Diffstat (limited to 'net/data/ssl/scripts/ca.cnf')
-rw-r--r--net/data/ssl/scripts/ca.cnf30
1 files changed, 27 insertions, 3 deletions
diff --git a/net/data/ssl/scripts/ca.cnf b/net/data/ssl/scripts/ca.cnf
index 8a1d1e7..1b78e01 100644
--- a/net/data/ssl/scripts/ca.cnf
+++ b/net/data/ssl/scripts/ca.cnf
@@ -1,7 +1,7 @@
# Defaults in the event they're not set in the environment
CA_DIR = out
KEY_SIZE = 2048
-ALGO = sha1
+ALGO = sha256
CERT_TYPE = root
CA_NAME = req_env_dn
@@ -24,7 +24,7 @@ private_key = $dir/$type.key
RANDFILE = $dir/.rand
default_days = 3650
default_crl_days = 30
-default_md = sha1
+default_md = sha256
policy = policy_anything
unique_subject = no
copy_extensions = copy
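Review bot: `default_md = sha256` on the changed line here, and the same change in the fourth hunk (`default_md = sha256` in the `[req]` section), hard-code the digest even though the top of the file now sets `ALGO = sha256` under "Defaults in the event they're not set in the environment" and the `[req]` section already reads `default_bits = $ENV::KEY_SIZE`. If ALGO is meant to be overridable the way KEY_SIZE is, `default_md = $ENV::ALGO` in both places would keep the file consistent and give one knob for the signing digest; if ALGO is only consumed by the driving scripts (not visible here), a comment next to it saying so would stop the next reader from assuming it governs these sections. Either way, the current state allows a silent mismatch where the environment names one digest and the CA signs with another.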
@@ -36,6 +36,30 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth
+[name_constraint_bad]
+# A leaf cert that will violate the root's imposed name constraints
+basicConstraints = critical, CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage = serverAuth,clientAuth
+subjectAltName = @san_name_constraint_bad
+
+[name_constraint_good]
+# A leaf cert that will match the root's imposed name constraints
+basicConstraints = critical, CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage = serverAuth,clientAuth
+subjectAltName = @san_name_constraint_good
+
+[san_name_constraint_bad]
+DNS.1 = test.ExAmPlE.CoM
+DNS.2 = test.ExAmPlE.OrG
+
+[san_name_constraint_good]
+DNS.1 = test.ExAmPlE.CoM
+DNS.2 = example.notarealtld
+
[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
basicConstraints = critical, CA:true
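Review bot: The `[san_name_constraint_bad]` and `[san_name_constraint_good]` sections don't record which side of the root's name constraint each entry is meant to fall on, and the constraint itself (the root's permitted/excluded subtrees) is outside this hunk, so a reader must cross-reference to understand the fixture. Both sections share `DNS.1 = test.ExAmPlE.CoM` and differ only in DNS.2, so the good/bad verdict presumably turns on whether `test.ExAmPlE.OrG` or `example.notarealtld` lies inside the permitted subtree; a one-line comment above each DNS.2 stating that would make the intent self-evident. The mixed-case spelling also looks deliberate — dNSName constraint matching is case-insensitive per RFC 5280 — but nothing says so; without a comment such as `# Mixed case is intentional: exercises case-insensitive dNSName matching`, a later cleanup could lower-case the names and silently drop that coverage.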
@@ -63,7 +87,7 @@ emailAddress = optional
# than the root CA, see README to find the appropriate configuration file
# (ie: openssl_cert.cnf).
default_bits = $ENV::KEY_SIZE
-default_md = sha1
+default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no