upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-03-14 06:32:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/bin/tests/system/doth/CA/CA.cfg
Aram Sargsyan 60f1a73754 Fix a typo in doth system test's CA.cfg 
The comments in CA.cfg file serve as a good tutorial for setting up
a simple PKI for a system test. There is a typo in one of the presented
commands, which results in openssl not exiting with an error message
instead of generating a certificate.

Fix the typo.
2022-09-23 13:23:49 +00:00

121 lines
5.3 KiB
INI
Raw Blame History

## How To
# To issue a certificate:
#
# 1. Generate the next certificate serial (if the file does not exist):
# xxd -l 8 -u -ps /dev/urandom > ./serial
# 2. Create the new certificate request (e.g. for foo.example.com):
# openssl req -config ./CA.cfg -new -subj "/CN=foo.example.com" \
# -addext "subjectAltName=DNS:foo.example.com,IP:X.X.X.X" \
# -newkey rsa -keyout ./certs/foo.example.com.key \
# -out ./certs/foo.example.com.csr
#
# The above will generate request for an RSA-based certificate. One
# can issue an ECDSA-based certificate by replacing "-newkey rsa" with
# "-newkey ec -pkeyopt ec_paramgen_curve:secp384r1".
#
# 3. Issue the certificate:
# openssl ca -config ./CA.cfg -in ./certs/foo.example.com.csr \
# -out ./certs/foo.example.com.pem
#
# To cleanup the internal database from expired certificates:
#
# 1. openssl ca -config ./CA.cfg -updatedb
#
# To revoke a certificate:
#
# 1. Revoke the certificate via file (e.g. for foo.example.com):
# openssl ca -config ./CA.cfg -revoke ./certs/foo.example.com.pem
# 2. Optionally remove the certificate file if you do not need it anymore:
# rm ./certs/foo.example.com.pem
# 3. Generate the certificate revocation list file: CRL (e.g. revoked.crl):
# openssl ca -config ./CA.cfg -gencrl > ./revoked.crl
#
# The key for CA was generated like follows
# openssl genrsa -out ./CA.key 3072
# openssl req -x509 -new -key ./CA.key -days 10950 -out ./CA.pem
#
# See also:
#
# - https://jamielinux.com/docs/openssl-certificate-authority/index.html
# - https://www.openssl.org/docs/man1.1.1/man1/ca.html
# - https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html
# - https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
# - https://security.stackexchange.com/a/190646 - for ECDSA certificates
# - https://gist.github.com/Soarez/9688998
# - https://habr.com/ru/post/192446/ - Beware, your screen might "go Cyrillic"!
# certificate authority configuration
[ca]
default_ca = CA_default # The default ca section
[CA_default]
dir = .
new_certs_dir = $dir/newcerts # new certs dir (must be created)
certificate = $dir/CA.pem # The CA cert
private_key = $dir/private/CA.key # CA private key
serial = $dir/serial # serial number file for the next certificate
# Update before issuing it:
# xxd -l 8 -u -ps /dev/urandom > ./serial
database = $dir/index.txt # (must be created manually: touch ./index.txt)
default_days = 10950 # how long to certify for
#default_crl_days = 30 # the number of days before the
default_crl_days = 10950 # next CRL is due. That is the
# days from now to place in the
# CRL nextUpdate field. If CRL
# is expired, certificate
# verifications will fail even
# for otherwise valid
# certificates. Clients might
# cache the CRL, so the expiry
# period should normally be
# relatively short (default:
# 30) for production CAs.
default_md = sha256 # digest to use
policy = policy_default # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
# We need the following in order to copy Subject Alt Name(s) from a
# request to the certificate.
copy_extensions = copy # copy extensions from request
[policy_default]
countryName = optional
stateOrProvinceName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# default certificate requests settings
[req]
# Options for the `req` tool (`man req`).
default_bits = 3072 # for RSA only
distinguished_name = req_default
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-256 instead.
default_md = sha256
# do not encrypt the private key file
encrypt_key = no
[req_default]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (e.g., city)
0.organizationName = Organization Name (e.g., company)
organizationalUnitName = Organizational Unit Name (e.g. department)
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address
# defaults
countryName_default = UA
stateOrProvinceName_default = Kharkiv Oblast
localityName_default = Kharkiv
0.organizationName_default = ISC
organizationalUnitName_default = Software Engeneering (BIND 9)
Reference in a new issue View git blame Copy permalink