r509.yaml in r509-0.8.1 vs r509.yaml in r509-0.9

- old
+ new

@@ -1,73 +1,96 @@
 certificate_authorities: {
- test_ca: {
- ca_cert: {
- cert: 'spec/fixtures/test_ca.cer',
- key: 'spec/fixtures/test_ca.key'
- },
- ocsp_cert: {
- :pkcs12: 'spec/fixtures/test_ca_ocsp.p12',
- :password: 'r509'
- },
- ocsp_location: 'URI:http://ocsp.domain.com',
- ocsp_chain: 'spec/fixtures/test_ca_ocsp_chain.txt',
- ocsp_start_skew_seconds: 3600,
- ocsp_validity_hours: 168,
- cdp_location: 'URI:http://crl.domain.com/test_ca.crl',
- crl_list: 'spec/fixtures/test_ca_crl_list.txt',
- crl_number: 'spec/fixtures/test_ca_crl_number.txt',
- crl_validity_hours: 168, #7 days
- message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
- profiles: {
- server: {
- basic_constraints: "CA:FALSE",
- key_usage: [digitalSignature,keyEncipherment],
- extended_key_usage: [serverAuth],
- certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.1", "CPS.1=http://example.com/cps"] ],
- subject_item_policy: {
- CN: "required",
- O: "required",
- OU: "optional",
- ST: "required",
- C: "required",
- L: "required"
- }
- },
- client: {
- basic_constraints: "CA:FALSE",
- key_usage: [digitalSignature,keyEncipherment],
- extended_key_usage: [clientAuth],
- certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.2", "CPS.1=http://example.com/cps"] ]
- },
- email: {
- basic_constraints: "CA:FALSE",
- key_usage: [digitalSignature,keyEncipherment],
- extended_key_usage: [emailProtection],
- certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.3", "CPS.1=http://example.com/cps"] ]
- },
- clientserver: {
- basic_constraints: "CA:FALSE",
- key_usage: [digitalSignature,keyEncipherment],
- extended_key_usage: [serverAuth,clientAuth],
- certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.4", "CPS.1=http://example.com/cps"] ]
- },
- codesigning: {
- basic_constraints: "CA:FALSE",
- key_usage: [digitalSignature],
- extended_key_usage: [codeSigning],
- certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.5", "CPS.1=http://example.com/cps"] ]
- },
- timestamping: {
- basic_constraints: "CA:FALSE",
- key_usage: [digitalSignature],
- extended_key_usage: [timeStamping],
- certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.6", "CPS.1=http://example.com/cps"] ]
- },
- subroot: {
- basic_constraints: "CA:TRUE,pathlen:0",
- key_usage: [keyCertSign,cRLSign],
- extended_key_usage: [],
- certificate_policies: [ ]
- }
+ test_ca: {
+ ca_cert: {
+ cert: 'spec/fixtures/test_ca.cer',
+ key: 'spec/fixtures/test_ca.key'
+ },
+ ocsp_cert: {
+ pkcs12: 'spec/fixtures/test_ca_ocsp.p12',
+ password: 'r509'
+ },
+ ocsp_location: ['http://ocsp.domain.com'],
+ ca_issuers_location: ['http://domain.com/ca.html'],
+ ocsp_chain: 'spec/fixtures/test_ca_ocsp_chain.txt',
+ ocsp_start_skew_seconds: 3600,
+ ocsp_validity_hours: 168,
+ cdp_location: ['http://crl.domain.com/test_ca.crl'],
+ crl_list: 'spec/fixtures/test_ca_crl_list.txt',
+ crl_number: 'spec/fixtures/test_ca_crl_number.txt',
+ crl_validity_hours: 168, #7 days
+ message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
+ profiles: {
+ server: {
+ basic_constraints: {"ca" : false},
+ key_usage: [digitalSignature,keyEncipherment],
+ extended_key_usage: [serverAuth],
+ subject_item_policy: {
+ CN: "required",
+ O: "required",
+ OU: "optional",
+ ST: "required",
+ C: "required",
+ L: "required"
 }
+ },
+ client: {
+ basic_constraints: {"ca" : false},
+ key_usage: [digitalSignature,keyEncipherment],
+ extended_key_usage: [clientAuth],
+ },
+ email: {
+ basic_constraints: {"ca" : false},
+ key_usage: [digitalSignature,keyEncipherment],
+ extended_key_usage: [emailProtection],
+ },
+ clientserver: {
+ basic_constraints: {"ca" : false},
+ key_usage: [digitalSignature,keyEncipherment],
+ extended_key_usage: [serverAuth,clientAuth],
+ },
+ codesigning: {
+ basic_constraints: {"ca" : false},
+ key_usage: [digitalSignature],
+ extended_key_usage: [codeSigning],
+ },
+ timestamping: {
+ basic_constraints: {"ca" : false},
+ key_usage: [digitalSignature],
+ extended_key_usage: [timeStamping],
+ },
+ subroot: {
+ basic_constraints: {"ca" : true, "path_length" : 0},
+ key_usage: [keyCertSign,cRLSign],
+ extended_key_usage: [],
+ certificate_policies: [
+ { policy_identifier: "2.16.840.1.99999.21.234",
+ cps_uris: ["http://example.com/cps","http://haha.com"],
+ user_notices: [ { explicit_text: "this is a great thing", organization: "my org", notice_numbers: "1,2,3" } ]
+ },
+ { policy_identifier: "2.16.840.1.99999.21.235",
+ cps_uris: ["http://example.com/cps2"],
+ user_notices: [ { explicit_text: "this is a bad thing", organization: "another org", notice_numbers: "3,2,1" },{ explicit_text: "another user notice"} ]
+ }
+ ],
+ inhibit_any_policy: 0,
+ policy_constraints: { require_explicit_policy: 0, inhibit_policy_mapping: 0},
+ name_constraints: {
+ permitted: [
+ {type: "IP", value: "192.168.0.0/255.255.0.0"},
+ {type: "dirName", value: [['CN','myCN'],['O','Org']]}
+ ],
+ excluded: [
+ {type: "email", value: "domain.com"},
+ {type: "URI", value: ".net"},
+ {type: "DNS", value: "test.us"}
+ ]
+ }
+ },
+ ocsp_delegate: {
+ basic_constraints: {"ca" : false},
+ key_usage: [digitalSignature],
+ extended_key_usage: [OCSPSigning],
+ ocsp_no_check: true
+ }
 }
+ }
 }