
Examples by use case

Example of (A)HAB profiles

If the (A)HAB tree consists of SRK roots and IMG/CSF/SGK End-Entity certificates, the following profiles can be used as examples.

(A)HAB root CA profile

Example of an (A)HAB root CA profile. The Common Name must be left empty because it is populated from the product information.

# Config file for the Root profile. Do not use TABS (YAML does not allow
# tab characters for indentation).
# Do not modify the CommonName if this is used as HAB CA.
---
Name: NXP i.MX6 HABv4 Root CA Profile
# Distinguished name of the CA
DN:
  Organization: Customer
  # OrganizationalUnit:
  # Country: FI
  # Province:
  # Locality:
  # StreetAddress:
  # PostalCode:
  # SerialNumber
  # CommonName stays commented out, so this profile sets no Common Name.
  # CommonName: HAB Root CA
# EndEntity is 1, Sub CA profile 2, Root profile 3
ProfileType: 3
# SignatureAlgorithms
#  SHA1WithRSA = 3
#  SHA256WithRSA = 4
#  SHA384WithRSA = 5
#  SHA512WithRSA = 6
#  DSAWithSHA1 = 7
#  DSAWithSHA256 = 8
#  ECDSAWithSHA1 = 9
#  ECDSAWithSHA256 = 10
#  ECDSAWithSHA384 = 11
#  ECDSAWithSHA512 = 12
#  SHA256WithRSAPSS = 13
#  SHA384WithRSAPSS = 14
#  SHA512WithRSAPSS = 15
# 4 selects SHA256WithRSA. NOTE(review): the SHA-1 based values (3, 7, 9)
# are collision-weak and should not be chosen for new certificates.
SignatureAlgorithm: 4
# KeyAlgorithms
#   RSAAlgorithm = 1
#   ECDSAAlgorithm = 2
# 1 selects RSA. The key size is not set in this profile; presumably it is
# chosen where the key is generated -- confirm.
KeyAlgorithm: 1
# Validity of the certificate in duration (max 290 years) or with absolute date in RFC3339 e.g. 9999-12-31T23:59:59Z.
# Example in absolute date "9999-12-31T23:59:59Z".
# Example in duration "1h10m10s". Only h, m and/or s are accepted.
ValidityPeriod: "1752000h" # 200 Years
BasicConstraints:
  BasicConstraintsValid: true
  IsCA: true
  MaxPathLen: 0
  # MaxPathLenZero indicates that BasicConstraintsValid==true
  # and MaxPathLen==0 should be interpreted as an actual
  # maximum path length of zero. Otherwise, that combination is
  # interpreted as MaxPathLen not being set.
  # NOTE(review): with false here, the MaxPathLen: 0 above counts as
  # "not set" per the rule just described, so no path length limit is
  # requested. If this root should only ever issue End-Entity
  # certificates directly, true would state that limit explicitly --
  # confirm against the HAB tooling before changing it.
  MaxPathLenZero: false
AddSKI: true
AddAKI: true
# KeyUsages
#  KeyUsageDigitalSignature = 1
#  KeyUsageContentCommitment = 2
#  KeyUsageKeyEncipherment = 4
#  KeyUsageDataEncipherment = 8
#  KeyUsageKeyAgreement = 16
#  KeyUsageCertSign = 32
#  KeyUsageCRLSign = 64
#  KeyUsageEncipherOnly = 128
#  KeyUsageDecipherOnly = 256
# Only CertSign (32) is granted. NOTE(review): CRLSign (64) is not set;
# add it if this CA is expected to sign its own CRLs.
KeyUsage:
  - 32
# No list entries follow this key, so it parses as YAML null (no extended
# key usages requested).
ExtendedKeyUsage:
  # ExtendedKeyUsages
  #  ExtKeyUsageAny = 0
  #  ExtKeyUsageServerAuth = 1
  #  ExtKeyUsageClientAuth = 2
  #  ExtKeyUsageCodeSigning = 3
  #  ExtKeyUsageEmailProtection = 4
  #  ExtKeyUsageIPSECEndSystem = 5
  #  ExtKeyUsageIPSECTunnel = 6
  #  ExtKeyUsageIPSECUser = 7
  #  ExtKeyUsageTimeStamping = 8
  #  ExtKeyUsageOCSPSigning = 9
  #  ExtKeyUsageMicrosoftServerGatedCrypto = 10
  #  ExtKeyUsageNetscapeServerGatedCrypto = 11
  #  ExtKeyUsageMicrosoftCommercialCodeSigning = 12
  #  ExtKeyUsageMicrosoftKernelCodeSigning = 13
# ExtraExtensions: true
# SANUsage: true
# CRLDistributionPoints. List of URI strings.
#CRLDistributionPoints:

