cacert-gosigner/docs/config.sample.yaml

131 lines
3.8 KiB
YAML

---
# configuration example for the CAcert signer software
#
# each directive is described at its first occurrence. If a description is
# missing please file a bug report.
# Settings defines global settings for the signer
Settings:
# define address information for the CA operator, this will be used for
# the SubjectDN of CA certificates
organization:
country: [ "CH" ]
organization: [ "CAcert Inc." ]
locality: [ "Genève" ]
street-address: [ "Clos Belmont 2" ]
postal-code: [ "1208" ]
# define how long CA certificates should be valid
validity-years:
root: 20
intermediary: 5
# URL patterns used for certificate fields. The first %s is replaced with
# the identifier of a CA certificate
url-patterns:
ocsp: "http://ocsp.cacert.org/"
crl: "http://crl.cacert.org/%s.crl"
issuer: "http://www.cacert.org/certs/%s.crt"
# KeyStorage defines PKCS#11 tokens, a token named 'default' must be present
KeyStorage:
default:
# HSM type, softhsm support is builtin
type: softhsm
# token label of the PKCS#11 token
label: localhsm
offline:
# HSM type, p11module requires a module parameter
type: p11module
# path to a PKCS#11 shared library module
module: /usr/lib/x86_64-linux-gnu/pkcs11/onepin-opensc-pkcs11.so
label: smartcard
# CAs defines the CA hierarchy of root and intermediary CA certificates
CAs:
# a root CA, the map key will be used as a label for PKCS11 and URLs
ecc_root_2022:
# information about the private key
key-info:
# key algorithm EC (for elliptic curve) or RSA are supported
algorithm: "EC"
# elliptic curve name P-224, P-256, P-384 and P-521 are supported
ecc-curve: "P-521"
# common name for the SubjectDN of the CA certificate
common-name: "CAcert ECC Root CA 2022"
# storage can be any label from the KeyStorage configuration
storage: offline
rsa_root_2022:
key-info:
algorithm: "RSA"
# RSA key length in bits (> 3072 is recommended by NIST, BSI and others)
rsa-bits: 4096
common-name: "CAcert RSA Root CA 2022"
storage: offline
ecc_person_2022:
key-info:
algorithm: "EC"
ecc-curve: "P-384"
# parent CA, must be any of the other defined CAs
parent: "ecc_root_2022"
common-name: "CAcert ECC Person CA 2022"
# extended key usage, only makes sense for non-root CAs, supported values are
#
# - client for client authentication
# - code for code signing
# - email for email protection (aka S/MIME)
# - ocsp for OCSP signing
# - server for server authentication
#
# CAs should only sign endpoint certificates for one of the extended key usages
# defined in the CA certificate itself
ext-key-usages:
- client
- code
- email
- ocsp
rsa_person_2022:
key-info:
algorithm: "RSA"
rsa-bits: 3072
parent: "rsa_root_2022"
common-name: "CAcert RSA Person CA 2022"
ext-key-usages:
- client
- code
- email
- ocsp
ecc_client_2022:
key-info:
algorithm: "EC"
ecc-curve: "P-384"
parent: "ecc_root_2022"
common-name: "CAcert ECC Client CA 2022"
ext-key-usages:
- client
- ocsp
rsa_client_2022:
key-info:
algorithm: "RSA"
rsa-bits: 3072
parent: "rsa_root_2022"
common-name: "CAcert RSA Client CA 2022"
ext-key-usages:
- client
- ocsp
ecc_server_2022:
key-info:
algorithm: "EC"
ecc-curve: "P-384"
parent: "ecc_root_2022"
common-name: "CAcert ECC Server CA 2022"
ext-key-usages:
- server
- ocsp
rsa_server_2022:
key-info:
algorithm: "RSA"
rsa-bits: 3072
parent: "rsa_root_2022"
common-name: "CAcert RSA Server CA 2022"
ext-key-usages:
- server
- ocsp