[IMP] add new work

2024-05-07 14:56:21 +02:00
parent 7a4fe704bf
commit fa3dedd02f
8 changed files with 255 additions and 84 deletions
@@ -0,0 +1,24 @@
+[ req ]
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+prompt              = no
+
+[ v3_ca ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer
+basicConstraints        = critical, CA:true
+keyUsage                = critical, digitalSignature, cRLSign, keyCertSign
+default_md              = sha512
+crlDistributionPoints   = {{ intermediate_crl_uri }}
+nsCertType              = sslCA, emailCA
+issuerAltName           = issuer:copy
+
+[ req_distinguished_name ]
+C   = {{ country }}
+ST  = {{ state }}
+L   = {{ city }}
+O   = {{ organization_name }}
+OU  = {{ organization_ou }}
+CN  = {{ intermediate_organization_cn }}
+
@@ -1,5 +1,5 @@
 [ ca ]
-default_ca = {{ organization_ou }} 
+default_ca = CA_default

 [ CA_default ]
 dir                 = {{ pki_dir }}
@@ -24,8 +24,8 @@ serial            = $dir/serial
 private			  = $dir/private

 # The root key and root certificate.
-private_key       = $dir/private/root_ca.key
-certificate       = $dir/certs/root_ca.crt
+private_key       = {{ dc_ca_keyfile }}
+certificate       = {{ dc_ca_certfile }}

 # SHA-1 is deprecated, so use SHA-2 instead.
 default_md        = sha512
@@ -36,7 +36,7 @@ default_days      = {{ default_crl_duration }}
 preserve          = no
 policy            = policy_loose

-default_crl_days    = 90
+default_crl_days    = {{ default_crl_duration }}

 [ req ]
 default_bits                = 4096
@@ -0,0 +1,43 @@
+[ ca ]
+
+default_ca          = CA_default
+
+[ CA_default ]
+dir                 = {{ pki_dir }}
+certs               = $dir/certs
+crl_dir             = $dir/crl
+new_certs_dir       = $dir/newcerts
+database            = $dir/index.txt
+serial              = $dir/serial
+
+private_key         = {{ root_ca_keyfile }}
+certificate         = {{ root_ca_certfile }}
+
+default_md          = sha512
+
+name_opt            = ca_default
+cert_opt            = ca_default
+default_days        = 1825
+preserve            = no
+policy              = policy_loose
+default_crl_days    = {{ default_crl_duration }}
+
+[ policy_loose ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier        = hash
+authorityKeyIdentifier      = keyid:always,issuer
+basicConstraints            = critical, CA:true, pathlen:0
+keyUsage                    = critical, digitalSignature, cRLSign, keyCertSign
+
+crlDistributionPoints       = {{ intermediate_crl_uri }}
+nsCertType                  = sslCA, emailCA
+issuerAltName               = issuer:copy
+
@@ -16,8 +16,8 @@ serial            = $dir/serial
 private			  = $dir/private

 # The root key and root certificate.
-private_key       = $dir/private/root_ca.key
-certificate       = $dir/certs/root_ca.crt
+private_key       = {{ dc_ca_keyfile }}
+certificate       = {{ dc_ca_certfile }}

 # SHA-1 is deprecated, so use SHA-2 instead.
 default_md        = sha512
@@ -28,10 +28,10 @@ default_days      = {{ default_crl_duration }}
 preserve          = no
 policy            = policy_loose

-default_crl_days    = 90
+default_crl_days    = {{ default_crl_duration }}

 [ req ]
-default_bits                = 4096
+default_bits        = {{ default_bits_user }}
 distinguished_name  = req_distinguished_name

 [ policy_loose ]
@@ -73,9 +73,12 @@ organizationalUnitName_default      = {{ organization_unit }}

 commonName          		= Common Name (eg, Your Name or server name)
 commonName_max              = 64
+commonName_default          = {{ commonName }}

 emailAddress                = Email Address
 emailAddress_max    		= 64
+emailAddress_default        = {{ emailAddress }}
+

 ########################################### User Certificates ################################################
 [ usr_cert_scarduser ]