Changes

Jump to navigation Jump to search

SSL Certificate (edit)

Revision as of 11:34, 29 November 2022

493 bytes added ,  11:34, 29 November 2022
m
→‎Generate self signed certificate
Line 123: Line 123:  
==Generate self signed certificate one line==
 
==Generate self signed certificate one line==
 
  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
 
  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
 
+
[https://devopscube.com/create-self-signed-certificates-openssl/ How to create Self-Signed Certificates DevopsCube]
 +
<br />
 
==Installing the Private Key and Certificate==
 
==Installing the Private Key and Certificate==
   Line 152: Line 153:  
Nginx
 
Nginx
 
  <nowiki>server {
 
  <nowiki>server {
 
+
 
  listen  443;
+
  listen  443;
 
+
 
  ssl    on;
+
  ssl    on;
  ssl_certificate    /etc/ssl/su_dominio_com.crt; (o su_dominio_com.crt.pem)
+
  ssl_certificate    /etc/ssl/su_dominio_com.crt; (o su_dominio_com.crt.pem)
  ssl_certificate_key    /etc/ssl/su_dominio_com.key;
+
  ssl_certificate_key    /etc/ssl/su_dominio_com.key;
  add_header Strict-Transport-Security max-age=31536000;
+
  add_header Strict-Transport-Security max-age=31536000;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
+
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+
  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
  server_name su.dominio.com;
+
  server_name su.dominio.com;
  access_log /var/log/nginx/nginx.vhost.access.log;
+
  access_log /var/log/nginx/nginx.vhost.access.log;
  error_log /var/log/nginx/nginx.vhost.error.log;
+
  error_log /var/log/nginx/nginx.vhost.error.log;
  location / {
+
  location / {
  root  /home/www/public_html/su.dominio.com/public/;
+
  root  /home/www/public_html/su.dominio.com/public/;
  index  index.html;
+
  index  index.html;
  }
+
  }
 
+
 
  } </nowiki>
+
  } </nowiki>
    
TODO: gunicorn: Poner aqui init.d script<br />
 
TODO: gunicorn: Poner aqui init.d script<br />
Line 219: Line 220:  
=openssl.cnf=
 
=openssl.cnf=
 
  <nowiki>#
 
  <nowiki>#
  # OpenSSL example configuration file.
+
  # OpenSSL example configuration file.
  # This is mostly being used for generation of certificate requests.
+
  # This is mostly being used for generation of certificate requests.
  #
+
  #
 
+
 
  # This definition stops the following lines choking if HOME isn't
+
  # This definition stops the following lines choking if HOME isn't
  # defined.
+
  # defined.
  HOME = .
+
  HOME = .
  RANDFILE = $ENV::HOME/.rnd
+
  RANDFILE = $ENV::HOME/.rnd
 
+
 
  # Extra OBJECT IDENTIFIER info:
+
  # Extra OBJECT IDENTIFIER info:
  #oid_file = $ENV::HOME/.oid
+
  #oid_file = $ENV::HOME/.oid
  oid_section = new_oids
+
  oid_section = new_oids
 
+
 
  # To use this configuration file with the "-extfile" option of the
+
  # To use this configuration file with the "-extfile" option of the
  # "openssl x509" utility, name here the section containing the
+
  # "openssl x509" utility, name here the section containing the
  # X.509v3 extensions to use:
+
  # X.509v3 extensions to use:
  # extensions =  
+
  # extensions =  
  # (Alternatively, use a configuration file that has only
+
  # (Alternatively, use a configuration file that has only
  # X.509v3 extensions in its main [= default] section.)
+
  # X.509v3 extensions in its main [= default] section.)
 
