forked from SimplesIP/pabx-app
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
155 lines
4.3 KiB
155 lines
4.3 KiB
2 years ago
|
# Asterisk SSL configuration
|
||
|
#
|
||
|
# OpenSSL configuration file for custom Certificate Authority. Use a
|
||
|
# different openssl.cnf file to generate certificate signing requests;
|
||
|
# this one is for use only in Certificate Authority operations (csr ->
|
||
|
# cert, cert revocation, revocation list generation).
|
||
|
#
|
||
|
# Be sure to customize this file prior to use, e.g. the commonName and
|
||
|
# other options under the root_ca_distinguished_name section.
|
||
|
|
||
|
HOME = .
|
||
|
RANDFILE = $ENV::HOME/.rnd
|
||
|
|
||
|
[ ca ]
|
||
|
default_ca = MyAsteriskCA
|
||
|
|
||
|
[ MyAsteriskCA ]
|
||
|
dir = .
|
||
|
# unsed at present, and my limited certs can be kept in current dir
|
||
|
#certs = $dir/certs
|
||
|
new_certs_dir = $dir/newcerts
|
||
|
crl_dir = $dir/crl
|
||
|
database = $dir/index
|
||
|
|
||
|
certificate = $dir/ca-cert.pem
|
||
|
serial = $dir/serial
|
||
|
crl = $dir/ca-crl.pem
|
||
|
private_key = $dir/private/ca-key.pem
|
||
|
RANDFILE = $dir/private/.rand
|
||
|
|
||
|
x509_extensions = usr_cert
|
||
|
|
||
|
# Comment out the following two lines for the "traditional"
|
||
|
# (and highly broken) format.
|
||
|
name_opt = ca_default
|
||
|
cert_opt = ca_default
|
||
|
|
||
|
default_crl_days= 30
|
||
|
default_days = 7300
|
||
|
# if need to be compatible with older software, use weaker md5
|
||
|
default_md = sha1
|
||
|
# MSIE may need following set to yes?
|
||
|
preserve = no
|
||
|
|
||
|
# A few difference way of specifying how similar the request should look
|
||
|
# For type CA, the listed attributes must be the same, and the optional
|
||
|
# and supplied fields are just that :-)
|
||
|
policy = policy_match
|
||
|
|
||
|
# For the CA policy
|
||
|
[ policy_match ]
|
||
|
countryName = US
|
||
|
stateOrProvinceName = CA
|
||
|
organizationName = XYZ
|
||
|
organizationalUnitName = XYZ
|
||
|
commonName = asterisk
|
||
|
emailAddress = root@localhost
|
||
|
|
||
|
# For the 'anything' policy
|
||
|
# At this point in time, you must list all acceptable 'object'
|
||
|
# types.
|
||
|
[ policy_anything ]
|
||
|
countryName = optional
|
||
|
stateOrProvinceName = optional
|
||
|
localityName = optional
|
||
|
organizationName = optional
|
||
|
organizationalUnitName = optional
|
||
|
commonName = supplied
|
||
|
emailAddress = optional
|
||
|
|
||
|
####################################################################
|
||
|
[ req ]
|
||
|
default_bits = 2048
|
||
|
default_keyfile = ./private/ca-key.pem
|
||
|
default_md = sha1
|
||
|
|
||
|
prompt = no
|
||
|
distinguished_name = root_ca_distinguished_name
|
||
|
|
||
|
x509_extensions = v3_ca
|
||
|
|
||
|
# Passwords for private keys if not present they will be prompted for
|
||
|
# input_password = secret
|
||
|
# output_password = secret
|
||
|
|
||
|
# This sets a mask for permitted string types. There are several options.
|
||
|
# default: PrintableString, T61String, BMPString.
|
||
|
# pkix : PrintableString, BMPString.
|
||
|
# utf8only: only UTF8Strings.
|
||
|
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||
|
# MASK:XXXX a literal mask value.
|
||
|
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||
|
# so use this option with caution!
|
||
|
string_mask = nombstr
|
||
|
|
||
|
# req_extensions = v3_req
|
||
|
|
||
|
[ root_ca_distinguished_name ]
|
||
|
commonName = NoSuchCA CA
|
||
|
countryName = US
|
||
|
stateOrProvinceName = California
|
||
|
localityName = San Mateo
|
||
|
0.organizationName = domain.net
|
||
|
emailAddress = nobody@localhost
|
||
|
|
||
|
[ usr_cert ]
|
||
|
|
||
|
# These extensions are added when 'ca' signs a request.
|
||
|
|
||
|
# This goes against PKIX guidelines but some CAs do it and some software
|
||
|
# requires this to avoid interpreting an end user certificate as a CA.
|
||
|
|
||
|
basicConstraints=CA:FALSE
|
||
|
|
||
|
# PKIX recommendations harmless if included in all certificates.
|
||
|
subjectKeyIdentifier=hash
|
||
|
authorityKeyIdentifier=keyid,issuer:always
|
||
|
|
||
|
nsCaRevocationUrl = https://www.sial.org/ca-crl.pem
|
||
|
#nsBaseUrl
|
||
|
#nsRevocationUrl
|
||
|
#nsRenewalUrl
|
||
|
#nsCaPolicyUrl
|
||
|
#nsSslServerName
|
||
|
|
||
|
[ v3_req ]
|
||
|
|
||
|
# Extensions to add to a certificate request
|
||
|
|
||
|
basicConstraints = CA:FALSE
|
||
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||
|
|
||
|
[ v3_ca ]
|
||
|
|
||
|
|
||
|
# Extensions for a typical CA
|
||
|
|
||
|
# PKIX recommendation.
|
||
|
subjectKeyIdentifier=hash
|
||
|
authorityKeyIdentifier=keyid:always,issuer:always
|
||
|
|
||
|
# This is what PKIX recommends but some broken software chokes on critical
|
||
|
# extensions.
|
||
|
#basicConstraints = critical,CA:true
|
||
|
# So we do this instead.
|
||
|
basicConstraints = CA:true
|
||
|
|
||
|
[ crl_ext ]
|
||
|
|
||
|
# CRL extensions.
|
||
|
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||
|
|
||
|
# issuerAltName=issuer:copy
|
||
|
authorityKeyIdentifier=keyid:always,issuer:always
|