FakeAppleISTCA2G1.cfg

# OpenSSL intermediate CA configuration file.
# Copy to `/root/ca/intermediate/openssl.cnf`.

[ ca ]
# `man ca`
default_ca                      = CA_default

[ CA_default ]
# Directory and file locations.
dir                             = ./ISTCA2G1
certs                           = $dir/certs
crl_dir                         = $dir/crl
new_certs_dir                   = $dir/newcerts
database                        = $dir/index.txt
serial                          = $dir/serial
RANDFILE                        = $dir/private/.rand

# The root key and root certificate.
private_key	                    = $dir/private/FakeAppleISTCA2G1.key.unencrypted.pem # The private key
certificate	                    = $dir/certs/FakeAppleISTCA2G1.cert.pem 	# The CA certificate

# For certificate revocation lists.
crlnumber                       = $dir/crlnumber
crl                             = $dir/crl/intermediate.crl.pem
crl_extensions                  = crl_ext
default_crl_days                = 30

name_opt                        = ca_default
cert_opt                        = ca_default

default_days	                = 3650      	# how long to certify for
default_md	                    = sha256    			# which md to use.
preserve	                    = yes			# keep passed DN ordering
policy                          = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName		                = match
organizationName	            = match
organizationalUnitName	        = supplied
commonName		                = supplied

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName                     = optional
stateOrProvinceName             = optional
localityName                    = optional
organizationName                = optional
organizationalUnitName          = optional
commonName                      = supplied
emailAddress                    = optional

[ req ]
# Options for the `req` tool (`man req`).
prompt                          = no
encrypt_key                     = no
default_bits                    = 2048
distinguished_name              = req_distinguished_name
string_mask                     = utf8only

default_md                      = sha256

# Extension to add when the -x509 option is used.
x509_extensions                 = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = US
organizationName                = Apple Inc.
organizationalUnitName          = Certification Authority
commonName                      = Apple IST CA 2 - G1

[ v3_ca ]
# Extensions for Apple ISTCA2G1
authorityKeyIdentifier          = keyid:always,issuer
subjectKeyIdentifier            = hash
basicConstraints                = critical, CA:TRUE, pathlen:0
keyUsage                        = critical, keyCertSign, cRLSign
crlDistributionPoints           = URI:http://g.symcb.com/crls/gtglobal.crl
authorityInfoAccess             = OCSP;URI:http://g.symcd.com
certificatePolicies             = @istca2g1_polsect

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints                = CA:FALSE
nsCertType                      = client, email
nsComment                       = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer
keyUsage                        = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage                = clientAuth, emailProtection

[ dev_server_cert ]
# Extensions for server certificates (`man x509v3_config`).
authorityInfoAccess             = OCSP;URI:http://ocsp.apple.com/ocsp04-appleistca2g101
subjectKeyIdentifier            = hash
basicConstraints                = critical, CA:FALSE
authorityKeyIdentifier          = keyid:always
certificatePolicies             = @server_polsect
crlDistributionPoints           = URI:http://crl.apple.com/appleistca2g1.crl
keyUsage                        = critical, digitalSignature, keyEncipherment
extendedKeyUsage                = serverAuth, clientAuth
subjectAltName                  = DNS:api.development.push.apple.com, DNS:api.sandbox.push.apple.com IP:127.0.0.1 IP:0.0.0.0 IP:::1

[ prod_server_cert ]
# Extensions for server certificates (`man x509v3_config`).
authorityInfoAccess             = OCSP;URI:http://ocsp.apple.com/ocsp04-appleistca2g101
subjectKeyIdentifier            = hash
basicConstraints                = critical, CA:FALSE
authorityKeyIdentifier          = keyid:always
certificatePolicies             = @server_polsect
crlDistributionPoints           = URI:http://crl.apple.com/appleistca2g1.crl
keyUsage                        = critical, digitalSignature, keyEncipherment
extendedKeyUsage                = serverAuth, clientAuth
subjectAltName                  = DNS:api.push.apple.com IP:127.0.0.1 IP:0.0.0.0 IP:::1

[ server_polsect ]
policyIdentifier                = 1.2.840.113635.100.5.11.4
userNotice.1                    = @server_notice
CPS.1                           = "http://www.apple.com/certificateauthority/rpa"

[ server_notice ]
explicitText                    = "Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements."

[ istca2g1_polsect ]
policyIdentifier                = 2.16.840.1.113733.1.7.54
CPS.1                           = "http://www.apple.com/certificateauthority/rpa"

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier          = keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints                = CA:FALSE
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer
keyUsage                        = critical, digitalSignature
extendedKeyUsage                = critical, OCSPSigning