+
 
  [ new_oids ]
+
  [ new_oids ]
 
+
 
  # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+
  # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
  # Add a simple OID like this:
+
  # Add a simple OID like this:
  # testoid1=1.2.3.4
+
  # testoid1=1.2.3.4
  # Or use config file substitution like this:
+
  # Or use config file substitution like this:
  # testoid2=${testoid1}.5.6
+
  # testoid2=${testoid1}.5.6
 
+
 
  # Policies used by the TSA examples.
+
  # Policies used by the TSA examples.
  tsa_policy1 = 1.2.3.4.1
+
  tsa_policy1 = 1.2.3.4.1
  tsa_policy2 = 1.2.3.4.5.6
+
  tsa_policy2 = 1.2.3.4.5.6
  tsa_policy3 = 1.2.3.4.5.7
+
  tsa_policy3 = 1.2.3.4.5.7
 
+
 
  ####################################################################
+
  ####################################################################
  [ ca ]
+
  [ ca ]
  default_ca = CA_default # The default ca section
+
  default_ca = CA_default # The default ca section
 
+
 
  ####################################################################
+
  ####################################################################
  [ CA_default ]
+
  [ CA_default ]
 
+
 
  dir = ./demoCA # Where everything is kept
+
  dir = ./demoCA # Where everything is kept
  certs = $dir/certs # Where the issued certs are kept
+
  certs = $dir/certs # Where the issued certs are kept
  crl_dir = $dir/crl # Where the issued crl are kept
+
  crl_dir = $dir/crl # Where the issued crl are kept
  database = $dir/index.txt # database index file.
+
  database = $dir/index.txt # database index file.
  #unique_subject = no # Set to 'no' to allow creation of
+
  #unique_subject = no # Set to 'no' to allow creation of
  # several ctificates with same subject.
+
  # several ctificates with same subject.
  new_certs_dir = $dir/newcerts # default place for new certs.
+
  new_certs_dir = $dir/newcerts # default place for new certs.
 
+
 
  certificate = $dir/cacert.pem # The CA certificate
+
  certificate = $dir/cacert.pem # The CA certificate
  serial = $dir/serial # The current serial number
+
  serial = $dir/serial # The current serial number
  crlnumber = $dir/crlnumber # the current crl number
+
  crlnumber = $dir/crlnumber # the current crl number
  # must be commented out to leave a V1 CRL
+
  # must be commented out to leave a V1 CRL
  crl = $dir/crl.pem # The current CRL
+
  crl = $dir/crl.pem # The current CRL
  private_key = $dir/private/cakey.pem# The private key
+
  private_key = $dir/private/cakey.pem# The private key
  RANDFILE = $dir/private/.rand # private random number file
+
  RANDFILE = $dir/private/.rand # private random number file
 
+
 
  x509_extensions = usr_cert # The extentions to add to the cert
+
  x509_extensions = usr_cert # The extentions to add to the cert
 
+
 
  # Comment out the following two lines for the "traditional"
+
  # Comment out the following two lines for the "traditional"
  # (and highly broken) format.
+
  # (and highly broken) format.
  name_opt = ca_default # Subject Name options
+
  name_opt = ca_default # Subject Name options
  cert_opt = ca_default # Certificate field options
+
  cert_opt = ca_default # Certificate field options
 
+
 
  # Extension copying option: use with caution.
+
  # Extension copying option: use with caution.
  # copy_extensions = copy
+
  # copy_extensions = copy
 
+
 
  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+
  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  # so this is commented out by default to leave a V1 CRL.
+
  # so this is commented out by default to leave a V1 CRL.
  # crlnumber must also be commented out to leave a V1 CRL.
+
  # crlnumber must also be commented out to leave a V1 CRL.
  # crl_extensions = crl_ext
+
  # crl_extensions = crl_ext
 
+
 
  default_days = 365 # how long to certify for
+
  default_days = 365 # how long to certify for
  default_crl_days= 30 # how long before next CRL
+
  default_crl_days= 30 # how long before next CRL
  default_md = default # use public key default MD
+
  default_md = default # use public key default MD
  preserve = no # keep passed DN ordering
+
  preserve = no # keep passed DN ordering
 
+
 
  # A few difference way of specifying how similar the request should look
+
  # A few difference way of specifying how similar the request should look
  # For type CA, the listed attributes must be the same, and the optional
+
  # For type CA, the listed attributes must be the same, and the optional
  # and supplied fields are just that :-)
+
  # and supplied fields are just that :-)
  policy = policy_match
+
  policy = policy_match
 
+
 
  # For the CA policy
+
  # For the CA policy
  [ policy_match ]
+
  [ policy_match ]
  countryName = match
+
  countryName = match
  stateOrProvinceName = match
+
  stateOrProvinceName = match
  organizationName = match
+
  organizationName = match
  organizationalUnitName = optional
+
  organizationalUnitName = optional
  commonName = supplied
+
  commonName = supplied
  emailAddress = optional
+
  emailAddress = optional
 
