Support SSL client authentication
[lgpl/argeo-commons.git] / demo / ssl / openssl.cnf
index 45cfea08cd46cf8d2cccf17df05b36b0cf9a3406..05bb6f77f6eee365410da003bb4da7274360079b 100644 (file)
@@ -17,18 +17,18 @@ x509_extensions     = usr_cert              # The extentions to add to the cert
 name_opt       = ca_default            # Subject Name options
 cert_opt       = ca_default            # Certificate field options
 crl_extensions = crl_ext
-default_days   = 3650                  # how long to certify for
+default_days   = 365                   # how long to certify for
 default_crl_days= 30                   # how long before next CRL
 default_md     = default               # use public key default MD
 preserve       = no                    # keep passed DN ordering
 policy         = policy_match
 
 [ policy_match ]
-countryName            = match
-stateOrProvinceName    = match
-organizationName       = match
+countryName            = optional
+stateOrProvinceName    = optional
+organizationName       = optional
 organizationalUnitName = optional
-commonName             = supplied
+commonName             = optional
 emailAddress           = optional
 
 [ policy_anything ]
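Review bot: With `commonName = optional` (and the same change to `[ policy_anything ]` in the next hunk), `openssl ca` will now sign a request whose subject carries no CN at all, and for client authentication the CN is usually the only subject field a server maps to an identity. Keeping `commonName = supplied` in `[ policy_match ]` still lets the C/ST/O requirements be relaxed while guaranteeing every issued certificate names its holder. Turning `match` into `optional` also leaves this policy with no practical difference from `policy_anything`; if that is intended, a one-line comment above the section, `# relaxed for the demo: issuer and subject DN need not agree`, would spare the next reader from wondering which policy to select.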
@@ -37,11 +37,11 @@ stateOrProvinceName = optional
 localityName           = optional
 organizationName       = optional
 organizationalUnitName = optional
-commonName             = supplied
+commonName             = optional
 emailAddress           = optional
 
 [ req ]
-default_bits           = 1024
+default_bits           = 4096
 default_md             = sha1
 default_keyfile        = privkey.pem
 distinguished_name     = req_distinguished_name
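Review bot: `default_bits` is raised to 4096 but the neighbouring `default_md = sha1` (a context line this commit leaves unchanged) still selects SHA-1 for the request signature and for any `req -x509` self-signed CA certificate built from this section, which modern TLS clients refuse. Changing it to `default_md = sha256` keeps the hardening consistent; the `[ ca ]` section already uses `default_md = default`, so certificates signed through `openssl ca` are likely unaffected. The `commonName = optional` line here shares the concern raised on the `[ policy_match ]` hunk above.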
@@ -49,8 +49,8 @@ attributes            = req_attributes
 x509_extensions        = v3_ca # The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
+input_password = demo
+output_password = demo
 
 string_mask = utf8only
 req_extensions = v3_req # The extensions to add to a certificate request
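Review bot: `input_password = demo` and `output_password = demo` place the private-key passphrase in a configuration file that is committed alongside the keys it protects, so the encryption on `privkey.pem` adds nothing for anyone who can read the repository, and the comment directly above them still claims the passwords will be prompted for, which is no longer true. If a fixed passphrase is acceptable for the demo, the comment should say so, e.g. `# DEMO ONLY: passphrase is public; real deployments omit these and use -passin/-passout or the prompt`. Otherwise keep the two lines commented out as before and supply the passphrase on the command line.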
@@ -59,7 +59,7 @@ req_extensions = v3_req # The extensions to add to a certificate request
 countryName                    = Country Name (2 letter code)
 countryName_min                        = 2
 countryName_max                        = 2
-stateOrProvinceName            = State or Province Name (full name)
+#stateOrProvinceName           = State or Province Name (full name)
 #localityName                  = Locality Name (eg, city)
 0.organizationName             = Organization Name (eg, company)
 organizationalUnitName         = Organizational Unit Name (eg, section)
@@ -73,10 +73,11 @@ emailAddress_max            = 64
 ## DEFAULT VALUES
 ##
 countryName_default            = DE
-stateOrProvinceName_default    = Berlin
+#stateOrProvinceName_default   = Berlin
 #localityName_default  = Berlin
 0.organizationName_default     = Example
-organizationalUnitName_default = People
+organizationalUnitName_default = Certificate Authorities
+commonName_default     = Intermediate CA
 
 [ req_attributes ]
 #challengePassword             = A challenge password
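Review bot: `commonName_default = Intermediate CA` lives in `[ req_distinguished_name ]`, which every `openssl req` invocation against this file uses, so a client-certificate request generated by accepting the defaults will be named "Intermediate CA" — and because this commit makes the CN optional in both policy sections, nothing on the CA side will reject it. Either leave the CN without a default, as it was, or record the intended use in a comment, `# defaults below suit the intermediate CA request; pass -subj or answer the prompt for client certs`. The new line's spacing (`commonName_default     =`) also breaks the column alignment the surrounding `_default` keys maintain.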
@@ -98,11 +99,15 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 [ v3_ca ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = critical,CA:true
-# keyUsage = cRLSign, keyCertSign
-
-subjectAltName=email:copy
-issuerAltName=issuer:copy
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 
 [ crl_ext ]
 issuerAltName=issuer:copy
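Review bot: The new `[ v3_intermediate_ca ]` section is not referenced anywhere in the visible diff — the `[ ca ]` header line still shows `x509_extensions = usr_cert` — so its `pathlen:0` constraint only applies when the operator passes `-extensions v3_intermediate_ca` to `openssl ca`; a comment on the section, `# select with: openssl ca -extensions v3_intermediate_ca ...`, would keep that from being silently skipped. Despite the commit title, nothing in this hunk adds a client-authentication extension such as `extendedKeyUsage = clientAuth`; the client certificate extension section is outside this hunk, so it may be handled there. As a point of style, `[ v3_ca ]` now mixes `subjectKeyIdentifier=hash` with the added `basicConstraints = critical, CA:true` spacing, while the new section consistently uses `key = value`.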