Diffstat (limited to 'openssl.conf')
-rw-r--r-- | openssl.conf | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/openssl.conf b/openssl.conf
new file mode 100644
index 0000000..7f156ce
--- /dev/null
+++ b/openssl.conf
@@ -0,0 +1,46 @@
+# For details on what can go here, see:
+#
+# https://github.com/OpenSC/libp11/README.md
+# https://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node18.html
+
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+init = 0
+
+# For convenience while testing, we use environment variables to pass
+# in the PIN and the path to the PKCS #11 module. You would NOT
+# want to do this in production, particularly with the PIN.
+
+MODULE_PATH = ${ENV::PKCS11_MODULE}
+PIN = ${ENV::PKCS11_PIN}
+
+# From here down is OpenSSL voodoo for issuing certificates.
+
+[req]
+distinguished_name = dn
+default_md = sha256
+x509_extensions = ext_ca
+
+[dn]
+C = PV
+O = Pottsylvanian Ministry of Offense
+
+[ext_ca]
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ext_ee]
+keyUsage = critical, digitalSignature, nonRepudiation
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
|
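Review bot: The `${ENV::PKCS11_MODULE}` and `${ENV::PKCS11_PIN}` references in `[pkcs11_section]` make the whole file unloadable when either variable is unset — OpenSSL's config parser fails with "variable has no value" at load time, and because this file is wired in through the top-level `openssl_conf = openssl_def`, every `openssl` invocation that picks it up (not just the signing steps) fails, which is easy to misread as an engine problem. The header comment already warns against passing the PIN this way in production, but it does not state this hard requirement; I would add above the two lines: `# Both PKCS11_MODULE and PKCS11_PIN must be exported before any openssl call` / `# that loads this file, otherwise config loading fails with "variable has no value".` Newer OpenSSL releases, as far as I recall, also accept a default from an `[ENV]` section, which would be a reasonable fallback for `PKCS11_MODULE` only — never for the PIN. Separately, `[ext_ee]` is not referenced by any key in the file, so it is presumably selected with `-extensions ext_ee` on the command line; a one-line comment saying so would save the next reader a search, and it may be worth adding `basicConstraints = critical, CA:false` there so end-entity certificates are explicit about not being issuers.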