+
 
  # For the 'anything' policy
+
  # For the 'anything' policy
  # At this point in time, you must list all acceptable 'object'
+
  # At this point in time, you must list all acceptable 'object'
  # types.
+
  # types.
  [ policy_anything ]
+
  [ policy_anything ]
  countryName = optional
+
  countryName = optional
  stateOrProvinceName = optional
+
  stateOrProvinceName = optional
  localityName = optional
+
  localityName = optional
  organizationName = optional
+
  organizationName = optional
  organizationalUnitName = optional
+
  organizationalUnitName = optional
  commonName = supplied
+
  commonName = supplied
  emailAddress = optional
+
  emailAddress = optional
 
+
 
  ####################################################################
+
  ####################################################################
  [ req ]
+
  [ req ]
  default_bits = 2048
+
  default_bits = 2048
  default_keyfile = privkey.pem
+
  default_keyfile = privkey.pem
  distinguished_name = req_distinguished_name
+
  distinguished_name = req_distinguished_name
  attributes = req_attributes
+
  attributes = req_attributes
  x509_extensions = v3_ca # The extentions to add to the self signed cert
+
  x509_extensions = v3_ca # The extentions to add to the self signed cert
 
+
 
  # Passwords for private keys if not present they will be prompted for
+
  # Passwords for private keys if not present they will be prompted for
  # input_password = secret
+
  # input_password = secret
  # output_password = secret
+
  # output_password = secret
 
+
 
  # This sets a mask for permitted string types. There are several options.  
+
  # This sets a mask for permitted string types. There are several options.  
  # default: PrintableString, T61String, BMPString.
+
  # default: PrintableString, T61String, BMPString.
  # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+
  # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
  # utf8only: only UTF8Strings (PKIX recommendation after 2004).
+
  # utf8only: only UTF8Strings (PKIX recommendation after 2004).
  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+
  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  # MASK:XXXX a literal mask value.
+
  # MASK:XXXX a literal mask value.
  # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+
  # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
  string_mask = utf8only
+
  string_mask = utf8only
 
+
 
  req_extensions = v3_req # The extensions to add to a certificate request
+
  req_extensions = v3_req # The extensions to add to a certificate request
 
+
 
  [ req_distinguished_name ]
+
  [ req_distinguished_name ]
  countryName = Country Name (2 letter code)
+
  countryName = Country Name (2 letter code)
  countryName_default = AU
+
  countryName_default = AU
  countryName_min = 2
+
  countryName_min = 2
  countryName_max = 2
+
  countryName_max = 2
 
+
 
  stateOrProvinceName = State or Province Name (full name)
+
  stateOrProvinceName = State or Province Name (full name)
  stateOrProvinceName_default = Some-State
+
  stateOrProvinceName_default = Some-State
 
+
 
  localityName = Locality Name (eg, city)
+
  localityName = Locality Name (eg, city)
 
+
 
  0.organizationName = Organization Name (eg, company)
+
  0.organizationName = Organization Name (eg, company)
  0.organizationName_default = Internet Widgits Pty Ltd
+
  0.organizationName_default = Internet Widgits Pty Ltd
 
+
 
  # we can do this but it is not needed normally :-)
+
  # we can do this but it is not needed normally :-)
  #1.organizationName = Second Organization Name (eg, company)
+
  #1.organizationName = Second Organization Name (eg, company)
  #1.organizationName_default = World Wide Web Pty Ltd
+
  #1.organizationName_default = World Wide Web Pty Ltd
 
+
 
  organizationalUnitName = Organizational Unit Name (eg, section)
+
  organizationalUnitName = Organizational Unit Name (eg, section)
  #organizationalUnitName_default =
+
  #organizationalUnitName_default =
 
+
 
  commonName = Common Name (e.g. server FQDN or YOUR name)
+
  commonName = Common Name (e.g. server FQDN or YOUR name)
  commonName_max = 64
+
  commonName_max = 64
 
+
 
  emailAddress = Email Address
+
  emailAddress = Email Address
  emailAddress_max = 64
+
  emailAddress_max = 64
 
