forked from SimplesIP/pabx-app
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
154 lines
4.3 KiB
154 lines
4.3 KiB
# Asterisk SSL configuration |
|
# |
|
# OpenSSL configuration file for custom Certificate Authority. Use a |
|
# different openssl.cnf file to generate certificate signing requests; |
|
# this one is for use only in Certificate Authority operations (csr -> |
|
# cert, cert revocation, revocation list generation). |
|
# |
|
# Be sure to customize this file prior to use, e.g. the commonName and |
|
# other options under the root_ca_distinguished_name section. |
|
|
|
HOME = . |
|
RANDFILE = $ENV::HOME/.rnd |
|
|
|
[ ca ] |
|
default_ca = MyAsteriskCA |
|
|
|
[ MyAsteriskCA ] |
|
dir = . |
|
# unsed at present, and my limited certs can be kept in current dir |
|
#certs = $dir/certs |
|
new_certs_dir = $dir/newcerts |
|
crl_dir = $dir/crl |
|
database = $dir/index |
|
|
|
certificate = $dir/ca-cert.pem |
|
serial = $dir/serial |
|
crl = $dir/ca-crl.pem |
|
private_key = $dir/private/ca-key.pem |
|
RANDFILE = $dir/private/.rand |
|
|
|
x509_extensions = usr_cert |
|
|
|
# Comment out the following two lines for the "traditional" |
|
# (and highly broken) format. |
|
name_opt = ca_default |
|
cert_opt = ca_default |
|
|
|
default_crl_days= 30 |
|
default_days = 7300 |
|
# if need to be compatible with older software, use weaker md5 |
|
default_md = sha1 |
|
# MSIE may need following set to yes? |
|
preserve = no |
|
|
|
# A few difference way of specifying how similar the request should look |
|
# For type CA, the listed attributes must be the same, and the optional |
|
# and supplied fields are just that :-) |
|
policy = policy_match |
|
|
|
# For the CA policy |
|
[ policy_match ] |
|
countryName = US |
|
stateOrProvinceName = CA |
|
organizationName = XYZ |
|
organizationalUnitName = XYZ |
|
commonName = asterisk |
|
emailAddress = root@localhost |
|
|
|
# For the 'anything' policy |
|
# At this point in time, you must list all acceptable 'object' |
|
# types. |
|
[ policy_anything ] |
|
countryName = optional |
|
stateOrProvinceName = optional |
|
localityName = optional |
|
organizationName = optional |
|
organizationalUnitName = optional |
|
commonName = supplied |
|
emailAddress = optional |
|
|
|
#################################################################### |
|
[ req ] |
|
default_bits = 2048 |
|
default_keyfile = ./private/ca-key.pem |
|
default_md = sha1 |
|
|
|
prompt = no |
|
distinguished_name = root_ca_distinguished_name |
|
|
|
x509_extensions = v3_ca |
|
|
|
# Passwords for private keys if not present they will be prompted for |
|
# input_password = secret |
|
# output_password = secret |
|
|
|
# This sets a mask for permitted string types. There are several options. |
|
# default: PrintableString, T61String, BMPString. |
|
# pkix : PrintableString, BMPString. |
|
# utf8only: only UTF8Strings. |
|
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). |
|
# MASK:XXXX a literal mask value. |
|
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings |
|
# so use this option with caution! |
|
string_mask = nombstr |
|
|
|
# req_extensions = v3_req |
|
|
|
[ root_ca_distinguished_name ] |
|
commonName = NoSuchCA CA |
|
countryName = US |
|
stateOrProvinceName = California |
|
localityName = San Mateo |
|
0.organizationName = domain.net |
|
emailAddress = nobody@localhost |
|
|
|
[ usr_cert ] |
|
|
|
# These extensions are added when 'ca' signs a request. |
|
|
|
# This goes against PKIX guidelines but some CAs do it and some software |
|
# requires this to avoid interpreting an end user certificate as a CA. |
|
|
|
basicConstraints=CA:FALSE |
|
|
|
# PKIX recommendations harmless if included in all certificates. |
|
subjectKeyIdentifier=hash |
|
authorityKeyIdentifier=keyid,issuer:always |
|
|
|
nsCaRevocationUrl = https://www.sial.org/ca-crl.pem |
|
#nsBaseUrl |
|
#nsRevocationUrl |
|
#nsRenewalUrl |
|
#nsCaPolicyUrl |
|
#nsSslServerName |
|
|
|
[ v3_req ] |
|
|
|
# Extensions to add to a certificate request |
|
|
|
basicConstraints = CA:FALSE |
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
|
|
|
[ v3_ca ] |
|
|
|
|
|
# Extensions for a typical CA |
|
|
|
# PKIX recommendation. |
|
subjectKeyIdentifier=hash |
|
authorityKeyIdentifier=keyid:always,issuer:always |
|
|
|
# This is what PKIX recommends but some broken software chokes on critical |
|
# extensions. |
|
#basicConstraints = critical,CA:true |
|
# So we do this instead. |
|
basicConstraints = CA:true |
|
|
|
[ crl_ext ] |
|
|
|
# CRL extensions. |
|
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. |
|
|
|
# issuerAltName=issuer:copy |
|
authorityKeyIdentifier=keyid:always,issuer:always
|
|
|