
Commit a359655

haoxianghuaapavlo
authored andcommitted
add configuration files
1 parent 82de935 commit a359655


3 files changed

+266
-1
lines changed


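--- a/data/intermediate_openssl.cnf
+++ b/data/intermediate_openssl.cnf
@@ -0,0 +1,133 @@
+# OpenSSL root CA configuration file.
+# Copy to `/root/ca/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = .
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/intermediate.key.pem
+certificate = $dir/certs/intermediate.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/intermediate.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = US
+stateOrProvinceName_default = PA
+localityName_default = Pittsburgh
+0.organizationName_default =
+organizationalUnitName_default =
+emailAddress_default =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+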
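Review bot: The comments at lines 1-2 and 18 still describe the root CA (`# OpenSSL root CA configuration file.`, ``# Copy to `/root/ca/openssl.cnf`.``, `# The root key and root certificate.`) although this file points at `intermediate.key.pem` and selects `policy_loose`; an operator following the header would copy the intermediate config over the root CA's. Suggested wording is `# OpenSSL intermediate CA configuration file.` and `# The intermediate key and intermediate certificate.`, with the copy path changed to the intermediate CA's own directory. Separately, `dir = .` here and in data/openssl.cnf makes both configs resolve `index.txt`, `serial` and `crlnumber` against the working directory; if both CAs are ever run from the same directory they would share one database and serial counter, so a distinct directory per CA looks advisable.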

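--- a/data/openssl.cnf
+++ b/data/openssl.cnf
@@ -0,0 +1,132 @@
+# OpenSSL root CA configuration file.
+# Copy to `/root/ca/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = .
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = US
+stateOrProvinceName_default = PA
+localityName_default = Pittsburgh
+0.organizationName_default =
+organizationalUnitName_default =
+emailAddress_default =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning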
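Review bot: `[ policy_strict ]` in this root config sets `countryName`, `stateOrProvinceName` and `organizationName` to `optional`, so the `policy = policy_strict` selected in `[ CA_default ]` enforces nothing beyond a supplied `commonName`, and the comment above the section ("should only sign intermediate certificates that match") no longer describes what the root will sign. The intermediate config in the same commit keeps `match` for those three fields, which suggests the root copy was relaxed by accident or for a test fixture. Restore `countryName = match`, `stateOrProvinceName = match` and `organizationName = match` here; if the relaxation is deliberate, update the comment so nobody assumes the root constrains subject names.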

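--- a/script/testing/jdbc/test_jdbc.sh
+++ b/script/testing/jdbc/test_jdbc.sh
@@ -12,4 +12,4 @@ else
 java -cp out.jar:./lib/postgresql-9.4.1209.jre6.jar PelotonTest $1 $2
 fi
 
-#java -cp out.jar:./lib/postgresql-9.4.1209.jre6.jar SSLTest $1
+java -cp out.jar:./lib/postgresql-9.4.1209.jre6.jar SSLTest $1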
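Review bot: The script's exit status is now whatever `SSLTest` returns, because the enabled line 15 is the last command and runs after `fi` whichever branch was taken; unless `set -e` is in effect above the hunk (not visible here), a failing `PelotonTest` is masked whenever `SSLTest` passes. Consider saving the earlier result right after `fi` with `rc=$?` and finishing with `[ "$rc" -eq 0 ] || exit "$rc"` after the SSL run, or enabling `set -e` at the top of the script. The new line also passes `$1` unquoted, so `SSLTest "$1"` would keep an argument containing spaces or glob characters intact. The `if`/`else` this follows starts outside the hunk.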