+
 
  # SET-ex3 = SET extension number 3
+
  # SET-ex3 = SET extension number 3
 
+
 
  [ req_attributes ]
+
  [ req_attributes ]
  challengePassword = A challenge password
+
  challengePassword = A challenge password
  challengePassword_min = 4
+
  challengePassword_min = 4
  challengePassword_max = 20
+
  challengePassword_max = 20
 
+
 
  unstructuredName = An optional company name
+
  unstructuredName = An optional company name
 
+
 
  [ usr_cert ]
+
  [ usr_cert ]
 
+
 
  # These extensions are added when 'ca' signs a request.
+
  # These extensions are added when 'ca' signs a request.
 
+
 
  # This goes against PKIX guidelines but some CAs do it and some software
+
  # This goes against PKIX guidelines but some CAs do it and some software
  # requires this to avoid interpreting an end user certificate as a CA.
+
  # requires this to avoid interpreting an end user certificate as a CA.
 
+
 
  basicConstraints=CA:FALSE
+
  basicConstraints=CA:FALSE
 
+
 
  # Here are some examples of the usage of nsCertType. If it is omitted
+
  # Here are some examples of the usage of nsCertType. If it is omitted
  # the certificate can be used for anything *except* object signing.
+
  # the certificate can be used for anything *except* object signing.
 
+
 
  # This is OK for an SSL server.
+
  # This is OK for an SSL server.
  # nsCertType = server
+
  # nsCertType = server
 
+
 
  # For an object signing certificate this would be used.
+
  # For an object signing certificate this would be used.
  # nsCertType = objsign
+
  # nsCertType = objsign
 
+
 
  # For normal client use this is typical
+
  # For normal client use this is typical
  # nsCertType = client, email
+
  # nsCertType = client, email
 
+
 
  # and for everything including object signing:
+
  # and for everything including object signing:
  # nsCertType = client, email, objsign
+
  # nsCertType = client, email, objsign
 
+
 
  # This is typical in keyUsage for a client certificate.
+
  # This is typical in keyUsage for a client certificate.
  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
+
 
  # This will be displayed in Netscape's comment listbox.
+
  # This will be displayed in Netscape's comment listbox.
  nsComment = "OpenSSL Generated Certificate"
+
  nsComment = "OpenSSL Generated Certificate"
 
+
 
  # PKIX recommendations harmless if included in all certificates.
+
  # PKIX recommendations harmless if included in all certificates.
  subjectKeyIdentifier=hash
+
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer
+
  authorityKeyIdentifier=keyid,issuer
 
+
 
  # This stuff is for subjectAltName and issuerAltname.
+
  # This stuff is for subjectAltName and issuerAltname.
  # Import the email address.
+
  # Import the email address.
  # subjectAltName=email:copy
+
  # subjectAltName=email:copy
  # An alternative to produce certificates that aren't
+
  # An alternative to produce certificates that aren't
  # deprecated according to PKIX.
+
  # deprecated according to PKIX.
  # subjectAltName=email:move
+
  # subjectAltName=email:move
 
+
 
  # Copy subject details
+
  # Copy subject details
  # issuerAltName=issuer:copy
+
  # issuerAltName=issuer:copy
 
+
 
  #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+
  #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  #nsBaseUrl
+
  #nsBaseUrl
  #nsRevocationUrl
+
  #nsRevocationUrl
  #nsRenewalUrl
+
  #nsRenewalUrl
  #nsCaPolicyUrl
+
  #nsCaPolicyUrl
  #nsSslServerName
+
  #nsSslServerName
 
+
 
  # This is required for TSA certificates.
+
  # This is required for TSA certificates.
  # extendedKeyUsage = critical,timeStamping
+
  # extendedKeyUsage = critical,timeStamping
 
+
 
  [ v3_req ]
+
  [ v3_req ]
 
+
 
  # Extensions to add to a certificate request
+
  # Extensions to add to a certificate request
 
+
 
  basicConstraints = CA:FALSE
+
  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  subjectAltName = @alt_names
+
  subjectAltName = @alt_names
  [ v3_ca ]
+
  [ v3_ca ]
 
