blob: 35060297970706e034b3a767d45574beb53c7114 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
[default]
batch = 1 # do not use stdin
total_timeout = 8 # prevent, e.g., infinite polling due to error
trusted = trusted.crt
newkey = new.key
newkeypass =
cmd = ir
out_trusted = root.crt
#certout = test.cert.pem
policies = certificatePolicies
#policy_oids = 1.2.3.4
#policy_oids_critical = 1
#verbosity = 7
############################# server-dependent configurations
[Mock] # the built-in OpenSSL CMP mock server
# no_check_time = 1
server_host = 127.0.0.1 # localhost
server_port = 0 # 0 means that the port is determined by the server
server_tls = $server_port
server_cert = server.crt
server = $server_host:$server_port
server_path = pkix/
path = $server_path
ca_dn = /CN=Root CA
recipient = $ca_dn
server_dn = /CN=server.example
expect_sender = $server_dn
subject = "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=leaf"
newkey = signer.key
out_trusted = signer_root.crt
kur_port = $server_port
pbm_port = $server_port
pbm_ref =
pbm_secret = pass:test
cert = signer.crt
key = signer.p12
keypass = pass:12345
ignore_keyusage = 0
column = 0
sleep = 0
############################# aspects
[connection]
msg_timeout = 5
total_timeout =
# reset any TLS options to default:
tls_used =
tls_cert =
tls_key =
tls_keypass =
tls_trusted =
tls_host =
[tls]
server =
tls_used =
tls_cert =
tls_key =
tls_keypass =
tls_trusted =
tls_host =
[credentials]
ref =
secret =
cert =
key =
keypass =
extracerts =
digest =
unprotected_requests =
[verification]
#expect_sender =
srvcert =
trusted =
untrusted =
#unprotected_errors =
extracertsout =
[commands]
cmd =
certout =
cacertsout =
infotype =
oldcert =
revreason =
geninfo =
[enrollment]
cmd =
newkey =
newkeypass =
#subject =
issuer =
days =
reqexts =
sans =
san_nodefault = 0
#popo =
implicit_confirm = 0
disable_confirm = 0
certout =
out_trusted =
oldcert =
csr =
############################# extra cert template contents
[certificatePolicies]
certificatePolicies = "critical, @pkiPolicy"
[pkiPolicy]
policyIdentifier = 1.2.3.4
[reqexts]
basicConstraints = CA:FALSE
#basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature # keyAgreement, keyEncipherment, nonRepudiation
extendedKeyUsage = critical, clientAuth # serverAuth, codeSigning
#crlDistributionPoints = URI:http:
#authorityInfoAccess = URI:http:
subjectAltName = @alt_names
[alt_names]
DNS.0 = localhost
IP.0 = 127.0.0.1
IP.1 = 192.168.1.1
URI.0 = http://192.168.0.2
[reqexts_invalidkey]
subjectAltName = @alt_names_3
[alt_names_3]
DNS.0 = localhost
DNS.1 = xn--rksmrgs-5wao1o.example.com
DNS.2 = xn--rkmacka-5wa.example.com
DNS__3 = xn--rksallad-0za.example.com
|
