diff --git a/ca.cnf b/ca.cnf
index b302513..5ae89c9 100644
--- a/ca.cnf
+++ b/ca.cnf
@@ -1,7 +1,7 @@
 extensions = v3_ext
 [ca]
-default_ca = EXAMPLECA
+default_ca = sub_ca
 [rootca]
 dir = ./example_ca/root
@@ -25,7 +25,7 @@ default_md = sha256
 default_days = 1825
 default_crl_days = 30
-[EXAMPLECA]
+[sub_ca]
 dir = ./example_ca/sub
 certs = $dir/certs
 crl_dir = $dir/crl
@@ -44,6 +44,25 @@ default_md = sha256
 default_days = 365
 default_crl_days = 30
+[email_ca]
+dir = ./example_ca/email
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+serial = $dir/serial
+new_certs_dir = $dir/newcerts
+
+crl = $dir/crl.pem
+certificate = $dir/ca.crt.pem
+private_key = $dir/private/ca.key.pem
+RANDFILE = $dir/private/.rand
+unique_subject = no
+email_in_dn = no
+
+default_md = sha256
+default_days = 365
+default_crl_days = 30
+
 [policy_any]
 countryName = match
 stateOrProvinceName = optional
@@ -55,12 +74,14 @@ emailAddress = optional
 [policy_match]
 commonName = supplied
-[client_ext]
+[email_ext]
 basicConstraints = critical,CA:false
 keyUsage = keyEncipherment,digitalSignature,nonRepudiation
 extendedKeyUsage = clientAuth,emailProtection
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
+authorityKeyIdentifier = keyid:always
+authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
+crlDistributionPoints = URI:http://crl.example.org/email.crl
 [req]
 default_bits = 3072
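Review bot: The new [email_ca] section defines no `policy` key, so `openssl ca -name email_ca` will fail the config lookup for `policy` unless every invocation passes `-policy` on the command line; add `policy = policy_match` (or `policy_any`, whichever profile the email CA is meant to enforce) next to the other keys. The section also has no `crlnumber = $dir/crlnumber`, so CRLs generated with `-gencrl` for this CA will carry no cRLNumber extension, which RFC 5280 requires of conforming CRLs, even though this change publishes a CRL URL for it. `unique_subject = no` lets the CA hold several valid certificates for the same subject DN; if that is intended for key rollover, state it above the key, e.g. `; allow re-issuance for an existing subject (key rollover)`.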
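Review bot: The `authorityInfoAccess` caIssuers entry added to [email_ext] points at the root CA certificate, yet this profile (renamed from client_ext, with `CA:false` and clientAuth/emailProtection) looks like the end-entity profile for certificates the new email CA issues, in which case caIssuers must name the issuing email CA's certificate, not the root; a client walking AIA would otherwise fetch the root and fail to build the chain through the intermediate. If that reading is right, change it to `authorityInfoAccess = caIssuers;URI:<EMAIL_CA_CERT_URL>,OCSP;URI:http://ocsp.example.org/` (placeholder URL); OpenSSL accepts the name `caIssuers` in place of `1.3.6.1.5.5.7.48.2`, which also makes the intent readable. Unlike the CA profiles elsewhere in this change, `keyUsage` here is not marked critical; `keyUsage = critical,keyEncipherment,digitalSignature,nonRepudiation` keeps the profiles consistent.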
@@ -86,10 +107,34 @@ commonName_max = 64
 [req_attributes]
 [root_ca]
-basicConstraints = critical,CA:true,pathlen:1
+basicConstraints = critical,CA:true
+keyUsage = critical,keyCertSign,cRLSign
 subjectKeyIdentifier = hash
-[sub_ca]
+[ext_sub_ca]
 basicConstraints = critical,CA:true,pathlen:0
+keyUsage = critical,keyCertSign,cRLSign
+extendedKeyUsage = serverAuth,clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
+crlDistributionPoints = URI:http://crl.example.org/sub.crl
+certificatePolicies = @policy_sub_ca
+
+[ext_email_ca]
+basicConstraints = critical,CA:true,pathlen:0
+keyUsage = critical,keyCertSign,cRLSign
+extendedKeyUsage = clientAuth,emailProtection
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
\ No newline at end of file
+authorityKeyIdentifier = keyid:always
+authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
+crlDistributionPoints = URI:http://crl.example.org/email.crl
+certificatePolicies = @policy_email_ca
+
+[policy_sub_ca]
+policyIdentifier = 1.3.6.1.5.5.7.2.1
+CPS = http://example.org/ca/sub/cps.html
+
+[policy_email_ca]
+policyIdentifier = 1.3.6.1.5.5.7.2.1
+CPS = http://example.org/ca/email/cps.html
diff --git a/setup_example_ca.sh b/setup_example_ca.sh
index 7b11bc1..f50d257 100755
--- a/setup_example_ca.sh
+++ b/setup_example_ca.sh
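Review bot: The `crlDistributionPoints` added to [ext_sub_ca] and [ext_email_ca] name sub.crl and email.crl, the CRLs those intermediates issue themselves, but both certificates are signed by the root (the script in this change runs `openssl ca -name rootca -extensions ext_sub_ca` / `-extensions ext_email_ca`), so each CDP must point at the CRL in which the root would revoke that intermediate, e.g. `crlDistributionPoints = URI:<ROOT_CRL_URL>` (placeholder). A relying party checking revocation would otherwise look for the intermediate's own status in a CRL it signs itself, which can never list it. Separately, `policyIdentifier = 1.3.6.1.5.5.7.2.1` in both [policy_sub_ca] and [policy_email_ca] is id-qt-cps, the OID of the CPS qualifier type, not a certificate policy; use an organisation-owned policy OID, `policyIdentifier = <ORG_POLICY_OID>` (placeholder), or anyPolicy `2.5.29.32.0`, and keep `CPS =` as its qualifier.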
@@ -6,10 +6,10 @@ COUNTRY_CODE=CH
 ORGANIZATION="Acme Ltd."
 if [ ! -d "example_ca" ]; then
- mkdir -p example_ca/root/newcerts example_ca/sub/newcerts
- touch example_ca/root/index.txt example_ca/sub/index.txt
+ mkdir -p example_ca/root/newcerts example_ca/sub/newcerts example_ca/email/newcerts
+ touch example_ca/root/index.txt example_ca/sub/index.txt example_ca/email/index.txt
 umask 077
- mkdir example_ca/root/private example_ca/sub/private
+ mkdir example_ca/root/private example_ca/sub/private example_ca/email/private
 openssl req -new -x509 \
 -config ca.cnf \
 -keyout example_ca/root/private/ca.key.pem \
@@ -32,8 +32,24 @@ if [ ! -d "example_ca" ]; then
 -config ca.cnf \
 -name rootca \
 -in example_ca/sub/ca.csr.pem \
- -extensions sub_ca \
+ -extensions ext_sub_ca \
 -out example_ca/sub/ca.crt.pem \
- -create_serial \
+ -rand_serial \
 -batch
+ openssl req -new \
+ -config ca.cnf \
+ -keyout example_ca/email/private/ca.key.pem \
+ -newkey rsa:3072 \
+ -nodes \
+ -subj "/CN=Example Email CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
+ -utf8 \
+ -out example_ca/email/ca.csr.pem
+ openssl ca \
+ -config ca.cnf \
+ -name rootca \
+ -in example_ca/email/ca.csr.pem \
+ -extensions ext_email_ca \
+ -out example_ca/email/ca.crt.pem \
+ -rand_serial \
+ -batch
 fi
\ No newline at end of file
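Review bot: The email CA's private key is generated with `-nodes`, so example_ca/email/private/ca.key.pem is written unencrypted and protected only by the `umask 077` set earlier in the block; this mirrors the existing root and sub CA handling, but the trade-off deserves a comment above the new `openssl req`, e.g. `# example setup only: CA keys are stored unencrypted (-nodes); use a passphrase or HSM-backed key for anything real`. Nothing confirms that the root actually produced a usable intermediate; after the new `openssl ca` call, `openssl verify -CAfile example_ca/root/ca.crt.pem example_ca/email/ca.crt.pem` would make a broken ca.cnf profile fail here rather than at first use. Whether `set -e` is in effect is not visible from this hunk, and the enclosing `if` block begins outside it.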