+# A leaf cert that will match the root's imposed name constraints
+basicConstraints = critical, CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage = serverAuth,clientAuth
+subjectAltName = @san_name_constraint_good
+
+[san_name_constraint_bad]
+DNS.1 = test.ExAmPlE.CoM
+DNS.2 = test.ExAmPlE.OrG
+
+[san_name_constraint_good]
+DNS.1 = test.ExAmPlE.CoM
+DNS.2 = example.notarealtld
+
 [ca_cert]
 # Extensions to add when signing a request for an intermediate/CA cert
 basicConstraints = critical, CA:true
@@ -63,7 +87,7 @@ emailAddress = optional
 # than the root CA, see README to find the appropriate configuration file
 # (ie: openssl_cert.cnf).
 default_bits = $ENV::KEY_SIZE
-default_md = sha1
+default_md = sha256
 string_mask = utf8only
 prompt = no
 encrypt_key = no |
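Review bot: The comments on the new `[name_constraint_bad]` and `[name_constraint_good]` sections in the third hunk do not say which SAN entry is expected to trip the constraint, nor where the root's nameConstraints are defined, and neither is visible in this hunk. Because `[san_name_constraint_good]` shares `DNS.1 = test.ExAmPlE.CoM` with the bad profile, the rejection presumably hinges on `DNS.2 = test.ExAmPlE.OrG` alone, and the mixed-case spelling looks deliberate to exercise case-insensitive dNSName matching; if so, both intents should be stated rather than left for the next maintainer to infer. Suggest replacing the bad-profile comment with `# Violates the root's nameConstraints (see the root CA config): DNS.2 lies outside the permitted subtree.` followed by `# Mixed case is deliberate: dNSName constraint matching must be case-insensitive.`, and giving the good profile a matching note that `example.notarealtld` is expected to fall inside (or not be excluded by) the same constraints. The `[ca_cert]` section that follows continues outside the hunk.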