+
 
 
+
 
  # Extensions for a typical CA
+
  # Extensions for a typical CA
 
+
 
 
+
 
  # PKIX recommendation.
+
  # PKIX recommendation.
 
+
 
  subjectKeyIdentifier=hash
+
  subjectKeyIdentifier=hash
 
+
 
  authorityKeyIdentifier=keyid:always,issuer
+
  authorityKeyIdentifier=keyid:always,issuer
 
+
 
  # This is what PKIX recommends but some broken software chokes on critical
+
  # This is what PKIX recommends but some broken software chokes on critical
  # extensions.
+
  # extensions.
  #basicConstraints = critical,CA:true
+
  #basicConstraints = critical,CA:true
  # So we do this instead.
+
  # So we do this instead.
  basicConstraints = CA:true
+
  basicConstraints = CA:true
 
+
 
  # Key usage: this is typical for a CA certificate. However since it will
+
  # Key usage: this is typical for a CA certificate. However since it will
  # prevent it being used as an test self-signed certificate it is best
+
  # prevent it being used as an test self-signed certificate it is best
  # left out by default.
+
  # left out by default.
  # keyUsage = cRLSign, keyCertSign
+
  # keyUsage = cRLSign, keyCertSign
 
+
 
  # Some might want this also
+
  # Some might want this also
  # nsCertType = sslCA, emailCA
+
  # nsCertType = sslCA, emailCA
 
+
 
  # Include email address in subject alt name: another PKIX recommendation
+
  # Include email address in subject alt name: another PKIX recommendation
  # subjectAltName=email:copy
+
  # subjectAltName=email:copy
  # Copy issuer details
+
  # Copy issuer details
  # issuerAltName=issuer:copy
+
  # issuerAltName=issuer:copy
 
+
 
  # DER hex encoding of an extension: beware experts only!
+
  # DER hex encoding of an extension: beware experts only!
  # obj=DER:02:03
+
  # obj=DER:02:03
  # Where 'obj' is a standard or added object
+
  # Where 'obj' is a standard or added object
  # You can even override a supported extension:
+
  # You can even override a supported extension:
  # basicConstraints= critical, DER:30:03:01:01:FF
+
  # basicConstraints= critical, DER:30:03:01:01:FF
 
+
 
  [ crl_ext ]
+
  [ crl_ext ]
 
+
 
  # CRL extensions.
+
  # CRL extensions.
  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
+
 
  # issuerAltName=issuer:copy
+
  # issuerAltName=issuer:copy
  authorityKeyIdentifier=keyid:always
+
  authorityKeyIdentifier=keyid:always
 
+
 
  [ proxy_cert_ext ]
+
  [ proxy_cert_ext ]
  # These extensions should be added when creating a proxy certificate
+
  # These extensions should be added when creating a proxy certificate
 
+
 
  # This goes against PKIX guidelines but some CAs do it and some software
+
  # This goes against PKIX guidelines but some CAs do it and some software
  # requires this to avoid interpreting an end user certificate as a CA.
+
  # requires this to avoid interpreting an end user certificate as a CA.
 
+
 
  basicConstraints=CA:FALSE
+
  basicConstraints=CA:FALSE
 
+
 
  # Here are some examples of the usage of nsCertType. If it is omitted
+
  # Here are some examples of the usage of nsCertType. If it is omitted
  # the certificate can be used for anything *except* object signing.
+
  # the certificate can be used for anything *except* object signing.
 
+
 
  # This is OK for an SSL server.
+
  # This is OK for an SSL server.
  # nsCertType = server
+
  # nsCertType = server
 
+
 
  # For an object signing certificate this would be used.
+
  # For an object signing certificate this would be used.
  # nsCertType = objsign
+
  # nsCertType = objsign
 
+
 
  # For normal client use this is typical
+
  # For normal client use this is typical
  # nsCertType = client, email
+
  # nsCertType = client, email
 
+
 
  # and for everything including object signing:
+
  # and for everything including object signing:
  # nsCertType = client, email, objsign
+
  # nsCertType = client, email, objsign
 
+
 
  # This is typical in keyUsage for a client certificate.
+
  # This is typical in keyUsage for a client certificate.
  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
+
 
  # This will be displayed in Netscape's comment listbox.
+
  # This will be displayed in Netscape's comment listbox.
  nsComment = "OpenSSL Generated Certificate"
+
  nsComment = "OpenSSL Generated Certificate"
 
