# openssl.cnf -- private root CA for Privoxy plus the adblock2privoxy-nginx
# server certificate. Read by `openssl req`/`openssl ca` via -config. All
# paths in CA_default are relative, so run every command below from the
# certs/ directory. The commands that build the CA follow.
# Clean start -- WARNING: this deletes the CA private key and the issuance
# database, so every certificate already issued by this CA becomes untrusted.
# rm ca.* index.txt* serial*
##################
# CA
##################
# Privoxy Root CA
# mkdir certs && cd certs
# touch index.txt
# echo 1000 > serial
# CA certificate encrypted key passphrase, both -passin and -passout.
# The passphrase lives in a plaintext file next to the key, so create it under
# a restrictive umask: a chmod after the write leaves a window in which the
# file is readable by others under a permissive umask.
# umask 077
# sf-pwgen --algorithm memorable --count 2 --length 24 2>/dev/null | paste -s -d -- '-' \
# 1>passphrase.txt || true
# Fall back to openssl rand when sf-pwgen is missing or produced too little.
# NOTE: inside [ ], "<" is a shell redirection, not a comparison -- use -lt,
# otherwise the test reads from a file named "20" and the fallback never runs.
# if [ $(head -1 passphrase.txt | wc -c) -lt 20 ]; then openssl rand -base64 23 1>passphrase.txt 2>/dev/null; fi
# Duplicate the line: when one file feeds both -passin and -passout, the first
# line is the input password and the second the output password (pkcs12 below).
# cat passphrase.txt passphrase.txt > passphrase-dbl.txt \
# && mv passphrase-dbl.txt passphrase.txt \
# || rm -f passphrase-dbl.txt
# chmod go-rwx passphrase.txt
# CA encrypted key
# EC
# openssl genpkey -out ca.key.pem -algorithm EC \
# -pkeyopt ec_paramgen_curve:P-256 -aes256 \
# -pass file:passphrase.txt
#
# RSA (alternative; 2048 bits is the floor -- for a 10-year root prefer 3072+ or the EC key above)
# # openssl genpkey -out ca.key.pem -algorithm RSA \
# # -pkeyopt rsa_keygen_bits:2048 -aes256 \
# # -pass file:passphrase.txt
# CA certificate (self-signed, 10 years; -extensions v3_ca is honoured because -x509 is given).
# These commands run inside certs/, and CA_default expects ./ca.cert.pem, so
# write the certificate to the current directory -- not certs/ca.cert.pem,
# which would land in certs/certs/ and not be found by the steps below.
# openssl req -config openssl.cnf \
# -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.cert.pem \
# -key ca.key.pem -passin file:passphrase.txt -batch
# CA certificate text verification
# openssl x509 -text -noout -in ca.cert.pem
# CA certificate openssl self-verification
# openssl verify -CAfile ca.cert.pem ca.cert.pem
# CA convert to PKCS12
# Note: `man openssl`: "If the same pathname
# argument is supplied to -passin and -passout arguments then the
# first line will be used for the input password and the next line
# for the output password."
# openssl pkcs12 -export -out ca.p12 \
# -inkey ca.key.pem -in ca.cert.pem \
# -passin file:passphrase.txt \
# -passout file:passphrase.txt
# verify .p12 passphrase
# openssl pkcs12 -noout -in ca.p12 -passin file:passphrase.txt
######################
# Server certificates
######################
# Prepare an EMPTY CA directory for issuing. Run this at most once, right after
# creating the CA: it wipes index.txt (the issuance database) and resets the
# serial counter, so re-running it on a CA that has already issued certificates
# reuses serial 01 under the same issuer. RFC 5280 requires issuer+serial to be
# unique, and clients such as Firefox reject the duplicate
# (SEC_ERROR_REUSED_ISSUER_AND_SERIAL). To re-issue for the same subject,
# revoke the old certificate (`openssl ca -config openssl.cnf -revoke <cert>`)
# instead of deleting the database, or issue with `openssl ca -rand_serial`
# (OpenSSL >= 1.1.1) so serials are random and never collide.
# rm serial* 01.pem index.txt ; echo 01 > serial ; touch index.txt
# Server certificate encrypted key and decrypted key.
# nginx needs the unencrypted copy; create it under umask 077 so it is never
# world-readable, even briefly, and never commit it or bake it into an image.
# openssl genpkey -out adblock2privoxy-nginx.key.pem \
# -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -aes256 \
# -pass file:passphrase.txt
# (umask 077; openssl ec -in adblock2privoxy-nginx.key.pem -passin file:passphrase.txt \
# -out adblock2privoxy-nginx.key.pem.decrypted)
# chmod go-rwx adblock2privoxy-nginx.key.pem.decrypted
# Server certificate CSR
# Note: without -x509, `req -extensions` is ignored on OpenSSL 1.1.1 (the CSR
# option there is -reqexts; 3.x accepts either). It does not matter here: the
# issuing step below passes -extensions server_cert itself and copy_extensions
# is unset in CA_default, so whatever the CSR carries is discarded anyway.
# openssl req -config openssl.cnf -new -sha256 -extensions server_cert \
# -key adblock2privoxy-nginx.key.pem -passin file:passphrase.txt \
# -out adblock2privoxy-nginx.csr.pem -batch
# Server certificate (825 days is the maximum validity Apple platforms accept)
# https://support.apple.com/en-us/HT210176
# -subj replaces the subject taken from the CSR, so the req_distinguished_name
# defaults above only shape the CA certificate; policy_strict needs just CN.
# openssl ca -config openssl.cnf -days 825 -notext -md sha256 \
# -extensions server_cert -in adblock2privoxy-nginx.csr.pem \
# -out adblock2privoxy-nginx.cert.pem -passin file:passphrase.txt \
# -subj '/CN=adblock2privoxy-nginx' -batch
# Server certificate chain of trust
# cat adblock2privoxy-nginx.cert.pem ca.cert.pem > adblock2privoxy-nginx.chain.pem
# Server certificate text
# openssl x509 -in adblock2privoxy-nginx.cert.pem -text -noout
# Server certificate and chain validity
# openssl verify -CAfile ca.cert.pem adblock2privoxy-nginx.cert.pem
# openssl verify -CAfile ca.cert.pem adblock2privoxy-nginx.chain.pem
# DH params
# openssl dhparam -out dhparam.pem 2048
[ca]
# `openssl ca` reads this section by default; it only names the real one.
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
# Every path is relative to the working directory, so `openssl ca` must be
# run from the CA directory (the commands above `cd certs` first).
dir = .
certs = $dir
crl_dir = $dir
# Each issued certificate is also dropped here as <serial>.pem (e.g. 01.pem).
new_certs_dir = $dir
# index.txt is the issuance database: it is what lets the CA refuse a
# duplicate subject and what -revoke / -gencrl operate on. Do not delete it
# once certificates have been issued.
database = $dir/index.txt
# Next serial number (hex). Issuer+serial must never repeat (RFC 5280).
serial = $dir/serial
# Legacy seed file for the ca app; modern OpenSSL seeds from the OS and may
# ignore it. Harmless to keep.
RANDFILE = $dir/.rand
# The root key and root certificate.
private_key = $dir/ca.key.pem
certificate = $dir/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
# 825 days: the maximum Apple platforms accept for TLS server certificates.
default_days = 825
# Re-order the subject DN to match the policy section rather than the request.
preserve = no
# Only commonName is mandatory; every other DN component is optional.
# copy_extensions is deliberately left at its default (none): extensions come
# solely from the section named by -extensions, so a CSR cannot smuggle in
# its own subjectAltName or basicConstraints.
policy = policy_strict
[ policy_strict ]
# Used by CA_default. Inherited from a root/intermediate layout, but in this
# file the root signs server certificates directly, so this is the policy
# for leaf certificates: only commonName must be present in the request
# (or supplied via `openssl ca -subj`); all other components are optional.
# See the POLICY FORMAT section of `man ca`.
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Not referenced by CA_default (this file has no intermediate CA). Kept as a
# more permissive alternative in which even commonName is optional, so a
# request may carry any DN. Select it with `openssl ca -policy policy_loose`.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[req]
# Options for the `req` tool (`man req`).
# default_bits only applies when req generates the key itself (-newkey);
# the commands above create keys with genpkey, so it is unused here.
# default_bits = 4096
default_bits = 2048
# `prompt` is not set, so req runs in prompt mode and -batch takes the
# *_default values from this section.
distinguished_name = req_distinguished_name
# Encode all DN strings as UTF8String, the form RFC 5280 prefers.
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
[req_distinguished_name]
# Prompt-mode DN template ([req] does not set `prompt = no`). In this mode a
# bare `field = text` entry is only the label shown when prompting
# interactively; `field_default` is the value that -batch actually uses, and
# `_min`/`_max` bound its length. Fields with no `_default`
# (organizationalUnitName, emailAddress) are skipped under -batch.
# The server certificate gets its subject from `openssl ca -subj` instead,
# so these defaults shape the CA certificate only.
countryName = US
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Massachusetts
stateOrProvinceName_default = Massachusetts
localityName = Boston
localityName_default = Boston
0.organizationName = Adblock2Privoxy
0.organizationName_default = Adblock2Privoxy
organizationalUnitName = adblock2privoxy-nginx
commonName = adblock2privoxy-nginx
commonName_default = adblock2privoxy-nginx
# 64 is the X.520 upper bound for commonName.
commonName_max = 64
# NOTE(review): the address below appears mangled by the page extraction
# ("[email protected]") -- confirm against the repository before relying on it.
emailAddress = [email protected]
emailAddress_max = 40
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`); selected with
# `openssl req -x509 -extensions v3_ca` when the root is self-signed.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
# No pathlen, so this root may issue sub-CAs. It only ever signs leaf
# certificates in this setup, so `critical, CA:true, pathlen:0` would be a
# free hardening if no intermediate is planned.
basicConstraints = critical, CA:true
# digitalSignature is included so the CA key can also sign OCSP responses
# directly; certificate and CRL signing need only keyCertSign and cRLSign.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# Not referenced by any command in this file; select with
# `openssl ca -extensions v3_intermediate_ca` if an intermediate is added.
subjectKeyIdentifier = hash
# If this section is ever used, re-enable the AKI: RFC 5280 s4.2.1.1 requires
# it in every CA-issued certificate and chain builders rely on it.
#authorityKeyIdentifier = keyid:always, issuer
# pathlen:0 stops the intermediate from issuing further CAs.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
# Not referenced by any command in this file; select with
# `openssl ca -extensions usr_cert`.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
# keyEncipherment is only meaningful for RSA keys (RFC 5480 s3 says it
# SHOULD NOT be set for EC keys); TLS client auth needs digitalSignature.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
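[ server_cert ]
# Extensions for server certificates (`man x509v3_config`); applied by
# `openssl ca -extensions server_cert`. Because copy_extensions is unset in
# CA_default, this section -- not the CSR -- decides every extension.
basicConstraints = CA:FALSE
# keyEncipherment only matters for RSA key exchange; the documented server
# key is EC P-384, for which RFC 5480 s3 says it SHOULD NOT be set. Kept so
# an RSA key would still work; ECDHE suites need only digitalSignature.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
# Hostname validation uses subjectAltName only -- current clients ignore the
# commonName (RFC 6125; Chrome 58+). The name the certificate is issued under
# (CN=adblock2privoxy-nginx) is therefore listed here too, so the certificate
# also verifies when nginx is reached by that hostname and not only via
# localhost / 127.0.0.1. Add any further names nginx is served under.
subjectAltName = DNS:adblock2privoxy-nginx, DNS:localhost, IP:127.0.0.1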
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`); wired in through crl_extensions
# in CA_default and applied by `openssl ca -gencrl`.
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# Not referenced by any command in this file; select with
# `openssl ca -extensions ocsp` to issue a delegated responder certificate.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, digitalSignature
# Marked critical so the responder key cannot be repurposed for anything else.
extendedKeyUsage = critical, OCSPSigning
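[ smime ]
# Extensions for S/MIME (e-mail protection) certificates.
# Not referenced by any command in this file; select with
# `openssl ca -extensions smime`.
# Brought in line with usr_cert: an explicit CA:FALSE plus SKI/AKI, so the
# profile cannot be read as a CA certificate and chains build by key id.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
# keyEncipherment wraps the content-encryption key (RSA keys only).
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# email:copy takes the address from the subject DN's emailAddress, so the
# subject must carry one for this critical extension to have a value.
subjectAltName = critical, email:copy
extendedKeyUsage = critical, emailProtection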