# $Id$
#
# Config file for myrpi.py; note that this is also read by the OpenSSL
# command line tool running under mypki.py, so syntax must remain
# compatible with both OpenSSL and Python config file parsers, and
# large portions of this are OpenSSL voodoo.
#
# NOTE(review): the script name is spelled two ways above (myrpi.py and
# mypki.py); presumably both refer to the tool that reads the [myrpki]
# section -- confirm and make the spelling consistent.
#
# Because two parsers read this file, keep comments on their own lines
# starting with "#" and keep every key under a named section.

# Identity, input CSV files, output XML file and BPKI directory for the
# [myrpki] consumer.
[myrpki]
handle = wombat
roa_csv = roas.csv
children_csv = children.csv
parents_csv = parents.csv
prefix_csv = prefixes.csv
asn_csv = asns.csv
xml_filename = myrpki.xml
bpki_directory = bpki.myrpki
repository_bpki_certificate = bpki.pubd/ca.cer
repository_handle = wombat

# Shared crypto parameters; [req] and [ca] below pull these in through
# OpenSSL variable references, so a change here applies to both.
[constants]
digest = sha256
# RSA modulus size in bits, used as default_bits in [req].
key_length = 2048
cert_days = 365
# Used as default_crl_days in [ca]. A long CRL lifetime means a relying
# party can keep using an old CRL for that long, so revocations may take
# up to this many days to be noticed unless CRLs are reissued sooner.
crl_days = 365

[myirbe]
irdbd_conf = irdbd.conf
bpki_directory = bpki.myirbe
want_pubd = true
want_rootd = true
rsync_base = rsync://server.example/
pubd_base = https://localhost:4402
rpkid_base = https://localhost:4404

# Defaults for the OpenSSL "req" command.
[req]
default_bits = ${constants::key_length}
default_md = ${constants::digest}
distinguished_name = req_dn
# Take the subject from [req_dn] instead of prompting interactively.
prompt = no
# Private keys generated through this section are written WITHOUT
# passphrase encryption. Their confidentiality then rests entirely on
# filesystem permissions of the directories holding the .key files.
encrypt_key = no

# Placeholder subject name for certificate requests.
[req_dn]
CN = Dummy name for certificate request

# X.509 extension sets. Judging by the names, these are selected per
# certificate type when issuing -- confirm against the calling script.

# End-entity certificates: no basicConstraints, so no CA capability.
[ca_x509_ext_ee]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# CA certificate that may only issue end-entity certificates (pathlen 0).
[ca_x509_ext_xcert0]
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# CA certificate that may have one further CA level beneath it (pathlen 1).
[ca_x509_ext_xcert1]
basicConstraints = critical,CA:true,pathlen:1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# CA certificate with no path length limit; use only where an
# unconstrained CA is really intended.
[ca_x509_ext_ca]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# Settings for the OpenSSL "ca" command.
[ca]
default_ca = ca
# The CA directory comes from the BPKI_DIRECTORY environment variable,
# so whoever controls the environment of the openssl process chooses
# which CA key and database are used. Presumably set by the calling
# script -- confirm.
dir = ${ENV::BPKI_DIRECTORY}
new_certs_dir = $dir
database = $dir/index
certificate = $dir/ca.cer
# CA private key; see encrypt_key in [req] regarding protection at rest.
private_key = $dir/ca.key
default_days = ${constants::cert_days}
default_crl_days = ${constants::crl_days}
default_md = ${constants::digest}
policy = ca_dn_policy
# Allows several valid certificates with the same subject name in the
# CA database.
unique_subject = no
serial = $dir/serial
crlnumber = $dir/crl_number

# Subject DN policy for issued certificates: only commonName is
# required, every other attribute is optional.
[ca_dn_policy]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
givenName = optional
surname = optional

# Daemon sections follow. Each sql-password below is stored in clear
# text and all three sections use the same sample value: replace it with
# a distinct secret per database account before any real deployment and
# restrict read access to this file accordingly.

