# For details on what can go here, see:
#
# https://github.com/OpenSC/libp11/README.md
# https://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node18.html

# Top-level pointer: names the section that holds library-wide OpenSSL
# configuration.  It must appear before the first [section] header.
openssl_conf = openssl_def

[openssl_def]
# Engine definitions are listed in [engine_section].
engines = engine_section

[engine_section]
# One engine is registered; its settings are in [pkcs11_section].
pkcs11 = pkcs11_section

[pkcs11_section]
# Name under which the engine is registered and selected by applications.
engine_id	= pkcs11
# Shared object loaded into any process that reads this configuration.
# Both this file and the engine path should be writable only by trusted
# accounts: whoever can change either one decides what code runs next to
# the token session.
dynamic_path	= /usr/lib/engines/engine_pkcs11.so
# 0 = do not initialise the engine while the configuration is being loaded.
init		= 0

# For convenience while testing, we use environment variables to pass
# in the PIN and the path to the PKCS #11 module.  You would NOT
# want to do this in production, particularly with the PIN.
#
# Why: the environment is inherited by child processes and, on Linux, is
# typically readable through /proc/<pid>/environ by the same user, so the
# PIN can leak well beyond the one command that needs it.  A module path
# taken from the environment also lets the caller choose which PKCS #11
# library gets loaded.  For production, pin the module path here and supply
# the PIN interactively or through the token's own protected login path.
#
# OpenSSL treats an undefined variable in a ${ENV::...} expansion as a
# configuration error, so both variables must be set for this file to load.

MODULE_PATH	= ${ENV::PKCS11_MODULE}
PIN		= ${ENV::PKCS11_PIN}

# From here down is OpenSSL voodoo for issuing certificates.

[req]
# Section that describes the subject name fields.
distinguished_name      = dn
# Digest used for signatures produced by "openssl req".
default_md              = sha256
# Extension section applied to self-signed certificates ("req -x509").
# It points at the CA profile, so a self-signed certificate made with this
# file is a CA certificate.
x509_extensions		= ext_ca

[dn]
# Subject name fields; the values look like test placeholders.
# NOTE(review): [req] does not set "prompt = no".  In that mode openssl req
# reads the entries here as prompt text rather than as field values, so
# confirm the subject is actually supplied another way (for example -subj)
# or add "prompt = no" to [req].
C                       = PV
O                       = Pottsylvanian Ministry of Offense

[ext_ca]
# CA profile.  Marked critical so relying parties must honour it.  No
# pathlen is given, so the depth of subordinate CAs below this certificate
# is not limited; add "pathlen:N" if the hierarchy depth is known.
basicConstraints        = critical, CA:true
# Key may only sign certificates and CRLs.
keyUsage                = critical, cRLSign, keyCertSign
# Key identifier derived from a hash of the public key.
subjectKeyIdentifier    = hash
# "always" turns a missing issuer key identifier into an error at issuance
# instead of silently omitting the extension.
authorityKeyIdentifier  = keyid:always

[ext_ee]
# End-entity profile.  Nothing in this file refers to it, so it is
# presumably selected on the command line (e.g. -extensions ext_ee).
# NOTE(review): there is no basicConstraints entry.  Absence is treated as
# "not a CA", but an explicit "basicConstraints = critical, CA:false" makes
# the intent unambiguous for every validator.  There is also no
# extendedKeyUsage, so issued certificates are not restricted to a purpose
# such as TLS server or client authentication - confirm that is intended.
keyUsage                = critical, digitalSignature, nonRepudiation
# Key identifier derived from a hash of the public key.
subjectKeyIdentifier    = hash
# Issuance fails if the issuer's key identifier cannot be copied.
authorityKeyIdentifier  = keyid:always