# For details on what can go here, see:
#
# https://github.com/OpenSC/libp11/README.md
# https://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node18.html
# Library-level configuration. OpenSSL looks up the "openssl_conf" name in
# the default (unnamed) section to find the section it should act on.
openssl_conf = openssl_def
[openssl_def]
# Names the section that lists the engines to configure.
engines = engine_section
[engine_section]
# One entry per engine; the value names the section holding its settings.
pkcs11 = pkcs11_section
# Settings for the PKCS #11 engine.
[pkcs11_section]
# ID of the engine being configured.
engine_id = pkcs11
# Shared object that implements the engine, taken from the ENGINE_MODULE
# environment variable. Whatever library that variable names is loaded into
# the calling process, so the variable must only be set by trusted code.
dynamic_path = ${ENV::ENGINE_MODULE}
# 0 = do not initialize the engine while this section is being processed.
init = 0
# For convenience while testing, we use environment variables to pass
# in the PIN and the path to the PKCS #11 module. You would NOT
# want to do this in production, particularly with the PIN.
# Environment variables are inherited by child processes and, on many
# systems, can be read by other processes running as the same user, so a
# PIN passed this way is exposed well beyond the OpenSSL call.
# NOTE(review): MODULE_PATH and PIN are presumably the libp11 engine's
# control commands, as described in the README referenced in this file's
# header -- confirm against the libp11 version in use.
MODULE_PATH = ${ENV::PKCS11_MODULE}
PIN = ${ENV::PKCS11_PIN}
# From here down is OpenSSL voodoo for issuing certificates.
# Defaults read by "openssl req".
[req]
# Section that describes the subject name.
distinguished_name = dn
# Digest used for signing when none is given on the command line.
default_md = sha256
# Extension section applied when "openssl req -x509" creates a
# self-signed certificate; here that is the CA profile.
x509_extensions = ext_ca
# Subject name fields (country and organization).
# NOTE(review): [req] does not set "prompt = no", in which case
# "openssl req" treats the values below as prompt text rather than as the
# field values. Presumably the subject is supplied another way (e.g. -subj)
# -- confirm against the caller.
[dn]
C = PV
O = Pottsylvanian Ministry of Offense
# Extensions for a CA certificate (selected by x509_extensions in [req]).
[ext_ca]
# Marks the certificate as a CA. No pathlen is given, so the depth of the
# chain that may be issued below this CA is not limited.
basicConstraints = critical, CA:true
# Restricts the key to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign
# Key identifier derived from a hash of the public key.
subjectKeyIdentifier = hash
# Always include the issuer's key identifier.
authorityKeyIdentifier = keyid:always
# Extensions for an end-entity certificate. Nothing in this file refers to
# this section; presumably it is selected on the command line (for example
# with -extensions ext_ee) -- confirm against the caller.
# NOTE(review): there is no explicit "basicConstraints = CA:false" and no
# extendedKeyUsage here, so the profile relies on the absence of
# basicConstraints to mark the certificate as non-CA and does not narrow
# what the key may be used for beyond keyUsage.
[ext_ee]
keyUsage = critical, digitalSignature, nonRepudiation
# Key identifier derived from a hash of the public key.
subjectKeyIdentifier = hash
# "always" makes issuance fail if the issuer's key identifier cannot be
# obtained.
authorityKeyIdentifier = keyid:always