+
 
  # PKIX recommendations harmless if included in all certificates.
+
  # PKIX recommendations harmless if included in all certificates.
  subjectKeyIdentifier=hash
+
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer
+
  authorityKeyIdentifier=keyid,issuer
 
+
 
  # This stuff is for subjectAltName and issuerAltname.
+
  # This stuff is for subjectAltName and issuerAltname.
  # Import the email address.
+
  # Import the email address.
  # subjectAltName=email:copy
+
  # subjectAltName=email:copy
  # An alternative to produce certificates that aren't
+
  # An alternative to produce certificates that aren't
  # deprecated according to PKIX.
+
  # deprecated according to PKIX.
  # subjectAltName=email:move
+
  # subjectAltName=email:move
 
+
 
  # Copy subject details
+
  # Copy subject details
  # issuerAltName=issuer:copy
+
  # issuerAltName=issuer:copy
 
+
 
  #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+
  #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  #nsBaseUrl
+
  #nsBaseUrl
  #nsRevocationUrl
+
  #nsRevocationUrl
  #nsRenewalUrl
+
  #nsRenewalUrl
  #nsCaPolicyUrl
+
  #nsCaPolicyUrl
  #nsSslServerName
+
  #nsSslServerName
 
+
 
  # This really needs to be in place for it to be a proxy certificate.
+
  # This really needs to be in place for it to be a proxy certificate.
  proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
  proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 
+
 
  ####################################################################
+
  ####################################################################
  [ tsa ]
+
  [ tsa ]
 
+
 
  default_tsa = tsa_config1 # the default TSA section
+
  default_tsa = tsa_config1 # the default TSA section
 
+
 
  [ tsa_config1 ]
+
  [ tsa_config1 ]
 
+
 
  # These are used by the TSA reply generation only.
+
  # These are used by the TSA reply generation only.
  dir = ./demoCA # TSA root directory
+
  dir = ./demoCA # TSA root directory
  serial = $dir/tsaserial # The current serial number (mandatory)
+
  serial = $dir/tsaserial # The current serial number (mandatory)
  crypto_device = builtin # OpenSSL engine to use for signing
+
  crypto_device = builtin # OpenSSL engine to use for signing
  signer_cert = $dir/tsacert.pem # The TSA signing certificate
+
  signer_cert = $dir/tsacert.pem # The TSA signing certificate
  # (optional)
+
  # (optional)
  certs = $dir/cacert.pem # Certificate chain to include in reply
+
  certs = $dir/cacert.pem # Certificate chain to include in reply
  # (optional)
+
  # (optional)
  signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+
  signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
 
+
 
  default_policy = tsa_policy1 # Policy if request did not specify it
+
  default_policy = tsa_policy1 # Policy if request did not specify it
  # (optional)
+
  # (optional)
  other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+
  other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  digests = md5, sha1 # Acceptable message digests (mandatory)
+
  digests = md5, sha1 # Acceptable message digests (mandatory)
  accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+
  accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  clock_precision_digits  = 0 # number of digits after dot. (optional)
+
  clock_precision_digits  = 0 # number of digits after dot. (optional)
  ordering = yes # Is ordering defined for timestamps?
+
  ordering = yes # Is ordering defined for timestamps?
  # (optional, default: no)
+
  # (optional, default: no)
  tsa_name = yes # Must the TSA name be included in the reply?
+
  tsa_name = yes # Must the TSA name be included in the reply?
  # (optional, default: no)
+
  # (optional, default: no)
  ess_cert_id_chain = no # Must the ESS cert id chain be included?
+
  ess_cert_id_chain = no # Must the ESS cert id chain be included?
  # (optional, default: no)
+
  # (optional, default: no)
  [ alt_names ]
+
  [ alt_names ]
  DNS.1 = webserver02.rra.lan
+
  DNS.1 = webserver02.rra.lan
  DNS.2 = marco.rra.lan</nowiki>
+
  DNS.2 = marco.rra.lan</nowiki>
    
#Copy your openssl.cnf.
 
#Copy your openssl.cnf.
Retrieved from "https://wiki.herrerosolis.com/index.php/Special:MobileDiff/2365"

Navigation menu