# OpenSSL configuration file for Hotspot 2.0 PKI (Root CA)
#
# Read by the openssl(1) tools (req / ca / x509 / ocsp). The comment
# character is '#'; OpenSSL also accepts it after a value on the same line.

# RANDFILE expands $ENV::HOME from the process environment. When HOME is not
# exported, OpenSSL's config parser falls back to the default-section value
# below (the usual openssl.cnf idiom), so the seed file lands in the current
# directory instead.
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]

# Logotype extension OID (RFC 3709); intentionally left disabled.
#logotypeoid=1.3.6.1.5.5.7.1.12
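####################################################################
[ ca ]
# The default ca section
default_ca = CA_default

####################################################################
[ CA_default ]

# Where everything is kept
dir = ./rootCA
# Where the issued certs are kept
certs = $dir/certs
# Where the issued crl are kept
crl_dir = $dir/crl
# database index file.
database = $dir/index.txt
# Set to 'no' to allow creation of several certificates with same subject
#unique_subject = no
# default place for new certs.
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# the current crl number; must be commented out to leave a V1 CRL
crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/crl.pem
# The private key. This is the root of trust for the whole Hotspot 2.0 PKI:
# keep $dir/private readable by the CA operator only.
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand

# Extension section used when 'openssl ca' is run without -extensions.
# NOTE(review): no [ usr_cert ] section is defined in this file as shown, so
# such an invocation fails at "Error Loading extension section" rather than
# issuing a certificate; every call must pass -extensions explicitly
# (e.g. v3_ca, v3_OCSP). Failing closed here is preferable to issuing an
# extension-less certificate.
x509_extensions = usr_cert

# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default

# how long to certify for
default_days = 365
# how long before next CRL
default_crl_days = 30
# Signature digest for certificates and CRLs issued by this CA. Pinned to
# SHA-256 instead of 'default', which resolves to the per-key default of
# whichever OpenSSL release runs the CA (SHA-1 on older releases).
default_md = sha256
# keep passed DN ordering
preserve = no

policy = policy_match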
45
# For the CA policy
[ policy_match ]
# Selected by 'policy = policy_match' in [ CA_default ]: countryName and
# organizationName must equal the CA certificate's own values, commonName
# must be present, the remaining fields are optional.
# NOTE(review): localityName is not listed here although
# [ req_distinguished_name ] prompts for one; 'openssl ca' drops DN fields
# that are absent from the policy (unless -preserveDN) - confirm that is
# intended.
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
# Permissive policy: only commonName is required. Not referenced by
# [ CA_default ]; it is available for 'openssl ca -policy policy_anything'.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
63
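####################################################################
[ req ]
# RSA modulus size for keys generated by 'openssl req'. 2048 bits is the
# floor; a long-lived root CA key may warrant 3072 or 4096 - policy choice.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca
# Signature digest for the self-signed root certificate and for CSRs,
# pinned so the result does not depend on the OpenSSL release's default.
default_md = sha256

# @PASSWORD@ looks like a template placeholder filled in when this file is
# instantiated (confirm against the setup script). The instantiated file then
# holds the root key passphrase in clear text: keep it out of version control
# and readable only by the CA operator.
input_password = @PASSWORD@
output_password = @PASSWORD@

# Encode DN strings as UTF8String only (no T61/BMP variants).
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2

localityName = Locality Name (eg, city)
localityName_default = Tuusula

0.organizationName = Organization Name (eg, company)
0.organizationName_default = WFA Hotspot 2.0

# Organizational unit is left disabled; the @OU@ marker below appears to be a
# template substitution point - confirm before editing.
##organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
#@OU@

commonName = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64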
99
[ req_attributes ]

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Placeholder host names: a CSR built with this section unchanged carries
# example.com SANs. Replace them with the real names before requesting a
# certificate.
subjectAltName = DNS:example.com,DNS:another.example.com
108
[ v3_ca ]

# Hotspot 2.0 PKI requirements
subjectKeyIdentifier = hash
# Critical, so a relying party that does not understand the extension rejects
# the certificate instead of ignoring the constraint. No pathlen is set; add
# one if the root should only ever sign a fixed depth of subordinate CAs.
basicConstraints = critical, CA:true
# The root key signs certificates and CRLs only - never TLS handshakes.
keyUsage = critical, cRLSign, keyCertSign
115
[ crl_ext ]

# CRL extensions. issuerAltName is intentionally left disabled.
# issuerAltName=issuer:copy
# Always embed the issuing key identifier so verifiers can bind the CRL to
# the correct CA certificate.
authorityKeyIdentifier = keyid:always
120
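[ v3_OCSP ]

# Extensions for the delegated OCSP responder signing certificate
# (RFC 6960 section 4.2.2.2).
basicConstraints = CA:FALSE
# Signing OCSP responses needs digitalSignature only. nonRepudiation and
# keyEncipherment were removed so the responder key cannot be repurposed as
# a TLS server key or used to decrypt anything; marked critical so the
# restriction cannot be ignored.
keyUsage = critical, digitalSignature
# Required: relying parties accept responses from a CA-issued signer only
# when it carries the OCSPSigning EKU.
extendedKeyUsage = OCSPSigning
# Not set: id-pkix-ocsp-nocheck (OpenSSL 'noCheck = ignore'). Without it a
# client may check the responder certificate's own revocation status; the
# usual alternative is a short responder certificate lifetime. Add it only
# as a deliberate policy decision.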