author | Timothy Pearson <kb9vqf@pearsoncomputing.net> | 2012-06-06 04:16:24 -0500 |
---|---|---|
committer | Timothy Pearson <kb9vqf@pearsoncomputing.net> | 2012-06-06 04:16:24 -0500 |
commit | 75044dd48af51f848e49f6705ec6e9423571dd8c (patch) | |
tree | a973bc28051a6706dc6e28f807538bc3e8f3488c /confskel/openssl | |
parent | bf4dbda9682241deffb3ec704e2597a12496d2a8 (diff) | |
Add ssl generation and storage
Diffstat (limited to 'confskel/openssl')
-rw-r--r-- | confskel/openssl/pki_extensions | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/confskel/openssl/pki_extensions b/confskel/openssl/pki_extensions
new file mode 100644
index 0000000..d841890
--- /dev/null
+++ b/confskel/openssl/pki_extensions
@@ -0,0 +1,61 @@
+[ kdc_cert ]
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+#Pkinit EKU
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+# Add id-pkinit-san (pkinit subjectAlternativeName)
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
+principal_name = EXP:1, SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:@@@REALM_UCNAME@@@
+
+[ client_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+basicConstraints=CA:FALSE
+
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+
+extendedKeyUsage = 1.3.6.1.5.2.3.4
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
+
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+[princ_name]
+realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
+principal_name = EXP:1, SEQUENCE:principal_seq
+
+[principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:principals
+
+[principals]
+princ1 = GeneralString:@@@KDCSERVER@@@ |
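Review bot: The `[principals]` section at the end of the hunk makes `@@@KDCSERVER@@@` the only component of the PKINIT principal name placed in every certificate signed under `client_cert`, so unless the substitution step that fills these `@@@…@@@` placeholders (not visible in this commit) uses a per-client value there, all client certificates would carry the KDC's host name rather than the enrolling client's own principal, which is the name the KDC compares against the requesting principal during PKINIT. That is inferred from the template alone, so please confirm what the substitution writes into this placeholder and, if it is meant to vary per client, name it accordingly (for example `@@@CLIENT_PRINCIPAL@@@`) so it cannot be confused with the KDC's own identity. Separately, the line `# Here are some examples of the usage of nsCertType. If it is omitted` above the `kdc_cert` `keyUsage` is a truncated sentence that does not describe the directive beneath it; suggest replacing it with `# Key usage for the KDC certificate; the PKINIT KDC EKU follows below`.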