set_dns = {{ dc_name }} set_dc_guid = {{ dc_guid }} set_crp_default = {{ crl_uri }} CRLDISTPT = $set_crp_default oid_section = new_oids [ new_oids ] msADGUID=1.3.6.1.4.1.311.25.1 [ ca ] # `man ca` default_ca = CA_default [ CA_default ] # Directory and file locations. dir = {{ pki_dir }} certs = $dir/certs crl_dir = $dir/crl new_certs_dir = $dir/newcerts database = $dir/index.txt serial = $dir/serial private = $dir/private # The root key and root certificate. private_key = {{ dc_ca_keyfile }} certificate = {{ dc_ca_certfile }} # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha512 name_opt = ca_default cert_opt = ca_default default_days = {{ default_crl_duration }} preserve = no policy = policy_loose default_crl_days = {{ default_crl_duration }} [ req ] default_bits = 4096 distinguished_name = req_distinguished_name [ policy_loose ] # Allow the intermediate CA to sign a more diverse range of certificates. # See the POLICY FORMAT section of the `ca` man page. countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ server_cert ] # Extensions for server certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = {{ country }} stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = {{ state }} localityName = Locality Name (eg, city) localityName_default = {{ city }} organizationName = Organization Name organizationName_default = {{ organization_name }} organizationalUnitName = Organizational Unit Name organizationalUnitName_default = {{ organization_unit }} commonName = Common Name (eg, Your Name or server name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 ########################################## Domain Controller Certificate ##################################### [ usr_cert_mskdc ] # These extensions are added when 'ca' signs a request for a domain controller certificate. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE crlDistributionPoints=URI:$CRLDISTPT # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. nsCertType = server # This is typical in keyUsage for a client certificate. keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "Domain Controller Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. subjectAltName=@dc_subjalt # Copy subject details issuerAltName=issuer:copy nsCaRevocationUrl = $CRLDISTPT #Extended Key requirements for our domain controller certs # serverAuth - says cert can be used to identify an ssl/tls server # pkInitKDC - says cert can be used to identify a Kerberos Domain Controller. extendedKeyUsage = clientAuth,serverAuth,pkInitKDC [dc_subjalt] DNS=$set_dns otherName=msADGUID;FORMAT:HEX,OCTETSTRING:$set_dc_guid