naiveproxy/net/tools/quic/certs/ca.cnf

# Defaults in the event they're not set in the environment
CA_DIR    = out
KEY_SIZE  = 2048
ALGO      = sha256
CERT_TYPE = root
CA_NAME   = req_env_dn

[ca]
default_ca = CA_root
preserve   = yes

# The default test root, used to generate certificates and CRLs.
[CA_root]
dir           = $ENV::CA_DIR
key_size      = $ENV::KEY_SIZE
algo          = $ENV::ALGO
cert_type     = $ENV::CERT_TYPE
type          = $key_size-$algo-$cert_type
database      = $dir/$type-index.txt
new_certs_dir = $dir
serial        = $dir/$type-serial
certificate   = $dir/$type.pem
private_key   = $dir/$type.key
RANDFILE      = $dir/.rand
default_days     = 3650
default_crl_days = 30
default_md       = sha256
policy           = policy_anything
unique_subject   = no
copy_extensions  = copy

[user_cert]
# Extensions to add when signing a request for an EE cert
basicConstraints       = critical, CA:false
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage       = serverAuth,clientAuth

[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
keyUsage               = critical, keyCertSign, cRLSign

[crl_extensions]
# Extensions to add when signing a CRL
authorityKeyIdentifier = keyid:always

[policy_anything]
# Default signing policy
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = optional
emailAddress           = optional

[req]
# The request section used to generate the root CA certificate. This should
# not be used to generate end-entity certificates. For certificates other
# than the root CA, see README to find the appropriate configuration file
# (ie: openssl_cert.cnf).
default_bits       = $ENV::KEY_SIZE
default_md         = sha256
string_mask        = utf8only
prompt             = no
encrypt_key        = no
distinguished_name = $ENV::CA_NAME
x509_extensions    = req_ca_exts

[req_env_dn]
CN = QUIC Server Root CA

[req_ca_exts]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
Import chromium-70.0.3521.2 2018-08-15 01:19:20 +03:00			`# Defaults in the event they're not set in the environment`
			`CA_DIR = out`
			`KEY_SIZE = 2048`
			`ALGO = sha256`
			`CERT_TYPE = root`
			`CA_NAME = req_env_dn`

			`[ca]`
			`default_ca = CA_root`
			`preserve = yes`

			`# The default test root, used to generate certificates and CRLs.`
			`[CA_root]`
			`dir = $ENV::CA_DIR`
			`key_size = $ENV::KEY_SIZE`
			`algo = $ENV::ALGO`
			`cert_type = $ENV::CERT_TYPE`
			`type = $key_size-$algo-$cert_type`
			`database = $dir/$type-index.txt`
			`new_certs_dir = $dir`
			`serial = $dir/$type-serial`
			`certificate = $dir/$type.pem`
			`private_key = $dir/$type.key`
			`RANDFILE = $dir/.rand`
			`default_days = 3650`
			`default_crl_days = 30`
			`default_md = sha256`
			`policy = policy_anything`
			`unique_subject = no`
			`copy_extensions = copy`

			`[user_cert]`
			`# Extensions to add when signing a request for an EE cert`
			`basicConstraints = critical, CA:false`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always`
			`extendedKeyUsage = serverAuth,clientAuth`

			`[ca_cert]`
			`# Extensions to add when signing a request for an intermediate/CA cert`
			`basicConstraints = critical, CA:true`
			`subjectKeyIdentifier = hash`
			`keyUsage = critical, keyCertSign, cRLSign`

			`[crl_extensions]`
			`# Extensions to add when signing a CRL`
			`authorityKeyIdentifier = keyid:always`

			`[policy_anything]`
			`# Default signing policy`
			`countryName = optional`
			`stateOrProvinceName = optional`
			`localityName = optional`
			`organizationName = optional`
			`organizationalUnitName = optional`
			`commonName = optional`
			`emailAddress = optional`

			`[req]`
			`# The request section used to generate the root CA certificate. This should`
			`# not be used to generate end-entity certificates. For certificates other`
			`# than the root CA, see README to find the appropriate configuration file`
			`# (ie: openssl_cert.cnf).`
			`default_bits = $ENV::KEY_SIZE`
			`default_md = sha256`
			`string_mask = utf8only`
			`prompt = no`
			`encrypt_key = no`
			`distinguished_name = $ENV::CA_NAME`
			`x509_extensions = req_ca_exts`

			`[req_env_dn]`
			`CN = QUIC Server Root CA`

			`[req_ca_exts]`
			`basicConstraints = critical, CA:true`
			`keyUsage = critical, keyCertSign, cRLSign`
			`subjectKeyIdentifier = hash`