# $Id: myrpki.conf 2722 2009-08-31 22:24:48Z sra $
#
# Config file for myrpki.py; note that this is also read by the OpenSSL
# command line tool running under myrpki.py, so syntax must remain
# compatible with both OpenSSL and Python config file parsers, and
# large portions of this are OpenSSL voodoo.

# Settings for myrpki.py itself: the CSV inputs it reads, the XML file it
# works with, and where its own BPKI material lives.
[myrpki]
# Handle this entity uses for itself; repository_handle below carries the
# same value.
handle				= Me
# Input CSV files. Paths are as written (presumably relative to the
# working directory -- verify against myrpki.py).
roa_csv				= roas.csv
children_csv			= children.csv
parents_csv			= parents.csv
prefix_csv			= prefixes.csv
asn_csv				= asns.csv
# XML file myrpki.py reads/writes; its role is defined in myrpki.py.
xml_filename			= myrpki.xml
# BPKI directory for this entity. Note this is distinct from the
# bpki.myirbe directory the daemon sections below point at.
bpki_directory			= bpki.myrpki
# BPKI CA certificate of the publication repository (presumably pubd's,
# given the bpki.pubd path) and the handle we use there.
repository_bpki_certificate	= bpki.pubd/ca.cer
repository_handle		= Me

# Shared values pulled into the OpenSSL sections below through the
# OpenSSL ${constants::name} syntax (see [req] and [ca]).
[constants]
# Message digest used for requests, certificates and CRLs.
digest				= sha256
# Key size in bits handed to OpenSSL req default_bits.
key_length			= 2048
# Validity periods, in days, for issued certificates and CRLs.
cert_days			= 365
crl_days			= 365

# Settings for the myirbe side: which daemons to run and where they are.
[myirbe]
# irdbd configuration file (how it is produced is not visible here --
# see myirbe.py).
irdbd_conf			= irdbd.conf
# BPKI directory holding the daemon-side certificates and keys that the
# [rpkid], [irdbd], [pubd] and [rootd] sections below reference.
bpki_directory			= bpki.myirbe
# Whether to run a local publication server and a local root daemon.
want_pubd			= true
want_rootd			= true
# rsync URI prefix for published objects. NOTE(review): this host differs
# from the rsync://localhost:4400/ URIs used in [rootd] and
# [rpki_x509_extensions] -- confirm that is intended.
rsync_base			= rsync://server.example/
# Service URLs; the ports match server-port in [pubd] (4402) and
# [rpkid] (4404).
pubd_base			= https://localhost:4402
rpkid_base			= https://localhost:4404

# OpenSSL "req" section used when generating BPKI keys and certificate
# requests; key size and digest come from [constants].
[req]
default_bits			= ${constants::key_length}
default_md			= ${constants::digest}
# Subject fields are taken from [req_dn] without interactive prompting.
distinguished_name		= req_dn
prompt				= no
# Private keys are written to disk unencrypted (equivalent to -nodes),
# so the bpki directories must be protected by filesystem permissions.
encrypt_key			= no

# Subject DN for certificate requests; only CN is set, and the value is a
# placeholder. Confirm whether the issuing code replaces it before use.
[req_dn]
CN                      	= Dummy name for certificate request

# OpenSSL X.509 extension profiles selected when issuing BPKI certs.
#
# Presumably the end-entity profile: no basicConstraints, so the
# certificate is not a CA.
[ca_x509_ext_ee]
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid:always

# CA profiles, from most to least constrained. A critical
# basicConstraints with pathlen:0 allows issuing end-entity certs only.
[ca_x509_ext_xcert0]
basicConstraints		= critical,CA:true,pathlen:0
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid:always

# pathlen:1 allows one further level of subordinate CA.
[ca_x509_ext_xcert1]
basicConstraints		= critical,CA:true,pathlen:1
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid:always

# Unconstrained CA (no pathlen).
[ca_x509_ext_ca]
basicConstraints		= critical,CA:true
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid:always

# OpenSSL "ca" section used to issue BPKI certificates and CRLs.
# default_ca points back at this same section.
[ca]
default_ca			= ca
# The CA directory is taken from the BPKI_DIRECTORY environment variable,
# so whatever invokes openssl with this config must export it.
dir				= ${ENV::BPKI_DIRECTORY}
new_certs_dir			= $dir
database			= $dir/index
certificate			= $dir/ca.cer
private_key			= $dir/ca.key
default_days			= ${constants::cert_days}
default_crl_days		= ${constants::crl_days}
default_md			= ${constants::digest}
# Which subject fields must be present; see [ca_dn_policy].
policy				= ca_dn_policy
# Allow more than one valid certificate with the same subject in the
# index (presumably so re-issuance/rollover works without revoking first).
unique_subject			= no
serial				= $dir/serial
crlnumber			= $dir/crl_number

# DN policy for [ca]: commonName must be present ("supplied"); every other
# field is optional.
[ca_dn_policy]
countryName			= optional
stateOrProvinceName		= optional
localityName			= optional
organizationName		= optional
organizationalUnitName		= optional
commonName			= supplied
emailAddress			= optional
givenName			= optional
surname				= optional

