---
# configuration example for the CAcert signer software
#
# each directive is described at its first occurrence. If a description is
# missing please file a bug report.
# Settings defines global settings for the signer
Settings:
# define address information for the CA operator; these values become the
# SubjectDN of the CA certificates
organization:
country: [ "CH" ]
organization: [ "CAcert Inc." ]
locality: [ "Genève" ]
street-address: [ "Clos Belmont 2" ]
postal-code: [ "1208" ]
# define how long CA certificates should be valid
validity-years:
root: 20
intermediary: 5
# URL patterns used for certificate fields (OCSP, CRL and issuer certificate
# URLs). The first %s is replaced with the identifier of a CA certificate; the
# OCSP pattern below contains no %s, so presumably a single responder serves
# all CAs. Plain http is intentional here: CRLs and OCSP responses are signed,
# and fetching them over https would require validating a certificate first.
url-patterns:
ocsp: "http://ocsp.cacert.org/"
crl: "http://crl.cacert.org/%s.crl"
issuer: "http://www.cacert.org/certs/%s.crt"
# KeyStorage defines PKCS#11 tokens; a token named 'default' must be present.
# Presumably CAs without an explicit 'storage' entry (the intermediaries below)
# keep their keys in 'default', so it should be a real HSM in production.
KeyStorage:
default:
# HSM type; softhsm support is builtin. SoftHSM keeps private keys in software
# on the signer host, which is fine for testing but not for production signing
# keys — point 'default' at a hardware token (compare 'offline' below) before
# issuing real certificates.
type: softhsm
# token label of the PKCS#11 token
label: localhsm
offline:
# HSM type, p11module requires a module parameter
type: p11module
# path to a PKCS#11 shared library module
module: /usr/lib/x86_64-linux-gnu/pkcs11/onepin-opensc-pkcs11.so
label: smartcard
# CAs defines the CA hierarchy of root and intermediary CA certificates
CAs:
# a root CA; the map key is used as the PKCS#11 key label and as the CA
# identifier substituted into the URL patterns
ecc_root_2022:
# information about the private key
key-info:
# key algorithm; EC (elliptic curve) and RSA are supported
algorithm: "EC"
# elliptic curve name; P-224, P-256, P-384 and P-521 are supported. P-224
# provides only about 112 bits of security — prefer P-256 or stronger for any
# new CA.
ecc-curve: "P-521"
# common name for the SubjectDN of the CA certificate
common-name: "CAcert ECC Root CA 2022"
# storage can be any label from the KeyStorage configuration; the roots here
# use the 'offline' smartcard token, presumably so that root keys never reside
# on the online signer
storage: offline
rsa_root_2022:
key-info:
algorithm: "RSA"
# RSA key length in bits (at least 3072 is recommended by NIST, BSI and others
# for a 128-bit security level; the roots here use 4096, the intermediaries the
# 3072-bit minimum)
rsa-bits: 4096
common-name: "CAcert RSA Root CA 2022"
storage: offline
ecc_person_2022:
key-info:
algorithm: "EC"
ecc-curve: "P-384"
# parent CA; must be the map key of another CA defined in this section. The
# root CAs above have no parent entry.
parent: "ecc_root_2022"
common-name: "CAcert ECC Person CA 2022"
# extended key usages; only make sense for non-root CAs. Supported values are
#
# - client for client authentication
# - code for code signing
# - email for email protection (aka S/MIME)
# - ocsp for OCSP signing
# - server for server authentication
#
# A CA should only issue end-entity certificates whose extended key usages are
# a subset of those in its own certificate: relying parties that enforce EKU
# chaining reject a leaf whose usage its issuer does not carry. 'ocsp' is
# listed on the intermediaries presumably so they can issue delegated OCSP
# responder certificates; never grant it to ordinary end-entity certificates,
# since such a certificate could sign revocation responses for the whole CA.
ext-key-usages:
- client
- code
- email
- ocsp
rsa_person_2022:
key-info:
algorithm: "RSA"
rsa-bits: 3072
parent: "rsa_root_2022"
common-name: "CAcert RSA Person CA 2022"
ext-key-usages:
- client
- code
- email
- ocsp
ecc_client_2022:
key-info:
algorithm: "EC"
ecc-curve: "P-384"
parent: "ecc_root_2022"
common-name: "CAcert ECC Client CA 2022"
ext-key-usages:
- client
- ocsp
rsa_client_2022:
key-info:
algorithm: "RSA"
rsa-bits: 3072
parent: "rsa_root_2022"
common-name: "CAcert RSA Client CA 2022"
ext-key-usages:
- client
- ocsp
ecc_server_2022:
key-info:
algorithm: "EC"
ecc-curve: "P-384"
parent: "ecc_root_2022"
common-name: "CAcert ECC Server CA 2022"
ext-key-usages:
- server
- ocsp
rsa_server_2022:
key-info:
algorithm: "RSA"
rsa-bits: 3072
parent: "rsa_root_2022"
common-name: "CAcert RSA Server CA 2022"
ext-key-usages:
- server
- ocsp