r509.yaml in r509-0.9.2 vs r509.yaml in r509-0.10.0
- old
+ new
@@ -1,96 +1,289 @@
-certificate_authorities: {
- test_ca: {
- ca_cert: {
- cert: 'spec/fixtures/test_ca.cer',
- key: 'spec/fixtures/test_ca.key'
- },
- ocsp_cert: {
- pkcs12: 'spec/fixtures/test_ca_ocsp.p12',
- password: 'r509'
- },
- ocsp_location: ['http://ocsp.domain.com'],
- ca_issuers_location: ['http://domain.com/ca.html'],
- ocsp_chain: 'spec/fixtures/test_ca_ocsp_chain.txt',
- ocsp_start_skew_seconds: 3600,
- ocsp_validity_hours: 168,
- cdp_location: ['http://crl.domain.com/test_ca.crl'],
- crl_list: 'spec/fixtures/test_ca_crl_list.txt',
- crl_number: 'spec/fixtures/test_ca_crl_number.txt',
- crl_validity_hours: 168, #7 days
- message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
- profiles: {
- server: {
- basic_constraints: {"ca" : false},
- key_usage: [digitalSignature,keyEncipherment],
- extended_key_usage: [serverAuth],
- subject_item_policy: {
- CN: "required",
- O: "required",
- OU: "optional",
- ST: "required",
- C: "required",
- L: "required"
- }
- },
- client: {
- basic_constraints: {"ca" : false},
- key_usage: [digitalSignature,keyEncipherment],
- extended_key_usage: [clientAuth],
- },
- email: {
- basic_constraints: {"ca" : false},
- key_usage: [digitalSignature,keyEncipherment],
- extended_key_usage: [emailProtection],
- },
- clientserver: {
- basic_constraints: {"ca" : false},
- key_usage: [digitalSignature,keyEncipherment],
- extended_key_usage: [serverAuth,clientAuth],
- },
- codesigning: {
- basic_constraints: {"ca" : false},
- key_usage: [digitalSignature],
- extended_key_usage: [codeSigning],
- },
- timestamping: {
- basic_constraints: {"ca" : false},
- key_usage: [digitalSignature],
- extended_key_usage: [timeStamping],
- },
- subroot: {
- basic_constraints: {"ca" : true, "path_length" : 0},
- key_usage: [keyCertSign,cRLSign],
- extended_key_usage: [],
- certificate_policies: [
- { policy_identifier: "2.16.840.1.99999.21.234",
- cps_uris: ["http://example.com/cps","http://haha.com"],
- user_notices: [ { explicit_text: "this is a great thing", organization: "my org", notice_numbers: "1,2,3" } ]
- },
- { policy_identifier: "2.16.840.1.99999.21.235",
- cps_uris: ["http://example.com/cps2"],
- user_notices: [ { explicit_text: "this is a bad thing", organization: "another org", notice_numbers: "3,2,1" },{ explicit_text: "another user notice"} ]
- }
- ],
- inhibit_any_policy: 0,
- policy_constraints: { require_explicit_policy: 0, inhibit_policy_mapping: 0},
- name_constraints: {
- permitted: [
- {type: "IP", value: "192.168.0.0/255.255.0.0"},
- {type: "dirName", value: [['CN','myCN'],['O','Org']]}
- ],
- excluded: [
- {type: "email", value: "domain.com"},
- {type: "URI", value: ".net"},
- {type: "DNS", value: "test.us"}
- ]
- }
- },
- ocsp_delegate: {
- basic_constraints: {"ca" : false},
- key_usage: [digitalSignature],
- extended_key_usage: [OCSPSigning],
- ocsp_no_check: true
- }
- }
- }
-}
+---
+custom_oids:
+- :oid: 2.5.4.15
+ :short_name: businessCategory
+ :long_name: Business Category
+- :oid: 1.3.6.1.4.1.311.60.2.1.2
+ :short_name: jurisdictionOfIncorporationStateOrProvinceName
+
+certificate_authorities:
+ test_ca:
+ ca_cert:
+ cert: spec/fixtures/test_ca.cer
+ key: spec/fixtures/test_ca.key
+ ocsp_cert:
+ pkcs12: spec/fixtures/test_ca_ocsp.p12
+ password: r509
+ crl_cert:
+ pkcs12: spec/fixtures/test_ca_crl.p12
+ password: r509
+ ocsp_chain: spec/fixtures/test_ca_ocsp_chain.txt
+ ocsp_start_skew_seconds: 3600
+ ocsp_validity_hours: 168
+ crl_list_file: spec/fixtures/test_ca_crl_list.txt
+ crl_number_file: spec/fixtures/test_ca_crl_number.txt
+ crl_validity_hours: 168
+ crl_md: SHA1
+ profiles:
+ server:
+ basic_constraints:
+ :ca: false
+ :critical: true
+ key_usage:
+ :critical: false
+ :value:
+ - digitalSignature
+ - keyEncipherment
+ extended_key_usage:
+ :critical: false
+ :value:
+ - serverAuth
+ subject_item_policy:
+ CN:
+ :policy: required
+ O:
+ :policy: required
+ OU:
+ :policy: optional
+ ST:
+ :policy: required
+ C:
+ :policy: required
+ L:
+ :policy: match
+ :value: My Locality Requirement
+ authority_info_access:
+ :critical: true
+ :ocsp_location:
+ - :type: URI
+ :value: http://ocsp.domain.com
+ :ca_issuers_location:
+ - :type: URI
+ :value: http://domain.com/ca.html
+ crl_distribution_points:
+ :value:
+ - :type: URI
+ :value: http://crl.domain.com/test_ca.crl
+ default_md: SHA1
+ allowed_mds:
+ - SHA256
+ - SHA512
+ - SHA1
+ client:
+ basic_constraints:
+ :ca: false
+ key_usage:
+ :value:
+ - digitalSignature
+ - keyEncipherment
+ extended_key_usage:
+ :value:
+ - clientAuth
+ authority_info_access:
+ :critical: true
+ :ocsp_location:
+ - :type: URI
+ :value: http://ocsp.domain.com
+ :ca_issuers_location:
+ - :type: URI
+ :value: http://domain.com/ca.html
+ crl_distribution_points:
+ :value:
+ - :type: URI
+ :value: http://crl.domain.com/test_ca.crl
+ default_md: SHA1
+ allowed_mds:
+ - SHA256
+ - SHA512
+ - SHA1
+ email:
+ basic_constraints:
+ :ca: false
+ key_usage:
+ :value:
+ - digitalSignature
+ - keyEncipherment
+ extended_key_usage:
+ :value:
+ - emailProtection
+ authority_info_access:
+ :critical: true
+ :ocsp_location:
+ - :type: URI
+ :value: http://ocsp.domain.com
+ :ca_issuers_location:
+ - :type: URI
+ :value: http://domain.com/ca.html
+ crl_distribution_points:
+ :value:
+ - :type: URI
+ :value: http://crl.domain.com/test_ca.crl
+ default_md: SHA1
+ allowed_mds:
+ - SHA256
+ - SHA512
+ - SHA1
+ clientserver:
+ basic_constraints:
+ :ca: false
+ key_usage:
+ :value:
+ - digitalSignature
+ - keyEncipherment
+ extended_key_usage:
+ :value:
+ - serverAuth
+ - clientAuth
+ authority_info_access:
+ :critical: true
+ :ocsp_location:
+ - :type: URI
+ :value: http://ocsp.domain.com
+ :ca_issuers_location:
+ - :type: URI
+ :value: http://domain.com/ca.html
+ crl_distribution_points:
+ :value:
+ - :type: URI
+ :value: http://crl.domain.com/test_ca.crl
+ default_md: SHA1
+ allowed_mds:
+ - SHA256
+ - SHA512
+ - SHA1
+ codesigning:
+ basic_constraints:
+ :ca: false
+ key_usage:
+ :value:
+ - digitalSignature
+ extended_key_usage:
+ :value:
+ - codeSigning
+ authority_info_access:
+ :critical: true
+ :ocsp_location:
+ - :type: URI
+ :value: http://ocsp.domain.com
+ :ca_issuers_location:
+ - :type: URI
+ :value: http://domain.com/ca.html
+ crl_distribution_points:
+ :value:
+ - :type: URI
+ :value: http://crl.domain.com/test_ca.crl
+ default_md: SHA1
+ allowed_mds:
+ - SHA256
+ - SHA512
+ - SHA1
+ timestamping:
+ basic_constraints:
+ :ca: false
+ key_usage:
+ :value:
+ - digitalSignature
+ extended_key_usage:
+ :value:
+ - timeStamping
+ authority_info_access:
+ :critical: true
+ :ocsp_location:
+ - :type: URI
+ :value: http://ocsp.domain.com
+ :ca_issuers_location:
+ - :type: URI
+ :value: http://domain.com/ca.html
+ crl_distribution_points:
+ :value:
+ - :type: URI
+ :value: http://crl.domain.com/test_ca.crl
+ default_md: SHA1
+ allowed_mds:
+ - SHA256
+ - SHA512
+ - SHA1
+ subroot:
+ basic_constraints:
+ :ca: true
+ :path_length: 0
+ key_usage:
+ :value:
+ - keyCertSign
+ - cRLSign
+ certificate_policies:
+ - :policy_identifier: 2.16.840.1.99999.21.234
+ :cps_uris:
+ - http://example.com/cps
+ - http://haha.com
+ :user_notices:
+ - :explicit_text: this is a great thing
+ :organization: my org
+ :notice_numbers: '1,2,3'
+ - :policy_identifier: 2.16.840.1.99999.21.235
+ :cps_uris:
+ - http://example.com/cps2
+ :user_notices:
+ - :explicit_text: this is a bad thing
+ :organization: another org
+ :notice_numbers: '3,2,1'
+ - :explicit_text: another user notice
+ inhibit_any_policy:
+ :value: 0
+ policy_constraints:
+ :require_explicit_policy: 0
+ :inhibit_policy_mapping: 0
+ name_constraints:
+ :critical: true
+ :permitted:
+ - :type: IP
+ :value: 192.168.0.0/255.255.0.0
+ - :type: dirName
+ :value:
+ :CN: myCN
+ :O: Org
+ :excluded:
+ - :type: email
+ :value: domain.com
+ - :type: URI
+ :value: .net
+ - :type: DNS
+ :value: test.us
+ authority_info_access:
+ :critical: true
+ :ocsp_location:
+ - :type: URI
+ :value: http://ocsp.domain.com
+ :ca_issuers_location:
+ - :type: URI
+ :value: http://domain.com/ca.html
+ crl_distribution_points:
+ :value:
+ - :type: URI
+ :value: http://crl.domain.com/test_ca.crl
+ default_md: SHA1
+ allowed_mds:
+ - SHA256
+ - SHA512
+ - SHA1
+ ocsp_delegate:
+ basic_constraints:
+ :ca: false
+ key_usage:
+ :value:
+ - digitalSignature
+ extended_key_usage:
+ :value:
+ - OCSPSigning
+ crl_distribution_points:
+ :value:
+ - :type: URI
+ :value: http://crl.domain.com/test_ca.crl
+ ocsp_no_check:
+ :critical: false
+ :value: true
+ default_md: SHA1
+ allowed_mds:
+ - SHA256
+ - SHA512
+ - SHA1
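Review bot: Every profile's `default_md` and the CA-level `crl_md` are set to `SHA1`, and `allowed_mds` lists SHA1 next to SHA256/SHA512, while the old file's inline caveat about digest choice (`message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that ...`) was dropped in the conversion to block YAML. This is a spec fixture, so the SHA1 values presumably exist to exercise digest selection rather than to recommend a policy, but the file is also the only complete example of the 0.10.0 profile schema and is likely to be copied as a template. A one-line comment above the first `default_md` would preserve the old warning: `# fixture value: SHA1 is kept here to test digest selection; real profiles should default to SHA256 and omit SHA1 from allowed_mds`. Separately, `basic_constraints` carries `:critical: true` only on the `server` profile; if r509's default for `:critical` is false, the `subroot` CA profile would emit a non-critical basicConstraints, which RFC 5280 §4.2.1.9 requires to be critical on CA certificates, so either add `:critical: true` under the subroot `basic_constraints` or confirm the library default.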