# rpkid daemon settings.
[rpkid]

# Database credentials. These are example placeholders (the same "fnord"
# password appears in [irdbd] and [pubd] too); they are stored in clear
# text, so change them per deployment and keep this file's read
# permissions restrictive.
sql-database			= rpki
sql-username			= rpki
sql-password    		= fnord
# BPKI trust anchor plus rpkid's own key/cert and the peer certs
# (irdbd, IRBE), all under the [myirbe] bpki_directory.
bpki-ta         		= bpki.myirbe/ca.cer
rpkid-key       		= bpki.myirbe/rpkid.key
rpkid-cert      		= bpki.myirbe/rpkid.cer
irdb-cert       		= bpki.myirbe/irdbd.cer
irbe-cert       		= bpki.myirbe/irbe.cer
# Matches https-url in [irdbd].
irdb-url        		= https://localhost:4403/
# Listening address; the port matches rpkid_base in [myirbe].
server-host     		= localhost
server-port     		= 4404

# irdbd daemon settings.
[irdbd]

# Database credentials; example placeholder password in clear text --
# change per deployment and restrict this file's permissions.
sql-database    		= irdb
sql-username    		= irdb
sql-password    		= fnord
# BPKI trust anchor, rpkid's cert (the expected peer) and irdbd's own
# cert/key, all under the [myirbe] bpki_directory.
bpki-ta         		= bpki.myirbe/ca.cer
rpkid-cert      		= bpki.myirbe/rpkid.cer
irdbd-cert      		= bpki.myirbe/irdbd.cer
irdbd-key       		= bpki.myirbe/irdbd.key
# Must agree with irdb-url in [rpkid].
https-url			= https://localhost:4403/

# pubd (publication server) settings.
[pubd]

startup-message			= This is pubd

# Database credentials; example placeholder password in clear text --
# change per deployment and restrict this file's permissions.
sql-database            	= pubd
sql-username            	= pubd
sql-password            	= fnord
# BPKI trust anchor, pubd's own cert/key and the IRBE's cert.
bpki-ta                 	= bpki.myirbe/ca.cer
pubd-cert               	= bpki.myirbe/pubd.cer
pubd-key                	= bpki.myirbe/pubd.key
irbe-cert               	= bpki.myirbe/irbe.cer
# Listening address; the port matches pubd_base in [myirbe].
server-host             	= localhost
server-port             	= 4402
# Directory published objects are written to; [rootd] rpki-root-dir
# uses the same path.
publication-base        	= publication/

# rootd (root/trust-anchor daemon) settings.
[rootd]

startup-message			= This is rootd

# BPKI material: trust anchor, CRL, rootd's own cert/key and the cert
# of its single child.
bpki-ta                 	= bpki.myirbe/ca.cer
rootd-bpki-crl          	= bpki.myirbe/ca.crl
rootd-bpki-cert         	= bpki.myirbe/rootd.cer
rootd-bpki-key          	= bpki.myirbe/rootd.key
child-bpki-cert         	= bpki.myirbe/child.cer

server-port             	= 4401

# Where the root publishes and the rsync URIs it advertises; these must
# stay in step with subjectInfoAccess in [rpki_x509_extensions].
rpki-root-dir           	= publication/
rpki-base-uri           	= rsync://localhost:4400/Me/
rpki-root-cert-uri      	= rsync://localhost:4400/Me/root.cer

# NOTE(review): the RPKI root signing key is the same file as the BPKI
# CA key when BPKI_DIRECTORY is bpki.myirbe (see [ca] private_key). For
# an example that may be fine; in a real deployment the RPKI root key and
# the BPKI CA key should be separate.
rpki-root-key           	= bpki.myirbe/ca.key
rpki-root-cert          	= publication/root.cer

# PKCS#10 request for the subject cert and its lifetime; the "d" suffix
# is interpreted by rootd, not by the config parser -- verify the format.
rpki-subject-pkcs10     	= rootd.subject.pkcs10
rpki-subject-lifetime   	= 30d

# CRL and manifest filenames (relative to rpki-root-dir, presumably).
rpki-root-crl           	= root.crl
rpki-root-manifest      	= root.mnf

rpki-class-name         	= Me
rpki-subject-cert       	= Me.cer

# X.509 extensions for the self-signed RPKI root certificate.
[rpki_x509_extensions]
basicConstraints        	= critical,CA:true
subjectKeyIdentifier    	= hash
keyUsage                	= critical,keyCertSign,cRLSign
# Subject Information Access: id-ad-caRepository (1.3.6.1.5.5.7.48.5)
# pointing at the publication point and id-ad-rpkiManifest
# (1.3.6.1.5.5.7.48.10) at the manifest. Both URIs currently match
# rpki-base-uri and rpki-root-manifest in [rootd]; keep them in sync.
subjectInfoAccess       	= 1.3.6.1.5.5.7.48.5;URI:rsync://localhost:4400/Me/,1.3.6.1.5.5.7.48.10;URI:rsync://localhost:4400/Me/root.mnf
# RFC 3779 resource extensions claiming the entire AS number range and
# the whole IPv4/IPv6 address space, as a root certificate does.
sbgp-autonomousSysNum   	= critical,AS:0-4294967295
sbgp-ipAddrBlock        	= critical,IPv4:0.0.0.0/0,IPv6:0::/0
# Policy OID comes from the [rpki_certificate_policy] section.
certificatePolicies     	= critical, @rpki_certificate_policy

# RPKI certificate policy (id-cp-ipAddr-asNumber), referenced by
# certificatePolicies in [rpki_x509_extensions].
[rpki_certificate_policy]

policyIdentifier = 1.3.6.1.5.5.7.14.2