# OpenSSL configuration file for Hotspot 2.0 PKI (Intermediate CA)

# Base directory for relative paths; note that $ENV::HOME below reads the
# process environment variable HOME, not this key
HOME			= .
# PRNG seed file (mostly irrelevant on modern OpenSSL, which seeds from the OS)
RANDFILE		= $ENV::HOME/.rnd
# Section in which custom OID names are declared
oid_section		= new_oids

[ new_oids ]

# No custom OIDs are declared: the logotype extension is written by its
# numeric OID (1.3.6.1.5.5.7.1.12) in the extension sections instead.
#logotypeoid=1.3.6.1.5.5.7.1.12

####################################################################
[ ca ]
# Section that "openssl ca" uses unless -name selects another one
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

# Relative paths below resolve against the working directory of the openssl
# process, not against the location of this file
dir		= ./demoCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
# With unique_subject left at its default (yes) a second valid certificate
# for an already-issued subject is refused
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certificates with same subject
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
# keep this file readable only by the CA operator
private_key	= $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

# Extension profile used when "openssl ca" runs without -extensions; the
# ext_server / v3_osu_server / v3_OCSP sections are not referenced anywhere
# in this file and presumably get selected with -extensions on the command line
x509_extensions	= ext_client		# The extensions to add to the cert

name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# 'copy' carries every extension in the CSR that the selected extension
# section does not itself define into the issued certificate.  The
# subjectAltName lines in ext_client / ext_server are commented out
# (@ALTNAME@), so a requester-supplied SAN is copied verbatim -- check the
# CSR's extensions before signing.
copy_extensions = copy

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
# NOTE(review): 'default' leaves the signature digest to the OpenSSL build;
# if SHA-256 is mandated, set default_md = sha256 or pass -md sha256 -- confirm
default_md	= default		# use public key default MD
preserve	= no			# no: subject DN follows the policy section order, not the request's

# Policy applied to request DNs by default; policy_osu_server and
# policy_anything below are only used when chosen with -policy
policy		= policy_match

# For the CA policy
[ policy_match ]
# Default policy (see CA_default.policy): 'supplied' fields must be present
# in the request, 'optional' ones may be; nothing has to match the CA's DN.
countryName		= supplied
stateOrProvinceName	= optional
organizationName	= supplied
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ policy_osu_server ]
# Stricter policy for OSU server requests: C and O must equal the CA
# certificate's own values ('match'); OU and CN must be present.  Not
# referenced by CA_default, so it applies only when passed via -policy.
countryName		= match
stateOrProvinceName	= optional
organizationName	= match
organizationalUnitName	= supplied
commonName		= supplied
emailAddress		= optional

[ policy_anything ]
# Loosest policy: only a commonName is required.  Not referenced by
# CA_default; applies only when passed via -policy.
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
# RSA key size for keys generated by "openssl req"
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert (req -x509 only)

# Template placeholders, presumably substituted by the generation script.
# The generated file then holds the key passphrase in clear text: keep it
# out of version control and readable only by the CA operator.
input_password = @PASSWORD@
output_password = @PASSWORD@

# Encode DN strings as UTF8String only (no T61String / BMPString)
string_mask = utf8only

[ req_distinguished_name ]
# Prompt text, defaults and length limits for the subject DN; fields are
# prompted for (and the DN built) in the order listed here.
countryName			= Country Name (2 letter code)
# site-specific defaults -- adjust for the deployment
countryName_default		= FI
countryName_min			= 2
countryName_max			= 2

localityName			= Locality Name (eg, city)
localityName_default		= Tuusula

0.organizationName		= Organization Name (eg, company)
# filled in by template substitution
0.organizationName_default	= @DOMAIN@

# OU prompting is disabled; the @OU@ marker is presumably replaced at
# generation time when an OU is wanted
##organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
#@OU@

commonName			= Common Name (e.g. server FQDN or YOUR name)
# template marker, presumably replaced by a commonName_default line
#@CN@
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64

[ req_attributes ]
# intentionally empty: no request attributes (e.g. challengePassword) are prompted for

[ v3_ca ]

# Hotspot 2.0 PKI requirements
# Extension profile for this intermediate CA's own certificate.  Through
# [ req ] x509_extensions it is applied to "req -x509" self-signed output.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# pathlen:0 - this CA may issue end-entity certificates only, no sub-CAs
basicConstraints = critical, CA:true, pathlen:0
# the CA key signs certificates and CRLs, nothing else
keyUsage = critical, cRLSign, keyCertSign
authorityInfoAccess = OCSP;URI:@OCSP_URI@
# For SP intermediate CA
# Disabled variants: a SAN otherName that appears to carry the OSU friendly
# name, and a name constraint limiting the SP CA to DNS names under @DOMAIN@
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
#nameConstraints=permitted;DNS:.@DOMAIN@
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn

[ v3_osu_server ]

# NOTE(review): CA:true on a section named for a server certificate looks
# inconsistent with ext_server (CA:FALSE); confirm this is intentional before
# issuing with -extensions v3_osu_server.
basicConstraints = critical, CA:true, pathlen:0
# NOTE(review): only keyEncipherment is asserted and no extendedKeyUsage is
# set; TLS key exchanges that sign the handshake (ECDHE) also need
# digitalSignature -- confirm against the OSU server certificate requirements.
keyUsage = critical, keyEncipherment
# template marker, presumably replaced by a subjectAltName line at generation time
#@ALTNAME@

# Logotype extension (id-pe-logotype, RFC 3709) given by numeric OID because
# the logotypeoid alias in [ new_oids ] is commented out
#logotypeoid=ASN1:SEQUENCE:LogotypeExtn
1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
# ASN.1 layout of the logotype extension (RFC 3709), assembled by the ASN1:
# generator from the sections below.  Only communityLogos is populated.
[LogotypeExtn]
communityLogos=EXP:0,SEQUENCE:LogotypeInfo
[LogotypeInfo]
# note: implicit tag converted to explicit for CHOICE
direct=EXP:0,SEQUENCE:LogotypeData
[LogotypeData]
image=SEQUENCE:LogotypeImage
[LogotypeImage]
imageDetails=SEQUENCE:LogotypeDetails
imageInfo=SEQUENCE:LogotypeImageInfo
[LogotypeDetails]
mediaType=IA5STRING:image/png
# hash of the image bytes so a relying party can verify what it fetches from logotypeURI
logotypeHash=SEQUENCE:HashAlgAndValues
logotypeURI=SEQUENCE:URI
[HashAlgAndValues]
# only the SHA-256 value is emitted; the SHA-1 sections below are kept but unused
value1=SEQUENCE:HashAlgAndValueSHA256
#value2=SEQUENCE:HashAlgAndValueSHA1
[HashAlgAndValueSHA256]
hashAlg=SEQUENCE:sha256_alg
# hex SHA-256 of the logo file, filled in by template substitution
hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@
[HashAlgAndValueSHA1]
hashAlg=SEQUENCE:sha1_alg
hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@
[sha256_alg]
algorithm=OID:sha256
[sha1_alg]
algorithm=OID:sha1
[URI]
# where clients download the logo; filled in by template substitution
uri=IA5STRING:@LOGO_URI@
[LogotypeImageInfo]
# default value color(1), component optional
#type=IMP:0,INTEGER:1
# NOTE(review): byte count and pixel dimensions are hard-coded rather than
# template placeholders; they must be updated by hand whenever the logo file
# behind @LOGO_URI@ / @LOGO_HASH256@ changes, or the extension misdescribes it.
fileSize=INTEGER:7549
xSize=INTEGER:128
ySize=INTEGER:80
# zxx = ISO 639-2 code for "no linguistic content"
language=IMP:4,IA5STRING:zxx

[ crl_ext ]

# CRL extensions: only an authority key identifier is added.  Not referenced
# via crl_extensions in CA_default, so presumably selected with -crlexts.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ v3_OCSP ]

# OCSP responder signing certificate
# NOTE(review): not marked critical, unlike the other end-entity sections
basicConstraints = CA:FALSE
# NOTE(review): signing OCSP responses needs only digitalSignature;
# nonRepudiation and keyEncipherment are broader than this key requires --
# confirm before trimming
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# lets the issuing CA delegate response signing to this key (RFC 6960);
# if this certificate itself should not be OCSP-checked, OpenSSL's noCheck
# extension is the usual addition -- confirm against the responder setup
extendedKeyUsage = OCSPSigning

[ ext_client ]

# End-entity client certificate profile; the default via CA_default.x509_extensions
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
# template marker, presumably replaced by a subjectAltName line at generation time
#@ALTNAME@
# No keyUsage is set here, so with copy_extensions = copy any keyUsage (or
# subjectAltName) carried in the CSR is copied into the certificate unchanged
extendedKeyUsage = clientAuth

[ ext_server ]

# Hotspot 2.0 PKI requirements
# End-entity server certificate profile; selected with -extensions ext_server
basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
# template marker, presumably replaced by a subjectAltName line at generation
# time; while it is commented out a SAN comes only from the CSR (copy_extensions)
#@ALTNAME@
extendedKeyUsage = critical, serverAuth
# NOTE(review): only keyEncipherment is asserted; TLS key exchanges that sign
# the handshake (ECDHE) also need digitalSignature -- confirm against the
# server certificate requirements
keyUsage = critical, keyEncipherment