# PolicyIdentifiers. List of ASN1 policy OIDS
# The OIDs below are commented-out examples; presumably they are to be
# replaced with policy OIDs the issuing organization controls.
#PolicyIdentifiers:
#  - 1.10.123.432.4.5
#  - 2.10.123.432.4.65

End-Entity profile

Example of an End-Entity profile. The Common Name must be left empty because it is populated from the product information. This profile is used for the IMG, CSF and SGK use cases.

# Config file for the End-Entity profile. Do not use TABS (YAML does not
# allow tab characters for indentation).
# Do not modify the CommonName if this is used as End-Entity Certificate and the Common Name comes from the product template.
---
Name: NXP i.MX6 HABv4 EndEntity Profile
DN:
  Organization: Customer
  # OrganizationalUnit: R&D
  # Country: FI
  # Province:
  #- Something
  # Locality:
  # StreetAddress:
  # PostalCode:
  # SerialNumber
  # CommonName stays commented out, so this profile sets no Common Name.
  # CommonName: IMG
# EndEntity is 1, Sub CA profile 2, Root profile 3
ProfileType: 1
# SignatureAlgorithms
#  SHA1WithRSA = 3
#  SHA256WithRSA = 4
#  SHA384WithRSA = 5
#  SHA512WithRSA = 6
#  DSAWithSHA1 = 7
#  DSAWithSHA256 = 8
#  ECDSAWithSHA1 = 9
#  ECDSAWithSHA256 = 10
#  ECDSAWithSHA384 = 11
#  ECDSAWithSHA512 = 12
#  SHA256WithRSAPSS = 13
#  SHA384WithRSAPSS = 14
#  SHA512WithRSAPSS = 15
# 4 selects SHA256WithRSA. NOTE(review): the SHA-1 based values (3, 7, 9)
# are collision-weak and should not be chosen for new certificates.
SignatureAlgorithm: 4
# KeyAlgorithms
#   RSAAlgorithm = 1
#   ECDSAAlgorithm = 2
KeyAlgorithm: 1
# Validity of the certificate in duration (max 290 years) or with absolute date in RFC3339 e.g. 9999-12-31T23:59:59Z.
# Example in absolute date "9999-12-31T23:59:59Z".
# Example in duration "1h10m10s". Only h, m and/or s are accepted.
# NOTE(review): a 200-year validity means expiry will never retire this
# certificate; limiting the exposure of a compromised signing key then
# depends on revocation or re-keying -- confirm how the target platform
# handles that.
ValidityPeriod: "1752000h" # 200 Years
BasicConstraints:
  BasicConstraintsValid: true
  # Not a CA: certificates from this profile cannot issue further ones.
  IsCA: false
AddSKI: true
AddAKI: true
# KeyUsages
#  KeyUsageDigitalSignature = 1
#  KeyUsageContentCommitment = 2
#  KeyUsageKeyEncipherment = 4
#  KeyUsageDataEncipherment = 8
#  KeyUsageKeyAgreement = 16
#  KeyUsageCertSign = 32
#  KeyUsageCRLSign = 64
#  KeyUsageEncipherOnly = 128
#  KeyUsageDecipherOnly = 256
# Only DigitalSignature (1) is granted.
KeyUsage: 
  - 1
# No list entries follow this key, so it parses as YAML null (no extended
# key usages requested).
ExtendedKeyUsage:
  # ExtendedKeyUsages
  #  ExtKeyUsageAny = 0
  #  ExtKeyUsageServerAuth = 1
  #  ExtKeyUsageClientAuth = 2
  #  ExtKeyUsageCodeSigning = 3
  #  ExtKeyUsageEmailProtection = 4
  #  ExtKeyUsageIPSECEndSystem = 5
  #  ExtKeyUsageIPSECTunnel = 6
  #  ExtKeyUsageIPSECUser = 7
  #  ExtKeyUsageTimeStamping = 8
  #  ExtKeyUsageOCSPSigning = 9
  #  ExtKeyUsageMicrosoftServerGatedCrypto = 10
  #  ExtKeyUsageNetscapeServerGatedCrypto = 11
  #  ExtKeyUsageMicrosoftCommercialCodeSigning = 12
  #  ExtKeyUsageMicrosoftKernelCodeSigning = 13
# NOTE(review): the effect of ExtraExtensions and SANUsage is defined by the
# consuming tool and is not described in this file -- confirm what a
# requester can supply through them before enabling.
ExtraExtensions: true
SANUsage: true
# CRLDistributionPoints. List of URI strings.
#CRLDistributionPoints:

# PolicyIdentifiers. List of ASN1 policy OIDS
#PolicyIdentifiers:
#  - 1.10.123.432.4.5
#  - 2.10.123.432.4.65

# EnforceUniqueDN enables the checking if a certificate has been issued with the same subject DN from the CA
# Values true or false
# Left commented out here, so the profile does not set it either way.
#EnforceUniqueDN: true

Example of Windows signing profile

Windows signing uses an externally issued certificate. Even though the certificate is externally issued, a certificate profile is still needed.

# Config file for the End-Entity profile. Do not use TABS (YAML does not
# allow tab characters for indentation).
---
Name: Windows End-Entity profile
# Every DN field below is commented out, so DN itself parses as YAML null.
DN:
  # Organization: Test Comp
  # OrganizationalUnit: R&D
  # Country: FI
  # Province:
  #- Something
  # Locality:
  # StreetAddress:
  # PostalCode:
  # SerialNumber
  # CommonName: IMG
# EndEntity is 1, Sub CA profile 2, Root profile 3
ProfileType: 1
# SignatureAlgorithms
#  SHA1WithRSA = 3
#  SHA256WithRSA = 4
#  SHA384WithRSA = 5
#  SHA512WithRSA = 6
#  DSAWithSHA1 = 7
#  DSAWithSHA256 = 8
#  ECDSAWithSHA1 = 9
#  ECDSAWithSHA256 = 10
#  ECDSAWithSHA384 = 11
#  ECDSAWithSHA512 = 12
#  SHA256WithRSAPSS = 13
#  SHA384WithRSAPSS = 14
#  SHA512WithRSAPSS = 15
# 4 selects SHA256WithRSA. NOTE(review): the SHA-1 based values (3, 7, 9)
# are collision-weak and should not be chosen for new certificates.
SignatureAlgorithm: 4
# KeyAlgorithms
#   RSAAlgorithm = 1
#   ECDSAAlgorithm = 2
KeyAlgorithm: 1
# Validity of the certificate in duration (max 290 years) or with absolute date in RFC3339 e.g. 9999-12-31T23:59:59Z.
# Example in absolute date "9999-12-31T23:59:59Z".
# Example in duration "1h10m10s". Only h, m and/or s are accepted.
ValidityPeriod: "876000h" # 100 Years
BasicConstraints:
  BasicConstraintsValid: true
  IsCA: false
AddSKI: true
AddAKI: true
# KeyUsages
#  KeyUsageDigitalSignature = 1
#  KeyUsageContentCommitment = 2
#  KeyUsageKeyEncipherment = 4
#  KeyUsageDataEncipherment = 8
#  KeyUsageKeyAgreement = 16
#  KeyUsageCertSign = 32
#  KeyUsageCRLSign = 64
#  KeyUsageEncipherOnly = 128
#  KeyUsageDecipherOnly = 256
# NOTE(review): KeyUsage has no value, so it parses as YAML null rather
# than an empty list. If "no key usages" is intended, writing [] would
# state it explicitly -- confirm how the consumer treats null first.
KeyUsage:
# No list entries follow this key either, so it also parses as YAML null.
ExtendedKeyUsage:
  # ExtendedKeyUsages
  #  ExtKeyUsageAny = 0
  #  ExtKeyUsageServerAuth = 1
  #  ExtKeyUsageClientAuth = 2
  #  ExtKeyUsageCodeSigning = 3
  #  ExtKeyUsageEmailProtection = 4
  #  ExtKeyUsageIPSECEndSystem = 5
  #  ExtKeyUsageIPSECTunnel = 6
  #  ExtKeyUsageIPSECUser = 7
  #  ExtKeyUsageTimeStamping = 8
  #  ExtKeyUsageOCSPSigning = 9
  #  ExtKeyUsageMicrosoftServerGatedCrypto = 10
  #  ExtKeyUsageNetscapeServerGatedCrypto = 11
  #  ExtKeyUsageMicrosoftCommercialCodeSigning = 12
  #  ExtKeyUsageMicrosoftKernelCodeSigning = 13
# NOTE(review): the effect of ExtraExtensions and SANUsage is defined by the
# consuming tool and is not described in this file -- confirm.
ExtraExtensions: true
SANUsage: true

