working

1 files changed, 43 insertions, 0 deletions

diff --git a/config_files/certificate-authority/config/sign_intermediate_csr.ini b/config_files/certificate-authority/config/sign_intermediate_csr.ini
new file mode 100644
index 0000000..09a20f7
--- /dev/null
+++ b/config_files/certificate-authority/config/sign_intermediate_csr.ini
@@ -0,0 +1,43 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /opt/certificate-authority
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+
+# The root key and root certificate.
+private_key       = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104964;token=SmartCard-HSM%20%28UserPIN%29;id=%BA%6C%1F%2B%2B%16%E9%7B%4F%31%B0%91%19%73%2F%C8%DF%78%3A%FD;object=root;type=private
+certificate       = ../certs/root.crt
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha512
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign