# $Id$
#
# Config file for myrpki.py; note that this is also read by the OpenSSL
# command line tool running under myrpki.py, so syntax must remain
# compatible with both OpenSSL and Python config file parsers, and
# large portions of this are OpenSSL voodoo.
#
# Because two parsers read this file, comments are full-line only
# (text after a value could be taken as part of the value), and the
# ${section::key}, ${ENV::name} and $name references below are
# OpenSSL's variable-expansion syntax.

# Settings consumed by the myrpki tool itself: the CSV inputs that
# describe this entity's resources and relationships, the XML it
# emits, and where its own BPKI material lives.
[myrpki]
handle = wombat
roa_csv = roas.csv
children_csv = children.csv
parents_csv = parents.csv
prefix_csv = prefixes.csv
asn_csv = asns.csv
xml_filename = myrpki.xml
bpki_directory = bpki.myrpki
repository_bpki_certificate = bpki.pubd/ca.cer

# Shared crypto parameters, referenced below via ${constants::...}
# so that hash, key size and lifetimes are set in one place.
[constants]
digest = sha256
key_length = 2048
# certificate and CRL validity, in days
cert_days = 365
crl_days = 365

# Locations and service URIs used on the IRBE side.
[myirbe]
irdbd_conf = irdbd.conf
rpkid_ca_directory = bpki.rpkid
pubd_ca_directory = bpki.pubd
rootd_ca_directory = bpki.rootd
# NOTE(review): every other URI in this file points at localhost;
# confirm server.example is intentional rather than a leftover.
rsync_base = rsync://server.example/
pubd_base = https://localhost:4402
rpkid_base = https://localhost:4404

# OpenSSL 'req' settings: non-interactive (prompt = no), with the DN
# taken from [req_dn].  encrypt_key = no means the generated private
# key is written to disk unencrypted, so the BPKI directories must be
# protected by filesystem permissions.
[req]
default_bits = ${constants::key_length}
default_md = ${constants::digest}
distinguished_name = req_dn
prompt = no
encrypt_key = no

[req_dn]
CN = Dummy name for certificate request

# X.509v3 extension sets selected by the calling tool when issuing.
# ee: end-entity profile, no basicConstraints so CA is not asserted.
[ca_x509_ext_ee]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# xcert0 / xcert1: cross-certificate profiles, CA with pathlen 0 or 1.
[ca_x509_ext_xcert0]
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ca_x509_ext_xcert1]
basicConstraints = critical,CA:true,pathlen:1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# ca: CA profile with no path length constraint.
[ca_x509_ext_ca]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# OpenSSL 'ca' settings.  dir comes from the BPKI_DIRECTORY environment
# variable, which the calling tool must export (OpenSSL reports a
# configuration error if it is unset).  dir must stay defined before
# the $dir references, since OpenSSL expands variables as it reads
# each line.  unique_subject = no lets the index hold several valid
# certificates with the same subject name -- presumably so a key can
# be re-issued while the previous certificate is still valid; confirm.
[ca]
default_ca = ca
dir = ${ENV::BPKI_DIRECTORY}
new_certs_dir = $dir
database = $dir/index
certificate = $dir/ca.cer
private_key = $dir/ca.key
default_days = ${constants::cert_days}
default_crl_days = ${constants::crl_days}
default_md = ${constants::digest}
policy = ca_dn_policy
unique_subject = no
serial = $dir/serial
crlnumber = $dir/crl_number

# DN policy for 'ca': only commonName must be present in the request.
[ca_dn_policy]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
givenName = optional
surname = optional

# Daemon configuration: BPKI trust anchors, per-daemon certificates
# and keys, listening endpoints, and SQL credentials.
#
# SECURITY: sql-password values are stored in the clear, and "fnord"
# is the same placeholder in [rpkid], [irdbd] and [pubd].  Replace it
# with distinct real credentials before deployment and keep this file
# readable only by the account that runs the daemons.
[rpkid]
sql-database = rpki
sql-username = rpki
sql-password = fnord
bpki-ta = bpki.rpkid/ca.cer
rpkid-key = bpki.rpkid/rpkid.key
rpkid-cert = bpki.rpkid/rpkid.cer
irdb-cert = bpki.rpkid/irdbd.cer
irbe-cert = bpki.rpkid/irbe_cli.cer
irdb-url = https://localhost:4403/
server-host = localhost
server-port = 4404

# irdbd shares the rpkid BPKI trust anchor (bpki.rpkid/ca.cer).
[irdbd]
sql-database = irdb
sql-username = irdb
sql-password = fnord
bpki-ta = bpki.rpkid/ca.cer
rpkid-cert = bpki.rpkid/rpkid.cer
irdbd-cert = bpki.rpkid/irdbd.cer
irdbd-key = bpki.rpkid/irdbd.key
https-url = https://localhost:4403/

[pubd]
startup-message = This is pubd
sql-database = pubd
sql-username = pubd
sql-password = fnord
bpki-ta = bpki.pubd/ca.cer
pubd-cert = bpki.pubd/pubd.cer
pubd-key = bpki.pubd/pubd.key
irbe-cert = bpki.pubd/irbe_cli.cer
server-host = localhost
server-port = 4402
publication-base = publication/

# rootd: local RPKI root.  The rpki-root-* keys name the root trust
# anchor material and the publication point it is served from; the
# rootd-bpki-* keys are rootd's own BPKI identity.
[rootd]
startup-message = This is rootd
bpki-ta = bpki.rootd/ca.cer
rootd-bpki-crl = bpki.rootd/ca.crl
rootd-bpki-cert = bpki.rootd/rootd.cer
rootd-bpki-key = bpki.rootd/rootd.key
child-bpki-cert = bpki.rootd/child.cer
server-port = 4401
rpki-root-dir = publication/localhost:4400/
rpki-base-uri = rsync://localhost:4400/
rpki-root-cert-uri = rsync://localhost:4400/rootd.cer
rpki-root-key = bpki.rootd/ca.key
rpki-root-cert = bpki.rootd/rpkiroot.cer
rpki-subject-pkcs10 = rootd.subject.pkcs10
# lifetime of the certificate rootd issues to its child; the unit
# suffix is presumably parsed by rootd (OpenSSL does not read this
# section) -- confirm against rootd
rpki-subject-lifetime = 30d
rpki-root-crl = Bandicoot.crl
rpki-root-manifest = Bandicoot.mnf
rpki-class-name = Wombat
rpki-subject-cert = Wombat.cer

# Extensions for the RPKI root certificate (RFC 3779 resource
# certificate).  The two SIA access methods are id-ad-caRepository
# (1.3.6.1.5.5.7.48.5) and id-ad-rpkiManifest (1.3.6.1.5.5.7.48.10).
# The sbgp-* extensions claim the entire ASN range and all of IPv4
# and IPv6, which is only appropriate for a root / local trust anchor.
[rpki_x509_extensions]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://localhost:4400/,1.3.6.1.5.5.7.48.10;URI:rsync://localhost:4400/Bandicoot.mnf
sbgp-autonomousSysNum = critical,AS:0-4294967295
sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
certificatePolicies = critical, @rpki_certificate_policy

# RPKI certificate policy OID: id-cp-ipAddr-asNumber.
[rpki_certificate_policy]
policyIdentifier = 1.3.6.1.5.5.7.14.2