Example of RAUC profiles

In this example, RAUC signing uses a Root CA and an End-Entity certificate; the End-Entity certificate is used for RAUC bundle signing.

RAUC CA profile

Example of RAUC root CA profile.

# Config file for the Root profile. Do not use TABS (YAML does not allow
# tab characters for indentation).
---
Name: Generic Root CA
# Distinguished name of the CA
DN:
  # Organization:
  # OrganizationalUnit:
  Country: FI
  # Province:
  # Locality:
  # StreetAddress:
  # PostalCode:
  # SerialNumber
  # CommonName: Generic Root CA
# EndEntity is 1, Sub CA profile 2, Root profile 3
ProfileType: 3
# SignatureAlgorithms
#  SHA1WithRSA = 3
#  SHA256WithRSA = 4
#  SHA384WithRSA = 5
#  SHA512WithRSA = 6
#  DSAWithSHA1 = 7
#  DSAWithSHA256 = 8
#  ECDSAWithSHA1 = 9
#  ECDSAWithSHA256 = 10
#  ECDSAWithSHA384 = 11
#  ECDSAWithSHA512 = 12
#  SHA256WithRSAPSS = 13
#  SHA384WithRSAPSS = 14
#  SHA512WithRSAPSS = 15
# 4 selects SHA256WithRSA. NOTE(review): the SHA-1 based values (3, 7, 9)
# are collision-weak and should not be chosen for new certificates.
SignatureAlgorithm: 4
# KeyAlgorithms
#   RSAAlgorithm = 1
#   ECDSAAlgorithm = 2
KeyAlgorithm: 1
# Validity of the certificate in duration (max 290 years) or with absolute date in RFC3339 e.g. 9999-12-31T23:59:59Z.
# Example in absolute date "9999-12-31T23:59:59Z".
# Example in duration "1h10m10s". Only h, m and/or s are accepted.
ValidityPeriod: "1752000h" # 200 Years
BasicConstraints:
  BasicConstraintsValid: true
  IsCA: true
  # In X.509 terms a path length of 2 allows up to two intermediate CA
  # certificates below this root. NOTE(review): if the root is meant to
  # issue the signing certificate directly, a smaller limit would be
  # tighter -- confirm the intended hierarchy.
  MaxPathLen: 2
  # MaxPathLenZero indicates that BasicConstraintsValid==true
  # and MaxPathLen==0 should be interpreted as an actual
  # maximum path length of zero. Otherwise, that combination is
  # interpreted as MaxPathLen not being set.
  # MaxPathLen is non-zero in this profile, so the special case described
  # above does not come into play.
  MaxPathLenZero: false
AddSKI: true
AddAKI: true
# KeyUsages
#  KeyUsageDigitalSignature = 1
#  KeyUsageContentCommitment = 2
#  KeyUsageKeyEncipherment = 4
#  KeyUsageDataEncipherment = 8
#  KeyUsageKeyAgreement = 16
#  KeyUsageCertSign = 32
#  KeyUsageCRLSign = 64
#  KeyUsageEncipherOnly = 128
#  KeyUsageDecipherOnly = 256
# Grants DigitalSignature (1), CertSign (32) and CRLSign (64).
KeyUsage:
  - 1
  - 32
  - 64
# No list entries follow this key, so it parses as YAML null (no extended
# key usages requested).
ExtendedKeyUsage:
  # ExtendedKeyUsages
  #  ExtKeyUsageAny = 0
  #  ExtKeyUsageServerAuth = 1
  #  ExtKeyUsageClientAuth = 2
  #  ExtKeyUsageCodeSigning = 3
  #  ExtKeyUsageEmailProtection = 4
  #  ExtKeyUsageIPSECEndSystem = 5
  #  ExtKeyUsageIPSECTunnel = 6
  #  ExtKeyUsageIPSECUser = 7
  #  ExtKeyUsageTimeStamping = 8
  #  ExtKeyUsageOCSPSigning = 9
  #  ExtKeyUsageMicrosoftServerGatedCrypto = 10
  #  ExtKeyUsageNetscapeServerGatedCrypto = 11
  #  ExtKeyUsageMicrosoftCommercialCodeSigning = 12
  #  ExtKeyUsageMicrosoftKernelCodeSigning = 13
# ExtraExtensions: true
# SANUsage: true
# CRLDistributionPoints. List of URI strings.
#CRLDistributionPoints:

# PolicyIdentifiers. List of ASN1 policy OIDS
# The OIDs below are commented-out examples; presumably they are to be
# replaced with policy OIDs the issuing organization controls.
#PolicyIdentifiers:
#  - 1.10.123.432.4.5
#  - 2.10.123.432.4.65

End-Entity profile

Example of an End-Entity profile. This will create a code signing certificate.

# Config file for the End-Entity profile. Do not use TABS (YAML does not
# allow tab characters for indentation).
---
Name: Generic code signing EndEntity Profile
DN:
  Organization: Test Comp
  # OrganizationalUnit: R&D
  Country: FI
  # Province:
  #- Something
  # Locality:
  # StreetAddress:
  # PostalCode:
  # SerialNumber
  # CommonName: IMG
# EndEntity is 1, Sub CA profile 2, Root profile 3
ProfileType: 1
# SignatureAlgorithms
#  SHA1WithRSA = 3
#  SHA256WithRSA = 4
#  SHA384WithRSA = 5
#  SHA512WithRSA = 6
#  DSAWithSHA1 = 7
#  DSAWithSHA256 = 8
#  ECDSAWithSHA1 = 9
#  ECDSAWithSHA256 = 10
#  ECDSAWithSHA384 = 11
#  ECDSAWithSHA512 = 12
#  SHA256WithRSAPSS = 13
#  SHA384WithRSAPSS = 14
#  SHA512WithRSAPSS = 15
# 4 selects SHA256WithRSA. NOTE(review): the SHA-1 based values (3, 7, 9)
# are collision-weak and should not be chosen for new certificates.
SignatureAlgorithm: 4
# KeyAlgorithms
#   RSAAlgorithm = 1
#   ECDSAAlgorithm = 2
KeyAlgorithm: 1
# Validity of the certificate in duration (max 290 years) or with absolute date in RFC3339 e.g. 9999-12-31T23:59:59Z.
# Example in absolute date "9999-12-31T23:59:59Z".
# Example in duration "1h10m10s". Only h, m and/or s are accepted.
# NOTE(review): a 200-year validity means expiry will never retire this
# code signing certificate; limiting the exposure of a compromised key
# then depends on revocation or re-keying -- confirm how verifiers of the
# signed bundles handle that.
ValidityPeriod: "1752000h" # 200 Years
BasicConstraints:
  BasicConstraintsValid: true
  # Not a CA: certificates from this profile cannot issue further ones.
  IsCA: false
AddSKI: true
AddAKI: true
# KeyUsages
#  KeyUsageDigitalSignature = 1
#  KeyUsageContentCommitment = 2
#  KeyUsageKeyEncipherment = 4
#  KeyUsageDataEncipherment = 8
#  KeyUsageKeyAgreement = 16
#  KeyUsageCertSign = 32
#  KeyUsageCRLSign = 64
#  KeyUsageEncipherOnly = 128
#  KeyUsageDecipherOnly = 256
# Grants DigitalSignature (1) and ContentCommitment (2).
KeyUsage:
  - 1
  - 2
