-rw-r--r-- | myrpki/myrpki.conf | 42 | ||||
-rw-r--r-- | myrpki/myrpki.py | 1 |
2 files changed, 9 insertions, 34 deletions
diff --git a/myrpki/myrpki.conf b/myrpki/myrpki.conf
index 24e512ed..796c5d3c 100644
--- a/myrpki/myrpki.conf
+++ b/myrpki/myrpki.conf
@@ -14,25 +14,9 @@ parents_csv = parents.csv
 prefix_csv = prefixes.csv
 asn_csv = asns.csv
-# The only things in the following list whose pathnames are really any
-# of the user's business are the ca-cert and the directory name.
-# Everything else is internal use and could be wired in place for all
-# the user should really care. Perhaps this means that some code can
-# be simplified considerably....
-
-# User cares about these
 bpki_ca_directory = bpki
 bpki_ca_certificate = bpki/ca.cer
-# User knows about these but doesn't need to touch them
-bpki_ca_key = bpki/ca.key
-bpki_crl = bpki/ca.crl
-
-# Internal database junk for "openssl ca"
-bpki_index = bpki/index
-bpki_serial = bpki/serial
-bpki_crl_number = bpki/crl_number
-
 xml_filename = myrpki.xml
 [constants]
@@ -45,18 +29,12 @@ crl_days = 365
 default_bits = ${constants::key_length}
 default_md = ${constants::digest}
 distinguished_name = req_dn
-x509_extensions = req_x509_ext
 prompt = no
 encrypt_key = no
 [req_dn]
 CN = ${myrpki::handle}
-[req_x509_ext]
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
 [ca_x509_ext_bsc]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
@@ -72,23 +50,21 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 [ca]
-default_ca = ca_default
-
-[ca_default]
-
-new_certs_dir = ${myrpki::bpki_ca_directory}
-database = ${myrpki::bpki_index}
+default_ca = ca
 certificate = ${myrpki::bpki_ca_certificate}
-private_key = ${myrpki::bpki_ca_key}
+dir = ${myrpki::bpki_ca_directory}
+new_certs_dir = $dir
+database = $dir/index
+private_key = $dir/ca.key
 default_days = ${constants::cert_days}
 default_crl_days = ${constants::crl_days}
 default_md = ${constants::digest}
-policy = ca_dn_policy_only_require_cn
+policy = ca_dn_policy
 unique_subject = no
-serial = ${myrpki::bpki_serial}
-crlnumber = ${myrpki::bpki_crl_number}
+serial = $dir/serial
+crlnumber = $dir/crl_number
-[ca_dn_policy_only_require_cn]
+[ca_dn_policy]
 countryName = optional
 stateOrProvinceName = optional
 localityName = optional
diff --git a/myrpki/myrpki.py b/myrpki/myrpki.py
index 954afcf0..43f66328 100644
--- a/myrpki/myrpki.py
+++ b/myrpki/myrpki.py
@@ -246,7 +246,6 @@ class CA(object):
 #"-verbose",
 "-sha256",
 "-newkey", "rsa:2048",
 "-config", self.cfg,
-"-extensions", "req_x509_ext",
 "-keyout", self.key,
 "-out", self.req))
|
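Review bot: The rewritten `[ca]` section still sets no `x509_extensions` (nor `crl_extensions`), so `openssl ca` driven by it emits certificates and CRLs with no extensions at all unless every invocation passes `-extensions` on the command line; since this same commit deletes `[req_x509_ext]`, no section visible in the diff carries `basicConstraints = critical,CA:true` any more, and if the self-signed BPKI CA certificate is issued through this section it will most likely fail OpenSSL's CA check when used as an issuer. Unless the Python side (outside this hunk) supplies `-extensions` on each `openssl ca` call, add `x509_extensions = ca_x509_ext_ca` here together with a section holding `basicConstraints = critical,CA:true` and `keyUsage = critical,keyCertSign,cRLSign`. Separately, `new_certs_dir = $dir` now writes every issued `<serial>.pem` next to `ca.key`, which `[req]` generates unencrypted (`encrypt_key = no`), so the directory cannot be opened up for certificate distribution without exposing the key; `new_certs_dir = $dir/certs` keeps them apart. The `[ca_dn_policy]` section continues past the end of the hunk.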