# $OpenBSD: ikeca.cnf,v 1.10 2023/11/17 14:43:36 tobhe Exp $ CERT_C = DE CERT_ST = Lower Saxony CERT_L = Hanover CERT_O = OpenBSD CERT_OU = iked CERT_CN = CERT_EMAIL = reyk@openbsd.org # default settings CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign,cRLSign EXTCERTUSAGE = serverAuth,clientAuth CERTIP = 0.0.0.0 CERTFQDN = nohost.nodomain CADB = index.txt CASERIAL = serial.txt NSCERTTYPE = server,client [ req ] #default_bits = 2048 #default_md = sha256 #default_keyfile = privkey.pem distinguished_name = req_distinguished_name #attributes = req_attributes req_extensions = $ENV::REQ_EXT [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = $ENV::CERT_C countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = $ENV::CERT_ST localityName = Locality Name (eg, city) localityName_default = $ENV::CERT_L 0.organizationName = Organization Name (eg, company) 0.organizationName_default = $ENV::CERT_O # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = OpenBSD organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = $ENV::CERT_OU commonName = Common Name (eg, fully qualified host name) commonName_max = 64 commonName_default = $ENV::CERT_CN emailAddress = Email Address emailAddress_max = 64 emailAddress_default = $ENV::CERT_EMAIL [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ x509v3_extensions ] nsCaRevocationUrl = http://127.0.0.1/ca-crl.pem nsComment = "This is a comment" # under ASN.1, the 0 bit would be encoded as 80 nsCertType = 0x40 [x509v3_CA] basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN keyUsage=$ENV::CERTUSAGE [x509v3_IPAddr] keyUsage=$ENV::CERTUSAGE nsCertType=$ENV::NSCERTTYPE subjectAltName=IP:$ENV::CERTIP extendedKeyUsage=$ENV::EXTCERTUSAGE [x509v3_FQDN] keyUsage=$ENV::CERTUSAGE nsCertType=$ENV::NSCERTTYPE subjectAltName=DNS:$ENV::CERTFQDN extendedKeyUsage=$ENV::EXTCERTUSAGE [ca] default_ca = CA_default [CA_sign_policy] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [CA_default] database = $ENV::CADB serial = $ENV::CASERIAL default_md = sha256 default_days = 365 default_crl_days = 365 unique_subject = no email_in_dn = yes policy = CA_sign_policy