Filling In the Configuration File
This page shows how to prepare the ssl_anspca.conf configuration file for use by:
researchers/students (People);
servers/hosts (Services);
a web server (Services).
Configuration File for Researchers and Students
- There are 4 lines that must be filled in:
1.organizationalUnitName = People
0.commonName = Fulano da Silva
extendedKeyUsage = clientAuth,emailProtection
email.1 = username@email.com
- Notes:
all other lines must be left untouched;
special characters such as ('), (ç), (:), (^), (~), (") etc. are not allowed.
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_dn
x509_extensions = extensions
string_mask = nombstr
prompt = no
default_md = sha256
[ req_dn ]
0.countryName = BR
0.organizationName = ANSP
0.organizationalUnitName = ANSPGrid CA
# FILL OUT THE DESIRED OPTION
# use "People" for users or "Services" for servers
# 1.organizationalUnitName = People
# 1.organizationalUnitName = Services
1.organizationalUnitName = People
# FILL OUT THE DESIRED OPTION
# user name (no accent) or server DNS
# 0.commonName = Fulano da Silva
# 0.commonName = www.my.server.com
0.commonName = Fulano da Silva
[ extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
# FILL OUT THE DESIRED OPTION
### For user (default)
# extendedKeyUsage = clientAuth,emailProtection
### For servers
# extendedKeyUsage = serverAuth,clientAuth
extendedKeyUsage = clientAuth,emailProtection
crlDistributionPoints = URI:http://gridca.ansp.br/media/ca/anspca2.crl
certificatePolicies = ia5org,@certpolicy
subjectAltName = @altnames
[ altnames ]
# FILL OUT THE INFORMATION
#user email or server admin email
#email.1 = username@my.server.com
email.1 = username@email.com
# SERVICE ONLY - FILL OUT THE INFORMATION AND REMOVE THE COMMENT SYMBOL # FROM THE LINE
# server DNS
# DNS.1 = www.my.server.com
#DNS.1 =
[certpolicy]
policyIdentifier = 1.3.6.1.4.1.19550.3.1.4
Configuration File for Servers
- There are 5 lines that must be filled in:
1.organizationalUnitName = Services
0.commonName = www.my.server.com
extendedKeyUsage = serverAuth,clientAuth
email.1 = username@my.server.com
DNS.1 = www.my.server.com
- Notes:
all other lines must be left untouched;
special characters such as ('), (ç), (:), (^), (~), (") etc. are not allowed.
Configuration File with Only 1 DNS Name
As a rule, only the main DNS name should be entered, as in the example below.
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_dn
x509_extensions = extensions
string_mask = nombstr
prompt = no
default_md = sha256
[ req_dn ]
0.countryName = BR
0.organizationName = ANSP
0.organizationalUnitName = ANSPGrid CA
# FILL OUT THE DESIRED OPTION
# use "People" for users or "Services" for servers
# 1.organizationalUnitName = People
# 1.organizationalUnitName = Services
1.organizationalUnitName = Services
# FILL OUT THE DESIRED OPTION
# user name (no accent) or server DNS
# 0.commonName = Fulano da Silva
# 0.commonName = www.my.server.com
0.commonName = www.my.server.com
[ extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
# FILL OUT THE DESIRED OPTION
### For user (default)
# extendedKeyUsage = clientAuth,emailProtection
### For servers
# extendedKeyUsage = serverAuth,clientAuth
extendedKeyUsage = serverAuth,clientAuth
crlDistributionPoints = URI:http://gridca.ansp.br/media/ca/anspca2.crl
certificatePolicies = ia5org,@certpolicy
subjectAltName = @altnames
[ altnames ]
# FILL OUT THE INFORMATION
#user email or server admin email
#email.1 = username@my.server.com
email.1 = username@my.server.com
# SERVICE ONLY - FILL OUT THE INFORMATION AND REMOVE THE COMMENT SYMBOL # FROM THE LINE
# server DNS
# DNS.1 = www.my.server.com
DNS.1 = www.my.server.com
[certpolicy]
policyIdentifier = 1.3.6.1.4.1.19550.3.1.4
Configuration File with More Than 1 DNS Name
In some cases the main DNS name and several secondary DNS names must be given. See the example below. Note that the DNS name given in 0.commonName is repeated in DNS.1.
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_dn
x509_extensions = extensions
string_mask = nombstr
prompt = no
default_md = sha256
[ req_dn ]
0.countryName = BR
0.organizationName = ANSP
0.organizationalUnitName = ANSPGrid CA
# FILL OUT THE DESIRED OPTION
# use "People" for users or "Services" for servers
# 1.organizationalUnitName = People
# 1.organizationalUnitName = Services
1.organizationalUnitName = Services
# FILL OUT THE DESIRED OPTION
# user name (no accent) or server DNS
# 0.commonName = Fulano da Silva
# 0.commonName = www.my.server.com
0.commonName = my.server.org.br
[ extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
# FILL OUT THE DESIRED OPTION
### For user (default)
# extendedKeyUsage = clientAuth,emailProtection
### For servers
# extendedKeyUsage = serverAuth,clientAuth
extendedKeyUsage = serverAuth,clientAuth
crlDistributionPoints = URI:http://gridca.ansp.br/media/ca/anspca2.crl
certificatePolicies = ia5org,@certpolicy
subjectAltName = @altnames
[ altnames ]
# FILL OUT THE INFORMATION
#user email or server admin email
#email.1 = username@my.server.com
email.1 = username@my.server.com
# SERVICE ONLY - FILL OUT THE INFORMATION AND REMOVE THE COMMENT SYMBOL # FROM THE LINE
# server DNS
# DNS.1 = www.my.server.com
DNS.1 = my.server.org.br
DNS.2 = server01.org.br
DNS.3 = server02.org.br
DNS.4 = server03.org.br
[certpolicy]
policyIdentifier = 1.3.6.1.4.1.19550.3.1.4
Configuration File for a Web Server
- There are 5 lines that must be filled in:
1.organizationalUnitName = Services
0.commonName = www.my.server.com
extendedKeyUsage = serverAuth,clientAuth
email.1 = username@my.server.com
DNS.1 = www.my.server.com
Note
Here it is even more important to include the serverAuth extended key usage, since TLS clients check it when validating a web server's certificate.
- Notes:
all other lines must be left untouched;
special characters such as ('), (ç), (:), (^), (~), (") etc. are not allowed.
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_dn
x509_extensions = extensions
string_mask = nombstr
prompt = no
default_md = sha256
[ req_dn ]
0.countryName = BR
0.organizationName = ANSP
0.organizationalUnitName = ANSPGrid CA
# FILL OUT THE DESIRED OPTION
# use "People" for users or "Services" for servers
# 1.organizationalUnitName = People
# 1.organizationalUnitName = Services
1.organizationalUnitName = Services
# FILL OUT THE DESIRED OPTION
# user name (no accent) or server DNS
# 0.commonName = Fulano da Silva
# 0.commonName = www.my.server.com
0.commonName = www.my.server.com
[ extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
# FILL OUT THE DESIRED OPTION
### For user (default)
# extendedKeyUsage = clientAuth,emailProtection
### For servers
# extendedKeyUsage = serverAuth,clientAuth
extendedKeyUsage = serverAuth,clientAuth
crlDistributionPoints = URI:http://gridca.ansp.br/media/ca/anspca2.crl
certificatePolicies = ia5org,@certpolicy
subjectAltName = @altnames
[ altnames ]
# FILL OUT THE INFORMATION
#user email or server admin email
#email.1 = username@my.server.com
email.1 = username@my.server.com
# SERVICE ONLY - FILL OUT THE INFORMATION AND REMOVE THE COMMENT SYMBOL # FROM THE LINE
# server DNS
# DNS.1 = www.my.server.com
DNS.1 = www.my.server.com
[certpolicy]
policyIdentifier = 1.3.6.1.4.1.19550.3.1.4
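As an added example (not part of the ANSPGrid guide or its tooling), a small Python checker that enforces the rules given on this page on an ssl_anspca.conf before it is handed to openssl req: the organizational unit (People or Services) selects the expected extendedKeyUsage, email.1 must be filled in, a Services request must repeat 0.commonName as DNS.1, DNS entries are for Services only, and the filled-in values may not contain the disallowed characters. The minimal config parser and the sample config are constructed here; the sample deliberately keeps the user EKU on a Services request and leaves DNS.1 commented out.

```python
"""Check an ssl_anspca.conf against this guide's rules before handing it to openssl req."""

# Values the requester fills in may not contain quotes, ç, colon, caret or tilde (or any non-ASCII).
FORBIDDEN = set("'\"\u2018\u2019\u201c\u201dç:^~")
EXPECTED_EKU = {"People": "clientAuth,emailProtection", "Services": "serverAuth,clientAuth"}

def parse_conf(text):
    """Minimal OpenSSL-style config parser: {section: {key: value}}; comments dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()  # "[ req_dn ]" -> "req_dn"
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            conf[section][key] = value
    return conf

def check_conf(text):
    """Return the rule violations found; an empty list means the file follows the guide."""
    conf = parse_conf(text)
    dn, ext, alt = conf.get("req_dn", {}), conf.get("extensions", {}), conf.get("altnames", {})
    ou, cn = dn.get("1.organizationalUnitName"), dn.get("0.commonName", "")
    if ou not in EXPECTED_EKU:
        return ["1.organizationalUnitName must be People or Services"]
    problems = []
    if ext.get("extendedKeyUsage", "").replace(" ", "") != EXPECTED_EKU[ou]:
        problems.append(f"extendedKeyUsage for {ou} must be {EXPECTED_EKU[ou]}")
    dns = {k: v for k, v in alt.items() if k.startswith("DNS.")}
    if ou == "Services" and dns.get("DNS.1") != cn:
        problems.append("DNS.1 must repeat the server name given in 0.commonName")
    if ou == "People" and dns:
        problems.append("DNS.* entries are for Services only")
    for key, value in {"0.commonName": cn, "email.1": alt.get("email.1", ""), **dns}.items():
        if not value:
            problems.append(f"{key} must be filled in")
        if bad := {c for c in value if c in FORBIDDEN or ord(c) > 127}:
            problems.append(f"{key} contains disallowed characters: {''.join(sorted(bad))}")
    return problems

# Constructed sample: a Services request that kept the user EKU and left DNS.1 commented out.
SAMPLE_BAD = """[ req_dn ]
1.organizationalUnitName = Services
0.commonName = www.example.org
[ extensions ]
extendedKeyUsage = clientAuth,emailProtection
[ altnames ]
email.1 = admin@example.org
#DNS.1 =
"""
```

Running `check_conf(SAMPLE_BAD)` reports the wrong extendedKeyUsage and the missing DNS.1; a correctly filled file returns an empty list.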