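├── scripts
    ├── cleanup
    ├── build_collection
    ├── createCA
    ├── newcert
    └── uCA-utils.sh
├── README.md
├── LICENSE
└── openssl.cnf.template
/scripts/cleanup:
--------------------------------------------------------------------------------
#!/bin/bash
# cleanup: remove everything the CA generated (keys, certs, CSRs, index and
# serial files) so that createCA or build_collection can start from scratch.
# The CA directory is the parent of the directory this script lives in.
set -e

#######################################
# Resolve a path to its canonical absolute form, following symlinks.
# OS X doesn't ship with GNU readlink.
# Adapted from martialboniou: https://gist.github.com/martialboniou/1594712
# Arguments: $1 - path to resolve
# Outputs:   the resolved absolute path on stdout (an empty line on failure)
# Returns:   0 on success, 1 when the parent directory does not exist
# Note:      changes the working directory, so call it inside $(...).
#######################################
function canonical_readlink () {
  local target=$1
  local dir
  dir=$(dirname "${target}")
  if ! cd "${dir}" 2>/dev/null; then
    echo 1>&2 "No such directory ${dir}"
    echo ""
    return 1
  fi
  local name
  name=$(basename "${target}")
  if [ -h "${name}" ]; then
    # A relative link target is resolved against the directory we just entered.
    canonical_readlink "$(readlink "${name}")"
  else
    echo "$(pwd -P)/${name}"
  fi
}

scriptdir=$(dirname "$(canonical_readlink "$0")")
cadir=$(dirname "${scriptdir}")

. "${scriptdir}/uCA-utils.sh"

pushd "${cadir}" >/dev/null
destroy_file_structure
popd >/dev/null

--------------------------------------------------------------------------------
/scripts/build_collection:
--------------------------------------------------------------------------------
#!/bin/bash
# build_collection: build a fresh CA and then a key + signed cert for every
# name given on the command line, all in one go.
# Usage: build_collection name [name ...]
# The CA directory is the parent of the directory this script lives in.
set -e

#######################################
# Resolve a path to its canonical absolute form, following symlinks.
# OS X doesn't ship with GNU readlink.
# Adapted from martialboniou: https://gist.github.com/martialboniou/1594712
# Arguments: $1 - path to resolve
# Outputs:   the resolved absolute path on stdout (an empty line on failure)
# Returns:   0 on success, 1 when the parent directory does not exist
# Note:      changes the working directory, so call it inside $(...).
#######################################
function canonical_readlink () {
  local target=$1
  local dir
  dir=$(dirname "${target}")
  if ! cd "${dir}" 2>/dev/null; then
    echo 1>&2 "No such directory ${dir}"
    echo ""
    return 1
  fi
  local name
  name=$(basename "${target}")
  if [ -h "${name}" ]; then
    # A relative link target is resolved against the directory we just entered.
    canonical_readlink "$(readlink "${name}")"
  else
    echo "$(pwd -P)/${name}"
  fi
}

scriptdir=$(dirname "$(canonical_readlink "$0")")
cadir=$(dirname "${scriptdir}")

. "${scriptdir}/uCA-utils.sh"

init_globals
pushd "${cadir}" >/dev/null
make_file_structure
generate_CA
if [ -z "${CA_PASSPHRASE:-}" ]; then
  # init_globals picked a random passphrase and nothing below stores it, so
  # the CA built here cannot be reused by newcert. createCA keeps one around.
  echo 1>&2 "Note: CA passphrase was generated randomly and is not saved; use createCA for a reusable CA."
fi
# "both" makes every cert usable as TLS client and server; change it here if
# you want server- or client-only certs from a bulk build.
for name in "$@"; do
  make_cert "${name}" both
done
popd > /dev/null

--------------------------------------------------------------------------------
/scripts/createCA:
--------------------------------------------------------------------------------
#!/bin/bash
# createCA: build a fresh CA and store its key passphrase (0400, inside the
# 0700 private/ directory) so that newcert can sign with it later.
# Set CA_PASSPHRASE in the environment to choose the passphrase; otherwise a
# random one is generated.
# The CA directory is the parent of the directory this script lives in.
set -e

#######################################
# Resolve a path to its canonical absolute form, following symlinks.
# OS X doesn't ship with GNU readlink.
# Adapted from martialboniou: https://gist.github.com/martialboniou/1594712
# Arguments: $1 - path to resolve
# Outputs:   the resolved absolute path on stdout (an empty line on failure)
# Returns:   0 on success, 1 when the parent directory does not exist
# Note:      changes the working directory, so call it inside $(...).
#######################################
function canonical_readlink () {
  local target=$1
  local dir
  dir=$(dirname "${target}")
  if ! cd "${dir}" 2>/dev/null; then
    echo 1>&2 "No such directory ${dir}"
    echo ""
    return 1
  fi
  local name
  name=$(basename "${target}")
  if [ -h "${name}" ]; then
    # A relative link target is resolved against the directory we just entered.
    canonical_readlink "$(readlink "${name}")"
  else
    echo "$(pwd -P)/${name}"
  fi
}

scriptdir=$(dirname "$(canonical_readlink "$0")")
cadir=$(dirname "${scriptdir}")

. "${scriptdir}/uCA-utils.sh"

init_globals
pushd "${cadir}" >/dev/null
make_file_structure
generate_CA
# Create the passphrase file empty and locked down before the secret lands in
# it; printf (not echo) so a passphrase such as "-n" or one containing spaces
# is written verbatim.
ppf="${cadir}/private/cakey.passphrase"
touch "${ppf}"
chmod 0600 "${ppf}"
printf '%s\n' "${pp}" > "${ppf}"
chmod 0400 "${ppf}"
popd > /dev/null

--------------------------------------------------------------------------------
/scripts/newcert:
--------------------------------------------------------------------------------
#!/bin/bash
# newcert: create a key, CSR and signed certificate for one name, using the CA
# and stored passphrase that createCA produced.
# Usage: newcert name [ server | client | both ]   (server is the default)
# The CA directory is the parent of the directory this script lives in.
set -e

#######################################
# Resolve a path to its canonical absolute form, following symlinks.
# OS X doesn't ship with GNU readlink.
# Adapted from martialboniou: https://gist.github.com/martialboniou/1594712
# Arguments: $1 - path to resolve
# Outputs:   the resolved absolute path on stdout (an empty line on failure)
# Returns:   0 on success, 1 when the parent directory does not exist
# Note:      changes the working directory, so call it inside $(...).
#######################################
function canonical_readlink () {
  local target=$1
  local dir
  dir=$(dirname "${target}")
  if ! cd "${dir}" 2>/dev/null; then
    echo 1>&2 "No such directory ${dir}"
    echo ""
    return 1
  fi
  local name
  name=$(basename "${target}")
  if [ -h "${name}" ]; then
    # A relative link target is resolved against the directory we just entered.
    canonical_readlink "$(readlink "${name}")"
  else
    echo "$(pwd -P)/${name}"
  fi
}

#######################################
# Print the usage line to stderr and exit.
#######################################
function usage () {
  echo 1>&2 "Usage: ${0##*/} name [ server | client | both ]   (server is the default)"
  exit 1
}

scriptdir=$(dirname "$(canonical_readlink "$0")")
cadir=$(dirname "${scriptdir}")

. "${scriptdir}/uCA-utils.sh"

if [ $# -lt 1 ] || [ $# -gt 2 ]; then
  usage
fi

ppf="${cadir}/private/cakey.passphrase"
if [ ! -f "${ppf}" ] || [ ! -r "${ppf}" ]; then
  echo 1>&2 "No CA passphrase in ${ppf}!"
  exit 2
fi
# init_globals honours CA_PASSPHRASE, so hand it the stored passphrase that way.
CA_PASSPHRASE=$(<"${ppf}")

init_globals
pushd "${cadir}" >/dev/null
# An omitted usage type falls through to the server extensions in sign_csr.
make_cert "$1" "${2:-server}"
popd > /dev/null

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# uCA
uCA is a micro-CA that uses OpenSSL to allow you to easily create signed certificates with multiple SubjectAltNames

## tl;dr

Teeny tiny CA that lets you do algorithmically-determined SubjectAltNames, and which runs just fine on CoreOS, in case, I dunno, you need some way for a bunch of Docker containers to talk securely to each other.

## Why

Have you ever tried to sign certificates with SubjectAltNames using OpenSSL's CA? It's a gigantic pain.

All I wanted to do was create my own little internal PKI, so my apps could do mutual-auth SSL with each other.
They needed to trust one another but not necessarily anything else.
However, to make things easy to scale, I wanted to make it so that I could have, for instance, rmq1, rmq2, and rmq3, and all of those would present a cert that *also* said the host was rmq.
Then I could just use haproxy or something in TCP mode and forward connections to whichever backend I chose, hit it as "rmq", and have everything work nicely.

Shoulda been easy.

Wasn't.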

Almost all of the extant OpenSSL documentation that talks about how to do SANs assumes you don't mind editing openssl.cnf in between every single time you generate a certificate.
Sure, I could have automated that too with some template markers and a loop around it, but that felt really gross.

### Why not ditch OpenSSL?

Everything else is even worse.

The small things, like xCA, either don't do SANs at all, or they require some stupid interactive X client to work, or both. I wanted something I could trivially script.

Dogtag is cool, but it proved to be too hard for me to separate from the rest of the Fedora machinery, and I don't want Fedora.

EJBCA and OpenCA are way, *way*, **way** too big and complex and featureful for what I wanted to do.

CoreOS already has OpenSSL and bash on it. This, therefore, runs fine on CoreOS, which is where I happen to be doing most of my Docker deployment.

## What

So I dug through a whole bunch of conflicting web pages, and played with how OpenSSL interacts with the environment, and eventually I came up with a set of recipes that use a grotesque and finicky dance between openssl.cnf and its environment to let you programmatically generate SANs for your certs and sign 'em.
Then you can use them as client certificates and have everything work more-or-less cheerfully.

And now, by using uCA, *you* don't have to bang *your* head on those particular bricks anymore!

## How

First thing, copy openssl.cnf.template to openssl.cnf, and edit the organization stuff (lines 133-160) to reflect your use case. Unless, of course, you do want to be the Garden Weasel Attack Squad from Cuba, Missouri.

Next, start running the things in scripts.

* If you want to build a CA and keep it around for a while, use createCA.
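If you want a particular passphrase, stick it in CA_PASSPHRASE in the environment; if you don't a random passphrase will be generated.
* Then run newcert name [ **server** | client | both ] # (server is the default)
* If on the other hand you want to do all your certs at once, use build_collection and feed it a list of cert names. You may want to change "both" (for the cert usage) in that script.
* Currently, SAN generation is controlled in the function build_subj_and_san in uCA-utils.sh ; edit this to change the rules I'm using (which are to make anything with trailing digits also accept the same name with no digits). This function is likely to get broken out into its own file soon.

## Bene/valediction
I hope you find uCA as useful as I have!

Adam

--------------------------------------------------------------------------------
/scripts/uCA-utils.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Bash makes echo's behavior the same on OS X and Linux, while sh differs
#
# Shared helpers for the uCA scripts. Callers set ${cadir} (the CA root) and
# run init_globals before anything else. "openssl ca" resolves "dir = ." from
# openssl.cnf against the current directory, so the scripts pushd into
# ${cadir} before signing.

#######################################
# Populate the globals the other helpers rely on.
# Globals (read):    cadir, CA_PASSPHRASE (optional)
# Globals (written): pp (CA key passphrase), ocf (openssl.cnf path),
#                    cfg (legacy "-config <ocf>" string), cakey, cacert
# Exits with 2 when cadir is unset, openssl.cnf is missing, or no
# passphrase could be obtained.
#######################################
function init_globals () {
  if [ -z "${cadir}" ]; then
    echo 1>&2 "CA directory is not set! Cannot continue."
    exit 2
  fi
  ocf="${cadir}/openssl.cnf"
  if [ ! -r "${ocf}" ]; then
    echo 1>&2 "No OpenSSL config at ${ocf}! Copy openssl.cnf.template to openssl.cnf first."
    exit 2
  fi
  # Use the operator-supplied passphrase when present, otherwise make one.
  if [ -z "${CA_PASSPHRASE:-}" ]; then
    pp=$(openssl rand -hex 32)
  else
    pp="${CA_PASSPHRASE}"
  fi
  # An empty passphrase would silently leave the CA key unprotected.
  if [ -z "${pp}" ]; then
    echo 1>&2 "Could not obtain a CA passphrase! Cannot continue."
    exit 2
  fi
  cfg="-config ${ocf}"   # kept for anything that still expands ${cfg}
  cakey="${cadir}/private/ca.key"
  cacert="${cadir}/certs/ca.crt"
}

#######################################
# Create the empty CA directory layout inside ${cadir}, wiping any old one.
# Globals: cadir
# Returns: non-zero when ${cadir} cannot be entered
#######################################
function make_file_structure () {
  destroy_file_structure || return 1
  pushd "${cadir}" >/dev/null || return 1
  mkdir certs crl csrs newcerts private
  chmod 0700 private
  touch index.txt crlnumber
  echo 1000 > serial
  popd >/dev/null
}

#######################################
# Remove every generated file and directory from ${cadir}.
# Globals: cadir
# Returns: non-zero when ${cadir} is unset or cannot be entered
#######################################
function destroy_file_structure () {
  # The rm below uses relative names, so never run it unless we are really
  # inside the CA directory; a failed pushd would otherwise wipe the caller's
  # working directory instead.
  if [ -z "${cadir}" ]; then
    echo 1>&2 "CA directory is not set! Cannot continue."
    return 1
  fi
  pushd "${cadir}" >/dev/null || return 1
  rm -rf certs crl crl.pem csrs newcerts private index.txt crlnumber \
    index.txt.attr index.txt.attr.old serial serial.old index.txt.old \
    2>/dev/null
  popd >/dev/null
}

#######################################
# Generate the passphrase-protected CA key and its self-signed certificate.
# Globals: pp, ocf, cakey, cacert
# Returns: non-zero when openssl fails
#######################################
function generate_CA () {
  # Create the key file empty and locked down before key material lands in it.
  touch "${cakey}"
  chmod 0600 "${cakey}"
  # The passphrase is passed through the environment of the single openssl
  # invocation (never on its command line), so it is not visible in ps.
  PP="${pp}" openssl genrsa -aes256 -out "${cakey}" -passout env:PP 4096 || return 1
  chmod 0400 "${cakey}"
  touch "${cacert}"
  chmod 0644 "${cacert}"
  PP="${pp}" openssl req -config "${ocf}" -new -x509 -days 1825 -key "${cakey}" \
    -sha256 -extensions v3_ca -out "${cacert}" -passin env:PP -batch || return 1
  chmod 0444 "${cacert}"
}

#######################################
# Create a key, CSR and signed certificate for one name.
# Arguments: $1 - common name (also used as the file name stem)
#            $2 - usage type: client, both, or anything else for server
# Returns:   non-zero on a bad name or when any step fails
#######################################
function make_cert () {
  local cn=$1
  local ctype=$2
  # The name becomes a file name under private/, csrs/ and certs/; reject
  # anything empty or able to escape those directories.
  case "${cn}" in
    ''|.|..|*/*)
      echo 1>&2 "Refusing to make a certificate for name '${cn}'"
      return 1
      ;;
  esac
  create_key "${cn}" || return 1
  create_csr "${cn}" || return 1
  sign_csr "${cn}" "${ctype}"
}

#######################################
# Generate an unencrypted 4096-bit RSA key in private/<cn>.key (mode 0400).
# Arguments: $1 - common name
# Globals:   cadir
#######################################
function create_key () {
  local cn=$1
  local f="${cadir}/private/${cn}.key"
  touch "${f}"
  chmod 0600 "${f}"
  openssl genrsa -out "${f}" 4096 || return 1
  chmod 0400 "${f}"
}

#######################################
# Build csrs/<cn>.csr with the subject and SAN list for the name.
# Arguments: $1 - common name
# Globals:   cadir, ocf; subj and san are set by build_subj_and_san
# Returns:   non-zero when openssl fails
#######################################
function create_csr () {
  local cn=$1
  local key="${cadir}/private/${cn}.key"
  local csr="${cadir}/csrs/${cn}.csr"
  subj=""
  san=""
  build_subj_and_san "${cn}"
  touch "${csr}"
  chmod 0644 "${csr}"
  # The SAN list always carries the CN itself: TLS clients match host names
  # against subjectAltName, not the CN field. The digit-stripped alias from
  # build_subj_and_san is appended when it is a different, non-empty name.
  local sanlist="DNS:${cn}"
  if [ -n "${san}" ] && [ "${san}" != "${cn}" ]; then
    sanlist="${sanlist},DNS:${san}"
  fi
  # openssl.cnf reads ${ENV::SAN} for the v3_req subjectAltName extension.
  SAN="${sanlist}" openssl req -config "${ocf}" -new -key "${key}" -out "${csr}" \
    -subj "${subj}" -passin pass: -batch || return 1
  chmod 0444 "${csr}"
}

#######################################
# Set the globals subj (DN string from the *_default values in openssl.cnf)
# and san (alias name) for a common name.
# Arguments: $1 - common name
# Globals:   writes subj, san
# The alias rule: a name with trailing digits (rmq1, rmq2, ...) also answers
# to the bare name (rmq); a name without trailing digits aliases to itself.
#######################################
function build_subj_and_san () {
  local CN=$1
  local C ST L O OU
  C=$(read_config "countryName_default")
  ST=$(read_config "stateOrProvinceName_default")
  L=$(read_config "localityName_default")
  O=$(read_config "0.organizationName_default")
  OU=$(read_config "organizationalUnitName_default")
  subj="/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN}"
  # Strip the whole run of trailing digits, not just the last one.
  san=$(printf '%s\n' "${CN}" | sed -e 's/[[:digit:]]*$//')
}

#######################################
# Look up "key = value" in openssl.cnf and print the trimmed value.
# Arguments: $1 - key, matched literally and whole at the start of a line
# Globals:   ocf
# Outputs:   the value on stdout (empty when the key is absent)
#######################################
function read_config () {
  local key=$1
  local line value=""
  while IFS= read -r line; do
    # Quoted parts of the pattern are literal, so a '.' in the key is a dot.
    if [[ "${line}" =~ ^[[:space:]]*"${key}"[[:space:]]*=(.*)$ ]]; then
      value=${BASH_REMATCH[1]}
      break
    fi
  done < "${ocf}"
  # Trim surrounding whitespace.
  value=${value#"${value%%[![:space:]]*}"}
  value=${value%"${value##*[![:space:]]}"}
  echo "${value}"
}

#######################################
# Sign csrs/<cn>.csr with the CA into certs/<cn>.crt (mode 0444).
# Arguments: $1 - common name
#            $2 - usage type: client -> usr_cert, both -> both_cert,
#                 anything else (including empty) -> srvr_cert
# Globals:   cadir, ocf, cakey, cacert, pp
# Returns:   non-zero when openssl fails
#######################################
function sign_csr () {
  local cn=$1
  local ctype=$2
  local ct
  case "${ctype}" in
    client ) ct="usr_cert" ;;
    both )   ct="both_cert" ;;
    * )      ct="srvr_cert" ;;
  esac

  local csr="${cadir}/csrs/${cn}.csr"
  local cert="${cadir}/certs/${cn}.crt"
  touch "${cert}"
  chmod 0644 "${cert}"
  # The CA passphrase is handed over via the environment (-passin env:PP).
  # Passing it as "-key <passphrase>" put it on the openssl command line,
  # where any local user could read it from the process list.
  PP="${pp}" openssl ca -config "${ocf}" -keyfile "${cakey}" -cert "${cacert}" \
    -extensions "${ct}" -notext -md sha256 -in "${csr}" -out "${cert}" \
    -passin env:PP -batch || return 1
  chmod 0444 "${cert}"
}

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.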
14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | 203 | -------------------------------------------------------------------------------- /openssl.cnf.template: -------------------------------------------------------------------------------- 1 | # 2 | # OpenSSL example configuration file. 3 | # This is mostly being used for generation of certificate requests. 4 | # 5 | 6 | # SAN must be defined here, so we throw it a dummy address 7 | SAN = "email:devnull@example.com" 8 | 9 | # This definition stops the following lines choking if HOME isn't 10 | # defined. 11 | HOME = . 12 | RANDFILE = $ENV::HOME/.rnd 13 | 14 | # Extra OBJECT IDENTIFIER info: 15 | #oid_file = $ENV::HOME/.oid 16 | oid_section = new_oids 17 | 18 | # To use this configuration file with the "-extfile" option of the 19 | # "openssl x509" utility, name here the section containing the 20 | # X.509v3 extensions to use: 21 | # extensions = 22 | # (Alternatively, use a configuration file that has only 23 | # X.509v3 extensions in its main [= default] section.) 24 | 25 | [ new_oids ] 26 | 27 | # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 
28 | # Add a simple OID like this: 29 | # testoid1=1.2.3.4 30 | # Or use config file substitution like this: 31 | # testoid2=${testoid1}.5.6 32 | 33 | # Policies used by the TSA examples. 34 | tsa_policy1 = 1.2.3.4.1 35 | tsa_policy2 = 1.2.3.4.5.6 36 | tsa_policy3 = 1.2.3.4.5.7 37 | 38 | #################################################################### 39 | [ ca ] 40 | default_ca = uCA 41 | 42 | #################################################################### 43 | [ uCA ] 44 | 45 | dir = . # Where everything is kept 46 | certs = $dir/certs # Where the issued certs are kept 47 | crl_dir = $dir/crl # Where the issued crl are kept 48 | database = $dir/index.txt # database index file. 49 | #unique_subject = no # Set to 'no' to allow creation of 50 | # several ctificates with same subject. 51 | new_certs_dir = $dir/newcerts # default place for new certs. 52 | 53 | certificate = $dir/ca.crt # The CA certificate 54 | serial = $dir/serial # The current serial number 55 | crlnumber = $dir/crlnumber # the current crl number 56 | # must be commented out to leave a V1 CRL 57 | crl = $dir/crl.pem # The current CRL 58 | private_key = $dir/private/ca.key # The private key 59 | RANDFILE = $dir/private/.rand # private random number file 60 | 61 | x509_extensions = both_cert # The extensions to add to the 62 | # cert. By default, we get a 63 | # cert usable for both client 64 | # and server usage. 65 | 66 | name_opt = ca_default # Subject Name options 67 | cert_opt = ca_default # Certificate field options 68 | 69 | # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 70 | # so this is commented out by default to leave a V1 CRL. 71 | # crlnumber must also be commented out to leave a V1 CRL. 
72 | # crl_extensions = crl_ext 73 | 74 | default_days = 420 # how long to certify for 75 | default_crl_days= 30 # how long before next CRL 76 | default_md = default # use public key default MD 77 | preserve = no # keep passed DN ordering 78 | 79 | # A few difference way of specifying how similar the request should look 80 | # For type CA, the listed attributes must be the same, and the optional 81 | # and supplied fields are just that :-) 82 | policy = policy_match 83 | 84 | # 85 | # You need this if you want your SAN copied into the resulting cert. 86 | # 87 | copy_extensions = copy 88 | 89 | # For the CA policy 90 | [ policy_match ] 91 | countryName = match 92 | stateOrProvinceName = match 93 | organizationName = match 94 | organizationalUnitName = optional 95 | commonName = supplied 96 | emailAddress = optional 97 | 98 | # For the 'anything' policy 99 | # At this point in time, you must list all acceptable 'object' 100 | # types. 101 | [ policy_anything ] 102 | countryName = optional 103 | stateOrProvinceName = optional 104 | localityName = optional 105 | organizationName = optional 106 | organizationalUnitName = optional 107 | commonName = supplied 108 | emailAddress = optional 109 | 110 | #################################################################### 111 | [ req ] 112 | default_bits = 4096 113 | default_keyfile = privkey.pem 114 | distinguished_name = req_distinguished_name 115 | attributes = req_attributes 116 | x509_extensions = v3_req # The extentions to add to the self signed cert 117 | 118 | # Passwords for private keys if not present they will be prompted for 119 | # input_password = secret 120 | # output_password = secret 121 | 122 | # This sets a mask for permitted string types. There are several options. 123 | # default: PrintableString, T61String, BMPString. 124 | # pkix : PrintableString, BMPString (PKIX recommendation before 2004) 125 | # utf8only: only UTF8Strings (PKIX recommendation after 2004). 
126 | # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 127 | # MASK:XXXX a literal mask value. 128 | # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 129 | string_mask = utf8only 130 | 131 | req_extensions = v3_req # The extensions to add to a certificate request 132 | 133 | # 134 | # THIS IS THE PART YOU REALLY REALLY WANT TO MODIFY SO IT'S YOUR 135 | # CERTIFICATE AND NOT THE EXAMPLE COMPANY'S 136 | # 137 | 138 | [ req_distinguished_name ] 139 | countryName = Country Name (2 letter code) 140 | countryName_default = US 141 | countryName_min = 2 142 | countryName_max = 2 143 | 144 | stateOrProvinceName = State or Province Name (full name) 145 | stateOrProvinceName_default = Missouri 146 | 147 | localityName = Locality Name (eg, city) 148 | localityName_default = Cuba 149 | 150 | 0.organizationName = Organization Name (eg, company) 151 | 0.organizationName_default = Garden Weasel Attack Squad 152 | 153 | organizationalUnitName = Organizational Unit Name (eg, section) 154 | organizationalUnitName_default = Steam-Powered Division 155 | 156 | commonName = Common Name (FQDN or name for personal cert) 157 | commonName_max = 64 158 | 159 | emailAddress = Email Address 160 | emailAddress_max = 64 161 | 162 | # SET-ex3 = SET extension number 3 163 | 164 | [ req_attributes ] 165 | challengePassword = A challenge password 166 | challengePassword_min = 4 167 | challengePassword_max = 20 168 | 169 | unstructuredName = An optional company name 170 | subjectAltName = Alternative certificate names 171 | 172 | [ srvr_cert ] 173 | 174 | # These extensions are added when 'ca' signs a request. 175 | 176 | # This goes against PKIX guidelines but some CAs do it and some software 177 | # requires this to avoid interpreting an end user certificate as a CA. 178 | 179 | basicConstraints=CA:FALSE 180 | 181 | # Here are some examples of the usage of nsCertType. 
If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
nsCertType = server

nsComment = "Autogenerated server certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
extendedKeyUsage = serverAuth

# Profile for client-only (user) certificates: not a CA, TLS client
# authentication only.
[ usr_cert ]

basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# NOTE(review): nsCertType is a legacy Netscape extension; keyUsage and
# extendedKeyUsage below are the values current validators act on.
nsCertType = client
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "Autogenerated client certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
extendedKeyUsage = clientAuth

# Profile for a combined client/server certificate. Unlike the two
# profiles above, no nsCertType is set here.
[ both_cert ]

basicConstraints=CA:FALSE
# This is for something (like the ibuiserver) that is both an SSL client
# and an SSL server
# NOTE(review): a key valid for both roles lets a leaked server key also
# authenticate as a client. Issue from usr_cert / server_cert separately
# where the deployment allows it.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "Autogenerated client/server certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
extendedKeyUsage = clientAuth,serverAuth

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This next bit is the magic. Having it defined at the top is also
# required magic. This was way harder to figure out than it needed
# to be.
# NOTE(review): the SAN list is copied verbatim from the SAN environment
# variable of the process running openssl; the config parser errors out
# if SAN is unset, and nothing here validates the names, so the caller is
# responsible for only supplying names it is entitled to issue. Whether
# request extensions survive into the signed certificate depends on the
# CA's copy_extensions setting, which is not visible in this part of the
# template -- confirm before relying on this SAN.
subjectAltName = ${ENV::SAN}

[ v3_ca ]

# Extensions for a typical CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
# NOTE(review): RFC 5280 section 4.2.1.9 requires basicConstraints to be
# marked critical in CA certificates; the non-critical form kept here is
# a compatibility trade-off, not the conforming setting.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# NOTE(review): the inherited comment above notwithstanding, keyUsage IS
# enabled in this template. Restricting the CA key to cRLSign/keyCertSign
# is the right choice for a CA that only signs certificates and CRLs.
keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

# I haven't tested any of the stuff below here. Straight out of the
# OpenSSL default config. -- AJT 20150116

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# NOTE(review): "policy:foo" is the OpenSSL sample placeholder and, per the
# note above, this section is untested. Replace the policy and verify the
# resulting certificate before issuing proxy certificates from it.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
# Time-stamping authority (openssl ts) configuration.
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
# NOTE(review): dir is relative, so every $dir path below (including the
# TSA private key) resolves against the working directory of the openssl
# process. Make it absolute, or ensure the TSA is only ever run from the
# intended directory.
dir = ./TSA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/ca.crt # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# Only sha256 is accepted; requests hashed with weaker digests are refused.
digests = sha256 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