[rpkid]
sql-database = rpki
sql-username = rpki
# Sample credential in clear text -- change before deployment.
sql-password = fnord
bpki-ta = bpki.myirbe/ca.cer
rpkid-key = bpki.myirbe/rpkid.key
rpkid-cert = bpki.myirbe/rpkid.cer
irdb-cert = bpki.myirbe/irdbd.cer
irbe-cert = bpki.myirbe/irbe.cer
irdb-url = https://localhost:4403/
server-host = localhost
server-port = 4404

[irdbd]
sql-database = irdb
sql-username = irdb
# Sample credential in clear text -- change before deployment.
sql-password = fnord
bpki-ta = bpki.myirbe/ca.cer
rpkid-cert = bpki.myirbe/rpkid.cer
irdbd-cert = bpki.myirbe/irdbd.cer
irdbd-key = bpki.myirbe/irdbd.key
https-url = https://localhost:4403/

[pubd]
startup-message = This is pubd
sql-database = pubd
sql-username = pubd
# Sample credential in clear text -- change before deployment.
sql-password = fnord
bpki-ta = bpki.myirbe/ca.cer
pubd-cert = bpki.myirbe/pubd.cer
pubd-key = bpki.myirbe/pubd.key
irbe-cert = bpki.myirbe/irbe.cer
server-host = localhost
server-port = 4402
publication-base = publication/

# Client-side settings: trust anchor, client key and certificate, server
# certificate and URL for each of rpkid and pubd.
[irbe_cli]
rpkid-bpki-ta = bpki.myirbe/ca.cer
rpkid-irbe-key = bpki.myirbe/irbe.key
rpkid-irbe-cert = bpki.myirbe/irbe.cer
rpkid-cert = bpki.myirbe/rpkid.cer
rpkid-url = https://localhost:4404/left-right/
pubd-bpki-ta = bpki.myirbe/ca.cer
pubd-irbe-key = bpki.myirbe/irbe.key
pubd-irbe-cert = bpki.myirbe/irbe.cer
pubd-cert = bpki.myirbe/pubd.cer
pubd-url = https://localhost:4402/control/

[rootd]
startup-message = This is rootd
bpki-ta = bpki.myirbe/ca.cer
rootd-bpki-crl = bpki.myirbe/ca.crl
rootd-bpki-cert = bpki.myirbe/rootd.cer
rootd-bpki-key = bpki.myirbe/rootd.key
child-bpki-cert = bpki.myirbe/child.cer
server-port = 4401
rpki-root-dir = publication/
rpki-base-uri = rsync://localhost:4400/wombat/
rpki-root-cert-uri = rsync://localhost:4400/wombat/root.cer
# NOTE(review): this path looks like the same file as the [ca]
# private_key when BPKI_DIRECTORY is bpki.myirbe, i.e. the RPKI root
# would share its key with the BPKI CA. Confirm that this key reuse is
# intended for anything beyond a test setup.
rpki-root-key = bpki.myirbe/ca.key
rpki-root-cert = publication/root.cer
rpki-subject-pkcs10 = rootd.subject.pkcs10
rpki-subject-lifetime = 30d
rpki-root-crl = root.crl
rpki-root-manifest = root.mnf
rpki-class-name = wombat
rpki-subject-cert = wombat.cer

# Extensions for the RPKI root certificate. The resource extensions
# below claim every AS number and the whole IPv4 and IPv6 address space,
# so the key behind this certificate can authorise any resource to
# anyone who trusts it as a trust anchor.
[rpki_x509_extensions]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
# 1.3.6.1.5.5.7.48.5 is id-ad-caRepository and 1.3.6.1.5.5.7.48.10 is
# id-ad-rpkiManifest; the URIs should agree with rpki-base-uri and
# rpki-root-manifest in [rootd].
subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://localhost:4400/wombat/,1.3.6.1.5.5.7.48.10;URI:rsync://localhost:4400/wombat/root.mnf
sbgp-autonomousSysNum = critical,AS:0-4294967295
sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
certificatePolicies = critical, @rpki_certificate_policy

# 1.3.6.1.5.5.7.14.2 is the RPKI certificate policy OID
# (id-cp-ipAddr-asNumber).
[rpki_certificate_policy]
policyIdentifier = 1.3.6.1.5.5.7.14.2