[ADD] First commit

templates/openssl_root_ca.tmpl

@@ -0,0 +1,53 @@
+[ ca ]
+default_ca = {{ organization_ou }} 
+
+[ CA_default ]
+dir                 = {{ pki_dir }}
+certs               = $dir/certs
+crl_dir             = $dir/crl
+new_certs_dir       = $dir/newcerts
+database            = $dir/index.txt
+serial              = $dir/serial
+private_key			= $dir/private/root_ca.key
+RANDFILE			= $dir/private/.rand
+
+default_md          = sha512
+
+name_opt            = ca_default
+cert_opt            = ca_default
+default_days        = {{ default_cert_duration }}
+preserve            = no
+policy              = policy_strict
+
+[ policy_strict ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+defaults_bits       = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+prompt              = no
+
+default_md          = sha512
+
+[ req_distinguished_name ]
+C                   = {{ country }}
+ST                  = {{ state }}
+L                   = {{ city }}
+O                   = {{ organization_name }}
+OU                  = {{ organization_ou }}
+CN                  = {{ organization_cn }}
+
+[ v3_ca ]
+subjectKeyIdentifier        = hash
+authorityKeyIdentifier      = keyid:always,issuer
+basicConstraints            = critical, CA:true
+keyUsage                    = critical, digitalSignature, cRLSign, keyCertSign
+
+crlDistributionPoints       = {{ crl_uri }}
+

templates/openssl_server_cert.tmpl

@@ -0,0 +1,131 @@
+set_dns             = {{ dc_name }}
+set_dc_guid         = {{ dc_guid }}
+
+set_crp_default     = {{ crl_uri }}
+CRLDISTPT           = $set_crp_default
+
+oid_section = new_oids
+
+[ new_oids ]
+msADGUID=1.3.6.1.4.1.311.25.1
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = {{ pki_dir }}
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+private			  = $dir/private
+
+# The root key and root certificate.
+private_key       = $dir/private/root_ca.key
+certificate       = $dir/certs/root_ca.crt
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha512
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = {{ default_crl_duration }}
+preserve          = no
+policy            = policy_loose
+
+default_crl_days    = 90
+
+[ req ]
+default_bits                = 4096
+distinguished_name  = req_distinguished_name
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ req_distinguished_name ]
+countryName         		= Country Name (2 letter code)
+countryName_default 		= {{ country }}
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = {{ state }}
+
+localityName                = Locality Name (eg, city)
+localityName_default        = {{ city }}
+
+organizationName    		= Organization Name
+organizationName_default 	= {{ organization_name }}
+
+organizationalUnitName      = Organizational Unit Name
+organizationalUnitName_default      = {{ organization_unit }}
+
+commonName          		= Common Name (eg, Your Name or server name)
+commonName_max              = 64
+
+emailAddress                = Email Address
+emailAddress_max    		= 64
+
+########################################## Domain Controller Certificate #####################################
+[ usr_cert_mskdc ]
+
+# These extensions are added when 'ca' signs a request for a domain controller certificate.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+nsCertType          = server
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment           = "Domain Controller Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=@dc_subjalt
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl       = $CRLDISTPT
+
+#Extended Key requirements for our domain controller certs
+# serverAuth - says cert can be used to identify an ssl/tls server
+# pkInitKDC - says cert can be used to identify a Kerberos Domain Controller.
+extendedKeyUsage = clientAuth,serverAuth,pkInitKDC
+
+[dc_subjalt]
+DNS=$set_dns
+otherName=msADGUID;FORMAT:HEX,OCTETSTRING:$set_dc_guid

templates/openssl_user_cert.tmpl

@@ -0,0 +1,121 @@
+set_crp_default     = {{ crl_uri }}
+CRLDISTPT           = $set_crp_default
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = {{ pki_dir }}
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+private			  = $dir/private
+
+# The root key and root certificate.
+private_key       = $dir/private/root_ca.key
+certificate       = $dir/certs/root_ca.crt
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha512
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = {{ default_crl_duration }}
+preserve          = no
+policy            = policy_loose
+
+default_crl_days    = 90
+
+[ req ]
+default_bits                = 4096
+distinguished_name  = req_distinguished_name
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ req_distinguished_name ]
+countryName         		= Country Name (2 letter code)
+countryName_default 		= {{ country }}
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = {{ state }}
+
+localityName                = Locality Name (eg, city)
+localityName_default        = {{ city }}
+
+organizationName    		= Organization Name
+organizationName_default 	= {{ organization_name }}
+
+organizationalUnitName      = Organizational Unit Name
+organizationalUnitName_default      = {{ organization_unit }}
+
+commonName          		= Common Name (eg, Your Name or server name)
+commonName_max              = 64
+
+emailAddress                = Email Address
+emailAddress_max    		= 64
+
+########################################### User Certificates ################################################
+[ usr_cert_scarduser ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment           = "Smart Card Login Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+#subjectAltName=email:copy,otherName:msUPN;UTF8:kguerineau@ad.tranqui.it
+subjectAltName = @sanuser
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl       = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,msSmartcardLogin
+