From 75044dd48af51f848e49f6705ec6e9423571dd8c Mon Sep 17 00:00:00 2001
From: Timothy Pearson <kb9vqf@pearsoncomputing.net>
Date: Wed, 6 Jun 2012 04:16:24 -0500
Subject: Add ssl generation and storage

---
 confskel/openssl/pki_extensions | 61 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 confskel/openssl/pki_extensions

(limited to 'confskel/openssl')

diff --git a/confskel/openssl/pki_extensions b/confskel/openssl/pki_extensions
new file mode 100644
index 0000000..d841890
--- /dev/null
+++ b/confskel/openssl/pki_extensions
@@ -0,0 +1,61 @@
+[ kdc_cert ]
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+#Pkinit EKU
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+# Add id-pkinit-san (pkinit subjectAlternativeName)
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
+principal_name = EXP:1, SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:@@@REALM_UCNAME@@@
+
+[ client_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+basicConstraints=CA:FALSE
+
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+
+extendedKeyUsage =  1.3.6.1.5.2.3.4
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
+
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+[princ_name]
+realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
+principal_name = EXP:1, SEQUENCE:principal_seq
+
+[principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:principals
+
+[principals]
+princ1 = GeneralString:@@@KDCSERVER@@@
-- 
cgit v1.2.1