v0.1

2 years ago · 404a9f0428
parent c75f9f8f37
commit 404a9f0428
6 changed files with 149 additions and 0 deletions
--- a/ca1/index.txt
+++ b/ca1/index.txt
--- a/ca1/openssl.conf
+++ b/ca1/openssl.conf
@ -0,0 +1,84 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir               = /mnt/d/cert/ca1 # папка промежуточного цс
+certs             = $dir/pub
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/priv/.rand
+
+private_key       = $dir/priv/ca1.key
+certificate       = $dir/pub/ca1.crt
+
+default_md        = sha256
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+unique_subject = no
+
+
+[ policy_loose ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+default_md          = sha256
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+organizationName                = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# значения по-умолчанию
+countryName_default             = RU
+stateOrProvinceName_default     = Russia
+localityName_default            = Russia
+organizationName_default        = MyHomeLab1
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName=${ENV::SAN}
--- a/ca1/serial
+++ b/ca1/serial
@ -0,0 +1 @@
+1000
--- a/ca_root/index.txt
+++ b/ca_root/index.txt
--- a/ca_root/openssl.conf
+++ b/ca_root/openssl.conf
@ -0,0 +1,63 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir               = /mnt/d/cert/ca_root #папка с нашим УЦ
+certs             = $dir/priv
+#crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/priv/.rand
+#подписывающие серты
+private_key       = $dir/priv/ca.key
+certificate       = $dir/pub/ca.crt
+default_md        = sha256
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+default_md          = sha256
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+organizationName                = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# дефолтные значения
+countryName_default             = RU
+stateOrProvinceName_default     = Russia
+localityName_default            = Russia
+organizationName_default       = MyHomeLab
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
--- a/ca_root/serial
+++ b/ca_root/serial
@ -0,0 +1 @@
+1000