Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.

127 linhas
4.2KB

  1. {{ ansible_managed | comment }}
  2. [ ca ]
  3. # `man ca`
  4. default_ca = CA_default
  5. [ CA_default ]
  6. # Directory and file locations.
  7. dir = {{ certificate_authority_directory }}
  8. certs = $dir/certs
  9. crl_dir = $dir/crl
  10. new_certs_dir = $dir/newcerts
  11. database = $dir/index
  12. serial = $dir/serial
  13. RANDFILE = $dir/private/.rand
  14. # The root key and root certificate.
  15. private_key = $dir/private/ca.key.pem
  16. certificate = $dir/certs/ca.cert.pem
  17. # For certificate revocation lists.
  18. crlnumber = $dir/crlnumber
  19. crl = $dir/crl/ca.crl.pem
  20. crl_extensions = crl_ext
  21. default_crl_days = 30
  22. # SHA-1 is deprecated, so use SHA-2 instead.
  23. default_md = sha256
  24. name_opt = ca_default
  25. cert_opt = ca_default
  26. preserve = no
  27. policy = policy_{{ certificate_authority_policy }}
  28. copy_extensions = copy
  29. default_enddate = {{ lookup('pipe','date -u --date="'+(certificate_authority_enddate|string)+'" +%Y%m%d%H%M%SZ') }}
  30. [ policy_strict ]
  31. # The root CA should only sign intermediate certificates that match.
  32. # See the POLICY FORMAT section of `man ca`.
  33. countryName = match
  34. stateOrProvinceName = match
  35. organizationName = match
  36. organizationalUnitName = optional
  37. commonName = supplied
  38. emailAddress = optional
  39. [ policy_strict_org ]
  40. # The root CA should only sign intermediate certificates that match.
  41. # See the POLICY FORMAT section of `man ca`.
  42. countryName = optional
  43. stateOrProvinceName = optional
  44. organizationName = match
  45. organizationalUnitName = optional
  46. commonName = supplied
  47. emailAddress = optional
  48. [ policy_loose ]
  49. # Allow the intermediate CA to sign a more diverse range of certificates.
  50. # See the POLICY FORMAT section of the `ca` man page.
  51. countryName = optional
  52. stateOrProvinceName = optional
  53. localityName = optional
  54. organizationName = optional
  55. organizationalUnitName = optional
  56. commonName = supplied
  57. emailAddress = optional
  58. [ req ]
  59. # Options for the `req` tool (`man req`).
  60. default_bits = 2048
  61. distinguished_name = req_distinguished_name
  62. string_mask = utf8only
  63. # SHA-1 is deprecated, so use SHA-2 instead.
  64. default_md = sha256
  65. # Extension to add when the -x509 option is used.
  66. #x509_extensions = v3_ca
  67. [ req_distinguished_name ]
  68. # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
  69. countryName = Country Name (2 letter code)
  70. stateOrProvinceName = State or Province Name
  71. localityName = Locality Name
  72. 0.organizationName = Organization Name
  73. organizationalUnitName = Organizational Unit Name
  74. commonName = Common Name
  75. emailAddress = Email Address
  76. # Optionally, specify some defaults.
  77. countryName_default = {{ certificate_authority_country | default('') }}
  78. stateOrProvinceName_default = {{ certificate_authority_state | default('') }}
  79. localityName_default = {{ certificate_authority_locality | default('') }}
  80. 0.organizationName_default = {{ certificate_authority_organization | default('') }}
  81. organizationalUnitName_default = {{ certificate_authority_organizational_unit | default('') }}
  82. #emailAddress_default =
  83. [ usr_cert ]
  84. # Extensions for client certificates (`man x509v3_config`).
  85. basicConstraints = CA:FALSE
  86. subjectKeyIdentifier = hash
  87. authorityKeyIdentifier = keyid,issuer:always
  88. keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
  89. extendedKeyUsage = clientAuth, emailProtection
  90. [ server_cert ]
  91. # Extensions for server certificates (`man x509v3_config`).
  92. basicConstraints = CA:FALSE
  93. subjectKeyIdentifier = hash
  94. authorityKeyIdentifier = keyid,issuer:always
  95. keyUsage = critical, digitalSignature, keyEncipherment
  96. extendedKeyUsage = serverAuth
  97. [ crl_ext ]
  98. # Extension for CRLs (`man x509v3_config`).
  99. authorityKeyIdentifier=keyid:always
  100. [ ocsp ]
  101. # Extension for OCSP signing certificates (`man ocsp`).
  102. basicConstraints = CA:FALSE
  103. subjectKeyIdentifier = hash
  104. authorityKeyIdentifier = keyid,issuer
  105. keyUsage = critical, digitalSignature
  106. extendedKeyUsage = critical, OCSPSigning