# OpenSSL configuration file for Hotspot 2.0 PKI (Intermediate CA)
#
# Read by `openssl ca` ([ ca ] / [ CA_default ]) when issuing certificates and
# CRLs, and by `openssl req` ([ req ]) when generating the CA's own request.
# The lines #@CN@, #@OU@ and #@ALTNAME@ below are kept verbatim: they look like
# markers that a generating script replaces before this file is used - verify
# against the caller before touching them.
#
# Comment style: full-line '#'; OpenSSL also accepts a trailing '# ...' after a
# value, which the original author uses in [ CA_default ].

# Base directory for relative paths and the (legacy) random-seed file.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Section in which extra OIDs may be declared for use in extension sections.
oid_section = new_oids

[ new_oids ]

# Symbolic name for the RFC 3709 logotype extension OID. Left commented out;
# the numeric OID 1.3.6.1.5.5.7.1.12 is written directly in [ v3_osu_server ].
#logotypeoid=1.3.6.1.5.5.7.1.12

####################################################################
# Entry point for `openssl ca`: names the section holding the CA settings.
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
# Settings for `openssl ca`. All paths are relative to the working directory
# (dir = ./demoCA), so the tool must be run from the directory that holds demoCA.
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# Left at the OpenSSL default (yes): a second certificate with the same subject
# is refused while an earlier one is still valid in the index. Uncomment to
# allow several certificates with the same subject.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# CA signing key. Nothing in this file protects it: rely on file permissions
# and on the key passphrase prompted for (or passed with -passin) at run time.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

# Extension section applied when `openssl ca` is run without -extensions;
# [ ext_server ], [ v3_ca ] etc. have to be selected explicitly.
x509_extensions = ext_client # The extensions to add to the cert

name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# 'copy' takes any extension present in the CSR that the selected extension
# section does not already set. Extensions set in the section win, but a
# CSR-supplied extension the section leaves unset (e.g. keyUsage, which
# [ ext_client ] does not define) is issued as requested - review CSRs
# accordingly, or set every security-relevant extension in each section.
copy_extensions = copy

# Validity of issued certificates in days (overridable with -days).
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# 'default' lets OpenSSL pick the digest appropriate for the signing key type.
default_md = default # use public key default MD
preserve = no # keep passed DN ordering

# DN policy applied unless -policy names another section below.
policy = policy_match

# For the CA policy
# Per-attribute rules: 'supplied' = must be present in the request,
# 'match' = must equal the value in the CA certificate's subject,
# 'optional' = may be absent.
[ policy_match ]
countryName = supplied
stateOrProvinceName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Stricter policy: country and organization must match the CA's own subject.
# Not referenced from [ CA_default ]; select it with -policy policy_osu_server.
[ policy_osu_server ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

# Permissive policy: only a commonName is required. Select with -policy.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
# Settings for `openssl req` (generating the CA key and request).
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Applies only to a self-signed certificate (`openssl req -x509`).
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passphrases used to read (input) and write (output) the private key when
# `openssl req` runs non-interactively. A fixed, widely known value like this
# is acceptable only for a demo/test PKI; for a production intermediate CA
# remove both keys and pass the passphrase via -passin/-passout from a
# protected source instead of storing it in this file.
input_password = whatever
output_password = whatever

# Encode DN strings as UTF8String only (no legacy T61/BMP string types).
string_mask = utf8only

# Prompts, defaults and length limits for the DN fields asked for by
# `openssl req`. "<field>_default" is the value offered at the prompt.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FI
countryName_min = 2
countryName_max = 2

localityName = Locality Name (eg, city)
localityName_default = Tuusula

# The "0." prefix keeps the key unique so the same DN type could be requested
# more than once.
0.organizationName = Organization Name (eg, company)
0.organizationName_default = w1.fi

# Organizational unit is not prompted for here; #@OU@ is a marker line,
# presumably replaced by the generating script when an OU is wanted.
##organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
#@OU@

# #@CN@ is a marker line, presumably replaced with a commonName_default by the
# generating script.
commonName = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# No request attributes (challengePassword etc.) are prompted for.
[ req_attributes ]

# Extensions for this intermediate CA's own certificate (referenced from
# [ req ] x509_extensions; can also be chosen with -extensions v3_ca).
[ v3_ca ]

# Hotspot 2.0 PKI requirements
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 - this CA may issue end-entity certificates only, no further sub-CAs.
basicConstraints = critical, CA:true, pathlen:0
# A CA key signs certificates and CRLs only; no TLS usages.
keyUsage = critical, cRLSign, keyCertSign
# OCSP responder URL embedded in the certificate; osu.w1.fi:8888 is an example
# host and must point at the real responder in a deployment.
authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
# For SP intermediate CA
# Optional extensions for a service-provider intermediate: an OSU-specific
# otherName in subjectAltName, and nameConstraints to confine issued names to
# the listed domain.
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
#nameConstraints=permitted;DNS:.w1.fi
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn

# Profile carrying the RFC 3709 logotype extension (built from the ASN.1
# sections that follow).
# NOTE(review): this section asserts CA:true with pathlen:0 although its name
# suggests a server profile; compare [ ext_server ], which uses CA:FALSE.
# Confirm which certificate this is meant for before using it.
[ v3_osu_server ]

basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyEncipherment
# Marker line, presumably replaced with a subjectAltName= line by the
# generating script.
#@ALTNAME@

# id-pe-logotype (1.3.6.1.5.5.7.1.12), encoded with OpenSSL's ASN1 generator:
# LogotypeExtn -> communityLogos [0] -> LogotypeInfo (direct [0])
#   -> LogotypeData -> LogotypeImage { imageDetails, imageInfo }
#logotypeoid=ASN1:SEQUENCE:LogotypeExtn
1.3.6.1.5.5.7.1.12 = ASN1:SEQUENCE:LogotypeExtn
[LogotypeExtn]
communityLogos = EXP:0,SEQUENCE:LogotypeInfo
[LogotypeInfo]
# note: implicit tag converted to explicit for CHOICE
direct = EXP:0,SEQUENCE:LogotypeData
[LogotypeData]
image = SEQUENCE:LogotypeImage
[LogotypeImage]
imageDetails = SEQUENCE:LogotypeDetails
imageInfo = SEQUENCE:LogotypeImageInfo
# Media type, digest(s) and URI of the logo. Relying parties fetch the URI and
# check the digest, so hashValue (and fileSize/xSize/ySize in
# [LogotypeImageInfo]) must be recomputed whenever the PNG changes.
[LogotypeDetails]
mediaType = IA5STRING:image/png
logotypeHash = SEQUENCE:HashAlgAndValues
logotypeURI = SEQUENCE:URI
# One entry per digest algorithm; the SHA-1 alternative is kept but unused.
[HashAlgAndValues]
value1 = SEQUENCE:HashAlgAndValueSHA256
#value2=SEQUENCE:HashAlgAndValueSHA1
[HashAlgAndValueSHA256]
hashAlg = SEQUENCE:sha256_alg
# SHA-256 (hex) of the image served at the URI in [URI].
hashValue = FORMAT:HEX,OCTETSTRING:4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d
# Only referenced by the commented-out value2 above.
[HashAlgAndValueSHA1]
hashAlg = SEQUENCE:sha1_alg
hashValue = FORMAT:HEX,OCTETSTRING:5e1d5085676eede6b02da14d31c523ec20ffba0b
[sha256_alg]
algorithm = OID:sha256
[sha1_alg]
algorithm = OID:sha1
[URI]
uri = IA5STRING:http://osu.w1.fi/w1fi_logo.png
[LogotypeImageInfo]
# default value color(1), component optional
#type=IMP:0,INTEGER:1
# Size in bytes and pixel dimensions of the PNG above.
fileSize = INTEGER:7549
xSize = INTEGER:128
ySize = INTEGER:80
# language [4] IMPLICIT; "zxx" is the ISO 639-2 code for "no linguistic content".
language = IMP:4,IA5STRING:zxx

# Extensions for generated CRLs. Not wired up here: enable with crl_extensions
# in [ CA_default ] or -crlexts crl_ext on the `openssl ca -gencrl` command line.
[ crl_ext ]

# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always

# Profile for a delegated OCSP responder signing certificate. The OCSPSigning
# EKU lets clients accept responses signed by this key rather than the CA key.
[ v3_OCSP ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning

# Default profile (see x509_extensions in [ CA_default ]): end-entity
# client-authentication certificate.
# No keyUsage is set here, so with copy_extensions = copy a keyUsage supplied in
# the CSR is copied through unchanged.
[ ext_client ]

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
# Marker line, presumably replaced with a subjectAltName= line by the
# generating script.
#@ALTNAME@
extendedKeyUsage = clientAuth

# End-entity TLS server profile; select with -extensions ext_server.
[ ext_server ]

# Hotspot 2.0 PKI requirements
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
# Marker line, presumably replaced with a subjectAltName= line by the
# generating script.
#@ALTNAME@
# Critical EKU: clients that enforce it reject any non-server use of this cert.
extendedKeyUsage = critical, serverAuth
# NOTE(review): only keyEncipherment is asserted. TLS handshakes in which the
# server signs (ECDHE key exchange, and all of TLS 1.3) require the
# digitalSignature bit when keyUsage is present; confirm against the Hotspot 2.0
# certificate profile before adding it.
keyUsage = critical, keyEncipherment