#
# ca options
#

[ca]
default_ca = osbuild_ca

[osbuild_ca]
database        = /etc/osbuild-composer/index.txt
new_certs_dir   = /etc/osbuild-composer
rand_serial     = yes

certificate     = /etc/osbuild-composer/ca-crt.pem
private_key     = /etc/osbuild-composer/ca-key.pem

default_days    = 3650
default_md      = sha256

x509_extensions = osbuild_ca_ext

# See WARNINGS in `man openssl ca`. This is ok, because it only copies
# extensions that are not already specified in `osbuild_ca_ext`.
copy_extensions = copy

preserve        = no
policy          = osbuild_ca_policy


[req]
distinguished_name = req_distinguished_name
prompt = no


[req_distinguished_name]
CN = localhost


[osbuild_ca_ext]
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign


[osbuild_ca_policy]
emailAddress = optional


#
# Extensions for server certificates
#

[osbuild_server_ext]
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth


#
# Extensions for client certificates
#

[osbuild_client_ext]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth