# Configuration for issuing code signing certificates
#
# Global key: names the section that holds library-wide OpenSSL settings.
# It has to stay above the first [ section ] header to remain a global key.
openssl_conf = openssl_conf
# Library-wide settings; only the provider list is configured here.
[ openssl_conf ]
providers = providers
# Providers to load; each key names the section holding that provider's options.
[ providers ]
pkcs11 = pkcs11
# PKCS#11 provider, needed so the pkcs11: URIs in [ ca_codesign ] resolve to
# objects on a hardware token rather than to key files on disk.
# NOTE(review): this file activates no default provider. OpenSSL's stock
# openssl.cnf warns that explicitly activating another provider can leave the
# default provider unavailable - confirm digests and verification still work.
# NOTE(review): no PKCS#11 module path is given here; presumably it comes from
# the provider's build default or the environment - confirm on the signing host.
[ pkcs11 ]
activate = 1
# Entry point for `openssl ca`: selects the CA profile used when none is named
# on the command line.
[ ca ]
default_ca = ca_codesign
# CA profile for code signing certificates. The CA certificate and its private
# key are both referenced by the same PKCS#11 URI, so signing goes through the
# token and no private key file is named in this configuration.
[ ca_codesign ]
certificate = pkcs11:id=%02 # 02 translates to Yubikey slot 9c
# Text index of issued certificates; relative path, so it depends on the
# directory `openssl ca` is run from.
database = ipxe-sb-ca.db
# Validity in days when none is given on the command line.
default_days = 365
default_md = sha256
# Directory that receives a copy of each issued certificate.
new_certs_dir = signed
# Subject name rules live in [ ca_policy ].
policy = ca_policy
private_key = pkcs11:id=%02 # 02 translates to Yubikey slot 9c
# Random serial numbers; no serial counter file is configured in this profile.
rand_serial = yes
# Refuse a second valid certificate with an identical subject.
unique_subject = yes
# Extensions come from [ ca_exts ] only. copy_extensions is not set, so
# extensions requested in a CSR are presumably ignored (the OpenSSL default) -
# keep it unset so a requester cannot pick its own key usages.
x509_extensions = ca_exts
# Subject name policy: the request must supply a commonName. No other field is
# listed, and `openssl ca` drops unlisted subject fields unless it is told to
# preserve the DN, so issued subjects should carry the CN alone.
[ ca_policy ]
commonName = supplied
# Extensions written into every certificate issued under [ ca_codesign ].
[ ca_exts ]
# Location from which a verifier can fetch the issuing CA certificate.
authorityInfoAccess = caIssuers;URI:https://ipxe.org/secure-boot-ca
# "always" makes issuance fail if the issuer's key identifier cannot be obtained.
authorityKeyIdentifier = keyid:always
# Purpose is limited to code signing; keyUsage is marked critical and allows
# digitalSignature only, while extendedKeyUsage is left non-critical.
extendedKeyUsage = codeSigning
keyUsage = critical,digitalSignature
# NOTE(review): basicConstraints is not set. An explicit
# `basicConstraints = critical,CA:FALSE` would state outright that issued
# certificates cannot act as CAs - confirm the signature consumers accept it.