# OpenSSL configuration that loads the PKCS #11 engine (engine_pkcs11 from
# libp11) and defines the request and extension sections used below to
# issue certificates.
#
# For details on what can go here, see:
#
# https://github.com/OpenSC/libp11/README.md
# https://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node18.html
#
# Top-level pointer to the section OpenSSL reads for library-wide setup.
# It must stay above the first [section] header to be in the default section.
openssl_conf = openssl_def
[openssl_def]
# Names the section that lists the engines to configure.
engines = engine_section
[engine_section]
# Maps the engine name to the section holding its settings.
pkcs11 = pkcs11_section
[pkcs11_section]
# Entries in this section are processed in order, so keep engine_id and
# dynamic_path ahead of the engine-specific commands further down.
engine_id = pkcs11
# Shared object loaded into every OpenSSL process that reads this file.
# The file and its parent directories should be writable only by trusted
# users, since whoever can replace it runs code wherever the engine is used.
# NOTE(review): engine install paths differ between distributions and
# OpenSSL versions - confirm this location on the target host.
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# 0 = do not initialise the engine while this section is being processed.
init = 0
# For convenience while testing, we use environment variables to pass
# in the PIN and the path to the PKCS #11 module. You would NOT
# want to do this in production, particularly with the PIN.
#
# ${ENV::NAME} is expanded from the process environment when the file is
# parsed; both variables need to be set or the expansion fails.
# The environment is inherited by child processes and is often readable by
# other processes of the same user, and it tends to end up in CI logs and
# crash dumps, which is why the PIN in particular does not belong there.
# MODULE_PATH selects the PKCS #11 library that gets loaded, so whoever
# controls PKCS11_MODULE controls which code handles the token.
MODULE_PATH = ${ENV::PKCS11_MODULE}
PIN = ${ENV::PKCS11_PIN}
# From here down is OpenSSL voodoo for issuing certificates.
#
# Settings read by "openssl req".
[req]
# Section that describes the subject name.
distinguished_name = dn
# Digest used when signing.
default_md = sha256
# Extension section applied when req produces a self-signed certificate.
x509_extensions = ext_ca
[dn]
# NOTE(review): [req] does not set "prompt = no". With prompting enabled,
# OpenSSL reads entries in this section as prompt text, not as field values -
# confirm how the caller supplies the subject (for example via -subj).
C = PV
O = Pottsylvanian Ministry of Offense
# Extensions for the CA certificate.
[ext_ca]
# Marks the certificate as a CA. No pathlen is given, so the number of
# subordinate CA levels below this certificate is not limited.
basicConstraints = critical, CA:true
# Restricts the key to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign
# Key identifier derived from a hash of the public key.
subjectKeyIdentifier = hash
# "always" makes issuance fail if the issuer key identifier cannot be copied.
authorityKeyIdentifier = keyid:always
# Extensions for end-entity certificates. Nothing in this file refers to this
# section; presumably it is selected on the command line - verify against
# the caller.
[ext_ee]
# No basicConstraints is emitted here. RFC 5280 treats its absence as "not a
# CA"; an explicit critical CA:FALSE would make that intent visible to
# reviewers and to older validators.
# No extendedKeyUsage either, so the purpose is limited by keyUsage alone.
keyUsage = critical, digitalSignature, nonRepudiation
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always