---
# Example configuration for the CAcert signer software.
#
# Every directive is documented where it first appears. If a description is
# missing, please file a bug report.

# Settings: global settings for the signer
Settings:
  # Address of the CA operator; used to build the SubjectDN of every CA
  # certificate that this signer issues.
  organization:
    country:
      - "CH"
    organization:
      - "CAcert Inc."
    locality:
      - "Genève"
    street-address:
      - "Clos Belmont 2"
    postal-code:
      - "1208"

  # Lifetime of CA certificates, in years.
  validity-years:
    root: 20
    intermediary: 5

  # URL patterns placed into certificate fields (AIA/CRL distribution
  # points). The first %s is replaced with the identifier of a CA
  # certificate, i.e. the map key under CAs below.
  #
  # Plain http is the norm for CRL/OCSP/AIA fetch locations (RFC 5280):
  # relying parties verify the signature on the fetched object rather than
  # trusting the transport.
  url-patterns:
    # NOTE(review): this pattern contains no %s, so a single responder URL is
    # shared by all CAs -- confirm the signer tolerates a placeholder-free
    # pattern rather than expecting one.
    ocsp: "http://ocsp.cacert.org/"
    crl: "http://crl.cacert.org/%s.crl"
    issuer: "http://www.cacert.org/certs/%s.crt"

# KeyStorage: the PKCS#11 tokens that hold CA private keys. A token named
# 'default' must always be present.
KeyStorage:
  default:
    # HSM type; softhsm support is built in. SoftHSM is a software token whose
    # key material lives on disk, so it suits development; this example keeps
    # the root CA keys on the 'offline' token instead.
    type: softhsm
    # Token label of the PKCS#11 token
    label: localhsm
  offline:
    # HSM type; p11module additionally requires a module parameter
    type: p11module
    # Path to the PKCS#11 shared library that drives the token
    module: /usr/lib/x86_64-linux-gnu/pkcs11/onepin-opensc-pkcs11.so
    label: smartcard

# CAs: the hierarchy of root and intermediary CA certificates.
CAs:
  # A root CA. The map key doubles as the PKCS#11 label and as the %s in the
  # URL patterns above.
  ecc_root_2022:
    # Private key parameters
    key-info:
      # Key algorithm; EC (elliptic curve) and RSA are supported
      algorithm: "EC"
      # Elliptic curve name; P-224, P-256, P-384 and P-521 are supported
      ecc-curve: "P-521"
    # Common name used in the SubjectDN of the CA certificate
    common-name: "CAcert ECC Root CA 2022"
    # storage: any label defined under KeyStorage
    storage: "offline"

  rsa_root_2022:
    key-info:
      algorithm: "RSA"
      # RSA modulus size in bits; 3072 bits or more is the current
      # recommendation of NIST, BSI and others
      rsa-bits: 4096
    common-name: "CAcert RSA Root CA 2022"
    storage: "offline"

  # Intermediary CAs follow. None of them sets 'storage'; presumably the
  # 'default' token is used for them -- confirm against the signer before
  # relying on this for production keys.
  ecc_person_2022:
    key-info:
      algorithm: "EC"
      ecc-curve: "P-384"
    # parent: the issuing CA, which must be another CA defined in this map
    parent: "ecc_root_2022"
    common-name: "CAcert ECC Person CA 2022"
    # Extended key usages carried by the CA certificate. Only meaningful for
    # non-root CAs. Supported values:
    #
    # - client  client authentication
    # - code    code signing
    # - email   email protection (S/MIME)
    # - ocsp    OCSP signing
    # - server  server authentication
    #
    # A CA should only sign end-entity certificates for extended key usages
    # that its own certificate lists here; this keeps each issuing CA's blast
    # radius limited to one purpose.
    ext-key-usages:
      - "client"
      - "code"
      - "email"
      - "ocsp"

  rsa_person_2022:
    key-info:
      algorithm: "RSA"
      rsa-bits: 3072
    parent: "rsa_root_2022"
    common-name: "CAcert RSA Person CA 2022"
    ext-key-usages:
      - "client"
      - "code"
      - "email"
      - "ocsp"

  ecc_client_2022:
    key-info:
      algorithm: "EC"
      ecc-curve: "P-384"
    parent: "ecc_root_2022"
    common-name: "CAcert ECC Client CA 2022"
    ext-key-usages:
      - "client"
      - "ocsp"

  rsa_client_2022:
    key-info:
      algorithm: "RSA"
      rsa-bits: 3072
    parent: "rsa_root_2022"
    common-name: "CAcert RSA Client CA 2022"
    ext-key-usages:
      - "client"
      - "ocsp"

  ecc_server_2022:
    key-info:
      algorithm: "EC"
      ecc-curve: "P-384"
    parent: "ecc_root_2022"
    common-name: "CAcert ECC Server CA 2022"
    ext-key-usages:
      - "server"
      - "ocsp"

  rsa_server_2022:
    key-info:
      algorithm: "RSA"
      rsa-bits: 3072
    parent: "rsa_root_2022"
    common-name: "CAcert RSA Server CA 2022"
    ext-key-usages:
      - "server"
      - "ocsp"