Fichiers de configuration utilisés
root-ca.cnf :
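# root-ca.cnf -- used with `openssl req -x509` to generate the self-signed root CA certificate
[ req ]
# RSA key size. 1024-bit keys are below the 2048-bit minimum accepted by
# current verifiers; a root key is long-lived, so 4096 is used here.
default_bits = 4096
default_keyfile = private/ca.key
# Signature digest. MD5 is collision-broken and MD5-signed certificates are
# rejected by modern clients; SHA-256 is the current baseline.
default_md = sha256
distinguished_name = req_distinguished_name
# extensions applied to the self-signed certificate (only read with -x509)
x509_extensions = rootca_cert
[ req_distinguished_name ]
# prompts shown by `openssl req`; *_default pre-fills the answer, *_min/*_max bound its length
countryName = Pays
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Etat, province ou departement
stateOrProvinceName_default = Essonne
localityName = Ville
localityName_default = SBZ
organizationName = Organisation
organizationName_default = ISET
organizationalUnitName = Unite organisationnelle
organizationalUnitName_default = TI
commonName = Nom commun
commonName_default = ISET TI Root CA
commonName_max = 64
emailAddress = Adresse mail
emailAddress_max = 64
[ rootca_cert ]
# extensions included in the root CA certificate:
# CA:true marks a CA certificate; keyUsage restricts the key to signing certificates and CRLs
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
authorityKeyIdentifier = keyid:always,issuer:always
# legacy Netscape extensions, ignored by current clients but harmless
nsCertType = sslCA, emailCA, objCA
nsComment = "Certificat Racine. Genere par OpenSSL"
# subjectAltName = email:copy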
req-subca.cnf :
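# req-subca.cnf -- used with `openssl req -new` to generate the intermediate CA certificate request
[ req ]
# RSA key size. 1024-bit keys are below the 2048-bit minimum accepted by
# current verifiers; a CA key is long-lived, so 4096 is used here.
default_bits = 4096
default_keyfile = private/subca.key
# Signature digest for the request. MD5 is collision-broken; use SHA-256.
default_md = sha256
distinguished_name = req_distinguished_name
# Extensions to embed in the CSR. `x509_extensions` is only consulted with
# -x509 (self-signed output); for a request the directive is `req_extensions`.
# Note: the signing CA config (ca-subca.cnf) uses copy_extensions = none, so the
# issued certificate's extensions come from that file's subca_cert section.
req_extensions = subca_req
# no BMPStrings in DN fields (compatibility with older software)
string_mask = nombstr
[ req_distinguished_name ]
# prompts shown by `openssl req`; *_default pre-fills the answer, *_min/*_max bound its length
countryName = Pays
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Etat, province ou departement
stateOrProvinceName_default = Essonne
localityName = Ville
localityName_default = SBZ
organizationName = Organisation
organizationName_default = ISET
organizationalUnitName = Unite organisationnelle
organizationalUnitName_default = TI
commonName = Nom commun
commonName_default = ISET TI Server CA
commonName_max = 64
emailAddress = Adresse mail
emailAddress_max = 64
[ subca_req ]
# requested extensions for an intermediate CA: CA:true plus cert/CRL signing only
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, keyCertSign, cRLSign
# nsCertType = sslCA, emailCA, objCA
# nsComment = "Requete de signature de certificat"
# subjectAltName = email:copy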
req-server.cnf :
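# req-server.cnf -- used with `openssl req -new` to generate a server certificate request
[ req ]
# RSA key size. 1024-bit keys are below the 2048-bit minimum accepted by current verifiers.
default_bits = 2048
default_keyfile = private/server.key
# Signature digest for the request. MD5 is collision-broken; use SHA-256.
default_md = sha256
distinguished_name = req_distinguished_name
# Extensions to embed in the CSR. The original `x509_extension` (singular) is
# not an OpenSSL directive and was silently ignored; `x509_extensions` would
# only apply with -x509, so for a request the directive is `req_extensions`.
# Note: the signing CA config (ca-server.cnf) uses copy_extensions = none, so the
# issued certificate's extensions come from that file's server_cert section.
req_extensions = server_req
# no BMPStrings in DN fields (compatibility with older software)
string_mask = nombstr
[ req_distinguished_name ]
# prompts shown by `openssl req`; *_default pre-fills the answer, *_min/*_max bound its length
countryName = Pays
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Etat, province ou departement
stateOrProvinceName_default = Essonne
localityName = Ville
localityName_default = SBZ
organizationName = Organisation
organizationName_default = ISET
organizationalUnitName = Unite organisationnelle
organizationalUnitName_default = TI
# For a server certificate the CN should be the server's DNS name, not the CA name
# the prompt suggests; modern TLS clients additionally require a matching subjectAltName.
commonName = Nom commun (ex: nom de la root CA)
commonName_default = ISET TI Server1 CA
commonName_max = 64
emailAddress = Adresse mail
emailAddress_max = 64
[ server_req ]
# requested extensions for an end-entity TLS certificate
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
# legacy Netscape extension, ignored by current clients
nsCertType = server
# nsComment = "Requete de signature de certificat"
# subjectAltName = email:copy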
ca-server.cnf :
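# ca-server.cnf -- used with `openssl ca` to sign a server certificate with the intermediate CA
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /home/sana/pki # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/ca.crl # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
# 730 days; public TLS certificates are limited to shorter lifetimes by browsers,
# so reduce this if the certificates are served to browser clients
default_days = 730 # how long to certify for
default_crl_days = 30 # how long before next CRL
# MD5 is collision-broken and MD5-signed certificates are rejected by modern clients
default_md = sha256 # which md to use.
Preserve = no # keep passed DN ordering
# extensions written into every issued certificate (the request's own are discarded, see below)
x509_extensions = server_cert
# none: extensions present in the CSR are ignored; only server_cert applies
copy_extensions = none
policy = policy_anything
[ server_cert ]
# end-entity TLS certificate profile
basicConstraints = critical, CA:false
authorityKeyIdentifier = keyid:always
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
# legacy Netscape extensions, ignored by current clients
nsCertType = server, objsign
nsComment = "Certificat serveur genere par OpenSSL pour INT/LOR"
# Modern TLS clients ignore the CN and require a subjectAltName matching the
# hostname. Because copy_extensions = none drops any SAN from the request, it
# has to be set in this section (placeholder hostname, adjust per server):
# subjectAltName = DNS:<server-fqdn>
#subjectAltName = email:copy
#issuerAltName = issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ policy_anything ]
# DN policy: supplied = must be present in the request, optional = may be absent
countryName = supplied
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional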
ca-subca.cnf :
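# ca-subca.cnf -- used with `openssl ca` to sign the intermediate CA certificate with the root CA
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /home/sana/pki # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/ca.crl # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
# about 12 years for the intermediate CA
default_days = 4383 # how long to certify for
default_crl_days = 30 # how long before next CRL
# MD5 is collision-broken and MD5-signed certificates are rejected by modern clients
default_md = sha256 # which md to use.
Preserve = no # keep passed DN ordering
# extensions written into the issued intermediate certificate (the request's own are discarded)
x509_extensions = subca_cert
# none: extensions present in the CSR are ignored; only subca_cert applies
copy_extensions = none
policy = policy_match
[ subca_cert ]
# intermediate CA profile: CA:true, key limited to signing certificates and CRLs.
# If this CA only issues end-entity certificates, add `pathlen:0` so it cannot
# create further sub-CAs: basicConstraints = critical, CA:true, pathlen:0
basicConstraints = critical, CA:true
authorityKeyIdentifier = keyid:always, issuer:always
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
# nsCertType = sslCA, emailCA, objCA
nsComment = "Genere par OpenSSL"
# subjectAltName = email:copy
[ policy_match ]
# DN policy: match = must equal the CA's value, supplied = required, optional = may be absent
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional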