1# OpenSSL configuration file for Hotspot 2.0 PKI (Intermediate CA)
2
# Base for relative paths. Note that `$ENV::HOME` on the next line reads the
# HOME *environment variable*, not this key; OpenSSL fails to load the config
# if that variable is unset.
HOME			= .
# RNG seed file. NOTE(review): presumably only older OpenSSL releases consult
# it (1.1.1+ seed from the OS); kept for compatibility.
RANDFILE		= $ENV::HOME/.rnd
# Section holding extra OIDs that may then be used by name in extension sections.
oid_section		= new_oids
6
[ new_oids ]

# Named OID aliases; currently empty. The logotype extension is referenced by
# its numeric OID (1.3.6.1.5.5.7.1.12) in v3_osu_server rather than via this alias.
#logotypeoid=1.3.6.1.5.5.7.1.12
10
11####################################################################
[ ca ]
# Section `openssl ca` uses unless -name selects another one.
default_ca	= CA_default		# The default ca section
14
15####################################################################
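[ CA_default ]

# Layout of the CA working directory. All paths are relative to the working
# directory of the openssl invocation.
dir		= ./demoCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certificates with same subject
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem	# The private key (keep readable by the CA operator only)
RANDFILE	= $dir/private/.rand	# private random number file

# Extension section used when `openssl ca` is run without -extensions; the
# other profiles in this file (v3_osu_server, v3_OCSP, ext_server, ...) are
# selected explicitly on the command line.
x509_extensions	= ext_client		# The extensions to add to the cert

# CRL extension section. Without this line `openssl ca -gencrl` emits CRLs
# carrying no authorityKeyIdentifier unless -crlexts crl_ext is passed every time.
crl_extensions	= crl_ext

name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying: `copy` imports every CSR extension that the selected
# extension section does not itself set. Every extension section in this file
# sets basicConstraints, so a CSR cannot grant itself CA:true, but any other
# requested extension (subjectAltName in particular) is issued as requested --
# review CSR contents before signing.
copy_extensions = copy

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= default		# use public key default MD
preserve	= no			# keep passed DN ordering

# Subject policy: DN attributes not listed in the policy section are dropped
# from the issued certificate (e.g. localityName under policy_match).
policy		= policy_match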
48
# For the CA policy
# Subject rules for `openssl ca`: `supplied` -- the attribute must be present
# in the CSR (any value); `match` -- it must equal the issuing CA's value;
# `optional`. Attributes not listed here (localityName) are removed from the
# issued certificate.
[ policy_match ]
countryName		= supplied
stateOrProvinceName	= optional
organizationName	= supplied
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
57
# Policy for OSU server certificates (`openssl ca -policy policy_osu_server`):
# C and O must equal the issuing CA's, and an OU is mandatory.
# NOTE(review): presumably the OU is the text inserted via the #@OU@ placeholder
# in req_distinguished_name -- confirm against the setup script.
[ policy_osu_server ]
countryName		= match
stateOrProvinceName	= optional
organizationName	= match
organizationalUnitName	= supplied
commonName		= supplied
emailAddress		= optional
65
# Least strict policy: only a CN is required, nothing is matched against the
# CA. Not referenced by CA_default; only in effect via `-policy policy_anything`.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
74
75####################################################################
[ req ]
# Defaults for `openssl req` (CSR generation and the self-signed CA certificate).
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert

# Passphrase used to decrypt an input key and to encrypt a generated key.
# @PASSWORD@ is a template placeholder: once substituted, this file holds the
# CA key passphrase in cleartext -- keep the rendered file out of version
# control, readable only by the CA operator, and remove it after use.
# Has no effect when the key is written unencrypted (-nodes).
input_password = @PASSWORD@
output_password = @PASSWORD@

# Encode DN strings as UTF8String only (no BMPString/T61String variants).
string_mask = utf8only
87
[ req_distinguished_name ]
# Prompts and defaults for `openssl req`. `#@CN@`, `#@OU@` and `@DOMAIN@` are
# template anchors a setup script is expected to rewrite (NOTE(review):
# presumably matched at line start -- keep them at column 0 and unchanged).
countryName			= Country Name (2 letter code)
countryName_default		= FI
countryName_min			= 2
countryName_max			= 2

# Prompted for, but dropped by policy_match / policy_osu_server, which do not
# list localityName.
localityName			= Locality Name (eg, city)
localityName_default		= Tuusula

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= @DOMAIN@

##organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
#@OU@

commonName			= Common Name (e.g. server FQDN or YOUR name)
#@CN@
# 64 = RFC 5280 ub-common-name upper bound.
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64
110
# Request attributes (e.g. challengePassword); none are defined.
[ req_attributes ]
112
[ v3_ca ]

# Hotspot 2.0 PKI requirements
# Extensions for this CA's own certificate when it is generated self-signed
# (`openssl req -x509`, see [req] x509_extensions). NOTE(review): when the
# intermediate is instead signed by the root CA, the root's configuration
# decides these extensions, not this section.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# CA:true with pathlen:0 -- may issue end-entity certificates only, never a
# further sub-CA.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
# OCSP responder reporting this CA certificate's own revocation status.
authorityInfoAccess = OCSP;URI:@OCSP_URI@
# For SP intermediate CA
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
# Optional name constraint. NOTE(review): a DNS-only constraint does not
# restrict the otherName form used for the OSU friendly name -- verify the
# intended scope before enabling it.
#nameConstraints=permitted;DNS:.@DOMAIN@
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
125
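[ v3_osu_server ]

# OSU server end-entity certificate. Selected with
# `openssl ca -extensions v3_osu_server` (paired with policy_osu_server).
# CA:FALSE: an OSU server is a TLS end entity, like ext_server below. The
# previous `CA:true, pathlen:0` here marked the server key as a certificate
# issuer, which no server certificate should be.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
extendedKeyUsage = critical, serverAuth
# keyEncipherment only, matching ext_server. NOTE(review): key exchanges where
# the server signs (ECDHE, TLS 1.3) need digitalSignature as well -- confirm
# against the Hotspot 2.0 profile before adding it.
keyUsage = critical, keyEncipherment
# Placeholder the setup script is expected to replace with a subjectAltName
# line (OSU friendly name as otherName) -- keep it at column 0 and unchanged.
#@ALTNAME@

# Logotype extension (RFC 6170, OID 1.3.6.1.5.5.7.1.12), built from the
# LogotypeExtn ASN.1 sections that follow.
#logotypeoid=ASN1:SEQUENCE:LogotypeExtn
1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn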
# ASN.1 module for the RFC 6170 logotype extension referenced from
# v3_osu_server: a single community logo given directly (not by reference),
# a PNG fetched from @LOGO_URI@ and bound by its SHA-256 hash.
[LogotypeExtn]
# communityLogos [0] EXPLICIT SEQUENCE OF LogotypeInfo
communityLogos=EXP:0,SEQUENCE:LogotypeInfo
[LogotypeInfo]
# note: implicit tag converted to explicit for CHOICE
# direct [0] LogotypeData; the indirect (LogotypeReference) alternative is unused.
direct=EXP:0,SEQUENCE:LogotypeData
[LogotypeData]
image=SEQUENCE:LogotypeImage
[LogotypeImage]
imageDetails=SEQUENCE:LogotypeDetails
imageInfo=SEQUENCE:LogotypeImageInfo
[LogotypeDetails]
mediaType=IA5STRING:image/png
# Hash of the image bytes. A client is expected to verify the fetched image
# against it, so the value must be regenerated whenever the image changes.
logotypeHash=SEQUENCE:HashAlgAndValues
logotypeURI=SEQUENCE:URI
[HashAlgAndValues]
value1=SEQUENCE:HashAlgAndValueSHA256
# SHA-1 alternative left disabled; the sections for it are kept below.
#value2=SEQUENCE:HashAlgAndValueSHA1
[HashAlgAndValueSHA256]
hashAlg=SEQUENCE:sha256_alg
# Template placeholder: hex SHA-256 of the image file.
hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@
[HashAlgAndValueSHA1]
hashAlg=SEQUENCE:sha1_alg
hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@
[sha256_alg]
algorithm=OID:sha256
[sha1_alg]
algorithm=OID:sha1
[URI]
uri=IA5STRING:@LOGO_URI@
[LogotypeImageInfo]
# default value color(1), component optional
#type=IMP:0,INTEGER:1
# Hard-coded image metadata (bytes, pixels). NOTE(review): these must describe
# the actual file served at @LOGO_URI@ -- confirm they are updated together
# with the hash whenever the logo is replaced.
fileSize=INTEGER:7549
xSize=INTEGER:128
ySize=INTEGER:80
# "zxx" = no linguistic content (ISO 639-2).
language=IMP:4,IA5STRING:zxx
170
[ crl_ext ]

# CRL extensions. In effect when the CA section sets `crl_extensions = crl_ext`
# or `openssl ca -gencrl -crlexts crl_ext` is used; with neither, CRLs carry
# no authorityKeyIdentifier.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
175
[ v3_OCSP ]

# Delegated OCSP responder certificate (select with -extensions v3_OCSP).
basicConstraints = CA:FALSE
# NOTE(review): only digitalSignature is needed to sign OCSP responses;
# nonRepudiation and keyEncipherment widen what this key may be used for.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Authorises the key to sign responses on behalf of the issuing CA.
# NOTE(review): no id-pkix-ocsp-nocheck is set, so a client checking the
# responder certificate's own status may query this same responder -- confirm
# that is intended.
extendedKeyUsage = OCSPSigning
181
[ ext_client ]

# End-entity client certificate; the default profile for `openssl ca` via
# CA_default's x509_extensions.
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
# NOTE(review): no keyUsage is set here, so with copy_extensions = copy a CSR
# may supply its own -- confirm whether a fixed keyUsage is wanted.
extendedKeyUsage = clientAuth
190
[ ext_server ]

# Hotspot 2.0 PKI requirements
# End-entity TLS server certificate (select with -extensions ext_server).
basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = critical, serverAuth
# NOTE(review): keyEncipherment alone covers RSA key transport only; key
# exchanges where the server signs (ECDHE, TLS 1.3) need digitalSignature.
# Confirm against the Hotspot 2.0 profile before adding it.
keyUsage = critical, keyEncipherment
201