cacert-gosigner/docs/config.sample.yaml
Jan Dittberner 82a1284073 Rename intermediary CA to subordinate CA
This refactoring commit renames all occurrences of the term "intermediary CA"
to "subordinate CA" for better alignment with the terms used in RFC-5280 and
other standard documents.
2022-08-03 16:01:06 +02:00


---
# configuration example for the CAcert signer software
#
# each directive is described at its first occurrence. If a description is
# missing, please file a bug report.
# Settings defines global settings for the signer
Settings:
  # define address information for the CA operator, this will be used for
  # the SubjectDN of CA certificates. Every attribute is a list because a DN
  # attribute may carry more than one value. Keep the values quoted: an
  # unquoted country code such as NO is read as a boolean by YAML 1.1 parsers
  organization:
    country: [ "CH" ]
    organization: [ "CAcert Inc." ]
    locality: [ "Genève" ]
    street-address: [ "Clos Belmont 2" ]
    postal-code: [ "1208" ]
  # define how long CA certificates should be valid (in years). A subordinate
  # should not outlive its parent; nothing in this file shows the signer
  # clamping a subordinate's notAfter to the parent's, so check the remaining
  # lifetime of the root before issuing
  validity-years:
    root: 20
    subordinate: 5
  # URL patterns used for certificate fields. The first %s is replaced with
  # the identifier of a CA certificate (its map key under CAs below), so the
  # CRL and the issuer certificate of every CA must be published under exactly
  # these names or clients cannot check revocation or fetch the chain.
  # Plain http is the norm for CRL and AIA locations: fetching them over
  # https would require validating another chain first, and the objects are
  # signed anyway. The OCSP pattern carries no %s, so all CAs share one
  # responder address
  url-patterns:
    ocsp: "http://ocsp.cacert.org/"
    crl: "http://crl.cacert.org/%s.crl"
    issuer: "http://www.cacert.org/certs/%s.crt"
  # Settings for the serial link (presumably the channel between this signer
  # and the online side — confirm against the signer code).
  # baud and timeout-millis are optional; their defaults are not documented
  # in this file
  serial:
    device: "/dev/ttyUSB0"
    baud: 115200
    timeout-millis: 5000
# KeyStorage defines PKCS#11 tokens, a token named 'default' must be present.
# CAs that do not set a storage presumably fall back to 'default'; verify
# this against the signer code before relying on it
KeyStorage:
  default:
    # HSM type, softhsm support is builtin. SoftHSM keeps its keys in files on
    # this host, so it is suited to development and tests; production CA keys
    # belong on a hardware token such as the 'offline' entry below
    type: softhsm
    # token label of the PKCS#11 token
    label: localhsm
  offline:
    # HSM type, p11module requires a module parameter
    type: p11module
    # path to a PKCS#11 shared library module. This path is specific to
    # Debian-style multiarch layouts on amd64 and to OpenSC's single-PIN
    # build; adjust it for the local distribution and token driver
    module: /usr/lib/x86_64-linux-gnu/pkcs11/onepin-opensc-pkcs11.so
    # must match the label the token was initialised with. No PIN is stored
    # in this file; how it is supplied to the signer is not shown here
    label: smartcard
# CAs defines the CA hierarchy of root and subordinate CA certificates.
# Entries refer to each other by map key: a subordinate's parent names
# another entry in this map, and an entry without a parent is a self-signed
# root. The subordinates below set no storage and presumably fall back to
# the 'default' token from KeyStorage — confirm in the signer code
CAs:
  # a root CA, the map key will be used as a label for PKCS11 and URLs. It
  # therefore ends up in the published CRL and issuer URLs: keep keys
  # URL-safe and do not rename an entry once its certificate has been issued
  ecc_root_2022:
    # information about the private key
    key-info:
      # key algorithm, EC (for elliptic curve) and RSA are supported
      algorithm: "EC"
      # elliptic curve name P-224, P-256, P-384 and P-521 are supported.
      # P-224 gives only ~112 bits of security and is missing from most
      # current policy allowlists; use P-256 or larger for new CAs
      ecc-curve: "P-521"
    # common name for the SubjectDN of the CA certificate
    common-name: "CAcert ECC Root CA 2022"
    # storage can be any label from the KeyStorage configuration; root keys
    # live on the offline token, not in the software HSM
    storage: offline
  rsa_root_2022:
    key-info:
      algorithm: "RSA"
      # RSA key length in bits (at least 3072 is recommended by NIST, BSI and
      # others for the 128-bit security level; 2048 only reaches 112 bits)
      rsa-bits: 4096
    common-name: "CAcert RSA Root CA 2022"
    storage: offline
  ecc_person_2022:
    key-info:
      algorithm: "EC"
      ecc-curve: "P-384"
    # parent CA, must be any of the other defined CAs
    parent: "ecc_root_2022"
    common-name: "CAcert ECC Person CA 2022"
    # extended key usage, only makes sense for non-root CAs, supported values are
    #
    # - client for client authentication
    # - code for code signing
    # - email for email protection (aka S/MIME)
    # - ocsp for OCSP signing
    # - server for server authentication
    #
    # CAs should only sign endpoint certificates for one of the extended key usages
    # defined in the CA certificate itself: several validators require every
    # EKU of a leaf to also appear in each CA of its chain, so a narrow list
    # here limits what a compromised subordinate can issue (a server CA cannot
    # mint usable code-signing certificates). ocsp is presumably listed so the
    # CA can issue delegated OCSP responder certificates (RFC 6960 section
    # 4.2.2.2) — confirm
    ext-key-usages:
      - client
      - code
      - email
      - ocsp
  rsa_person_2022:
    key-info:
      algorithm: "RSA"
      rsa-bits: 3072
    parent: "rsa_root_2022"
    common-name: "CAcert RSA Person CA 2022"
    ext-key-usages:
      - client
      - code
      - email
      - ocsp
  ecc_client_2022:
    key-info:
      algorithm: "EC"
      ecc-curve: "P-384"
    parent: "ecc_root_2022"
    common-name: "CAcert ECC Client CA 2022"
    ext-key-usages:
      - client
      - ocsp
  rsa_client_2022:
    key-info:
      algorithm: "RSA"
      rsa-bits: 3072
    parent: "rsa_root_2022"
    common-name: "CAcert RSA Client CA 2022"
    ext-key-usages:
      - client
      - ocsp
  # server CAs carry only the server and ocsp usages, so a certificate issued
  # by them is not accepted for client, email or code-signing purposes by
  # validators that enforce EKU chaining
  ecc_server_2022:
    key-info:
      algorithm: "EC"
      ecc-curve: "P-384"
    parent: "ecc_root_2022"
    common-name: "CAcert ECC Server CA 2022"
    ext-key-usages:
      - server
      - ocsp
  rsa_server_2022:
    key-info:
      algorithm: "RSA"
      rsa-bits: 3072
    parent: "rsa_root_2022"
    common-name: "CAcert RSA Server CA 2022"
    ext-key-usages:
      - server
      - ocsp