author | Rob Austein <sra@hactrn.net> | 2013-03-28 16:05:41 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2013-03-28 16:05:41 +0000 |
commit | d2847b67f9a8a25e92af61d6abe5efafc92d9ead (patch) | |
tree | 45734205c0fecfee94a3b58d587f295a785b0b5d /rpkid/examples | |
parent | 7379e8e6bdc3733fefdd0b5ce543dd9d9500299d (diff) |
Clean a lot of OpenSSL-related historical baggage out of sample rpki.conf.
svn path=/trunk/; revision=5239
Diffstat (limited to 'rpkid/examples')
-rw-r--r-- | rpkid/examples/rpki.conf | 121 |
1 files changed, 0 insertions, 121 deletions
diff --git a/rpkid/examples/rpki.conf b/rpkid/examples/rpki.conf
index 8c9bc261..3b798667 100644
--- a/rpkid/examples/rpki.conf
+++ b/rpkid/examples/rpki.conf
@@ -251,32 +251,6 @@ irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
 
 #################################################################
 
-[irbe_cli]
-
-# HTTP service URL for rpkid
-
-rpkid-url = http://${myrpki::rpkid_server_host}:${myrpki::rpkid_server_port}/left-right/
-
-# BPKI certificates and keys for talking to rpkid
-
-rpkid-bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
-rpkid-irbe-key = ${myrpki::bpki_servers_directory}/irbe.key
-rpkid-irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
-rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer
-
-# HTTP service URL for pubd
-
-pubd-url = http://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/control/
-
-# BPKI certificates and keys for talking to pubd
-
-pubd-bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
-pubd-irbe-key = ${myrpki::bpki_servers_directory}/irbe.key
-pubd-irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
-pubd-cert = ${myrpki::bpki_servers_directory}/pubd.cer
-
-#################################################################
-
 [rootd]
 
 # You don't need to run rootd unless you're IANA, are certifying
@@ -385,100 +359,5 @@ sql-password = ${myrpki::irdbd_sql_password}
 
 #################################################################
 
-# Constants for OpenSSL voodoo portion of this file, to make them
-# easier to find.
-
-[constants]
-
-# Digest algorithm. Don't change this.
-
-digest = sha256
-
-# RSA key length. Don't change this.
-
-key_length = 2048
-
-# Lifetime of BPKI certificates (and rootd RPKI root certificate).
-# Don't change this unless you know what you're doing.
-
-cert_days = 365
-
-# Lifetime of BPKI CRLs. Don't change this unless you know what
-# you're doing.
-
-crl_days = 365
-
-#################################################################
-
-# The rest of this file is OpenSSL configuration voodoo. Don't touch
-# anything below here even if you -do- know what you're doing. Even
-# by OpenSSL standards, some of this is weird, and interacts in
-# non-obvious ways with code in myrpki.py and myirbe.py. If you touch
-# this stuff and something breaks, don't say you weren't warned.
-
-[req]
-default_bits = ${constants::key_length}
-default_md = ${constants::digest}
-distinguished_name = req_dn
-prompt = no
-encrypt_key = no
-
-[req_dn]
-CN = Dummy name for certificate request
-
-[ca_x509_ext_ee]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca_x509_ext_xcert0]
-basicConstraints = critical,CA:true,pathlen:0
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca_x509_ext_xcert1]
-basicConstraints = critical,CA:true,pathlen:1
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca_x509_ext_ca]
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca]
-default_ca = ca
-dir = ${ENV::BPKI_DIRECTORY}
-new_certs_dir = $dir
-database = $dir/index
-certificate = $dir/ca.cer
-private_key = $dir/ca.key
-default_days = ${constants::cert_days}
-default_crl_days = ${constants::crl_days}
-default_md = ${constants::digest}
-policy = ca_dn_policy
-unique_subject = no
-serial = $dir/serial
-crlnumber = $dir/crl_number
-
-[ca_dn_policy]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-givenName = optional
-surname = optional
-
-[rootd_x509_extensions]
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-keyUsage = critical,keyCertSign,cRLSign
-subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.1.5.5.7.48.10;URI:${rootd::root_cert_manifest}
-sbgp-autonomousSysNum = critical,${rootd::root_cert_asns}
-sbgp-ipAddrBlock = critical,${rootd::root_cert_addrs}
-certificatePolicies = critical,1.3.6.1.5.5.7.14.2
-
 #[rpkic]
 #autosync = false |