Setup more CAB forum compliant CA structure

main
Jan Dittberner 3 years ago
parent e67dc820cf
commit e485abeced

@ -1,7 +1,7 @@
extensions = v3_ext
[ca]
default_ca = EXAMPLECA
default_ca = sub_ca
[rootca]
dir = ./example_ca/root
@ -25,7 +25,7 @@ default_md = sha256
default_days = 1825
default_crl_days = 30
[EXAMPLECA]
[sub_ca]
dir = ./example_ca/sub
certs = $dir/certs
crl_dir = $dir/crl
@ -44,6 +44,25 @@ default_md = sha256
default_days = 365
default_crl_days = 30
[email_ca]
dir = ./example_ca/email
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
crl = $dir/crl.pem
certificate = $dir/ca.crt.pem
private_key = $dir/private/ca.key.pem
RANDFILE = $dir/private/.rand
unique_subject = no
email_in_dn = no
default_md = sha256
default_days = 365
default_crl_days = 30
[policy_any]
countryName = match
stateOrProvinceName = optional
@ -55,12 +74,14 @@ emailAddress = optional
[policy_match]
commonName = supplied
[client_ext]
[email_ext]
basicConstraints = critical,CA:false
keyUsage = keyEncipherment,digitalSignature,nonRepudiation
extendedKeyUsage = clientAuth,emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints = URI:http://crl.example.org/email.crl
[req]
default_bits = 3072
@ -86,10 +107,34 @@ commonName_max = 64
[req_attributes]
[root_ca]
basicConstraints = critical,CA:true,pathlen:1
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca]
[ext_sub_ca]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints = URI:http://crl.example.org/sub.crl
certificatePolicies = @policy_sub_ca
[ext_email_ca]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = clientAuth,emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints = URI:http://crl.example.org/email.crl
certificatePolicies = @policy_email_ca
[policy_sub_ca]
policyIdentifier = 1.3.6.1.5.5.7.2.1
CPS = http://example.org/ca/sub/cps.html
[policy_email_ca]
policyIdentifier = 1.3.6.1.5.5.7.2.1
CPS = http://example.org/ca/email/cps.html

@ -6,10 +6,10 @@ COUNTRY_CODE=CH
ORGANIZATION="Acme Ltd."
if [ ! -d "example_ca" ]; then
mkdir -p example_ca/root/newcerts example_ca/sub/newcerts
touch example_ca/root/index.txt example_ca/sub/index.txt
mkdir -p example_ca/root/newcerts example_ca/sub/newcerts example_ca/email/newcerts
touch example_ca/root/index.txt example_ca/sub/index.txt example_ca/email/index.txt
umask 077
mkdir example_ca/root/private example_ca/sub/private
mkdir example_ca/root/private example_ca/sub/private example_ca/email/private
openssl req -new -x509 \
-config ca.cnf \
-keyout example_ca/root/private/ca.key.pem \
@ -32,8 +32,24 @@ if [ ! -d "example_ca" ]; then
-config ca.cnf \
-name rootca \
-in example_ca/sub/ca.csr.pem \
-extensions sub_ca \
-extensions ext_sub_ca \
-out example_ca/sub/ca.crt.pem \
-create_serial \
-rand_serial \
-batch
openssl req -new \
-config ca.cnf \
-keyout example_ca/email/private/ca.key.pem \
-newkey rsa:3072 \
-nodes \
-subj "/CN=Example Email CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
-utf8 \
-out example_ca/email/ca.csr.pem
openssl ca \
-config ca.cnf \
-name rootca \
-in example_ca/email/ca.csr.pem \
-extensions ext_email_ca \
-out example_ca/email/ca.crt.pem \
-rand_serial \
-batch
fi
Loading…
Cancel
Save