# 3 = ExtKeyUsageCodeSigning (see the legend below); it is the only
# extended key usage requested.
ExtendedKeyUsage:
  - 3
  # ExtendedKeyUsages
  #  ExtKeyUsageAny = 0
  #  ExtKeyUsageServerAuth = 1
  #  ExtKeyUsageClientAuth = 2
  #  ExtKeyUsageCodeSigning = 3
  #  ExtKeyUsageEmailProtection = 4
  #  ExtKeyUsageIPSECEndSystem = 5
  #  ExtKeyUsageIPSECTunnel = 6
  #  ExtKeyUsageIPSECUser = 7
  #  ExtKeyUsageTimeStamping = 8
  #  ExtKeyUsageOCSPSigning = 9
  #  ExtKeyUsageMicrosoftServerGatedCrypto = 10
  #  ExtKeyUsageNetscapeServerGatedCrypto = 11
  #  ExtKeyUsageMicrosoftCommercialCodeSigning = 12
  #  ExtKeyUsageMicrosoftKernelCodeSigning = 13
# NOTE(review): the effect of ExtraExtensions and SANUsage is defined by the
# consuming tool and is not described in this file -- confirm what a
# requester can supply through them before enabling.
ExtraExtensions: true
SANUsage: true
# CRLDistributionPoints. List of URI strings.
#CRLDistributionPoints:

# PolicyIdentifiers. List of ASN1 policy OIDS
#PolicyIdentifiers:
#  - 1.10.123.432.4.5
#  - 2.10.123.432.4.65

# EnforceUniqueDN enables the checking if a certificate has been issued with the same subject DN from the CA
# Values true or false
# Left commented out here, so the profile does not set it either way.
#EnforceUniqueDN: true

Example of Device certificate profiles

In this example, device certificate issuance uses a Root CA and an End-Entity certificate profile; the latter is used for the End-Entity certificates. This example is intended for use with ECDSA keys.

DEVICE CA profile

Example of Device root CA profile.

# Config file for the SubCA profile. Do not use TABS (YAML does not allow
# tab characters for indentation).
# NOTE(review): this header and the Name below say "SubCA", but ProfileType
# is 3, which the legend below lists as the Root profile (Sub CA is 2) --
# confirm which one is intended.
---
Name: Initial Device Certificate Product Family SubCA Profile
# Distinguished name of the CA
DN:
  # Organization:
  Organization: Laavat
  # OrganizationalUnit: R&D
  # Country: FI
  Country: FI
  # Province:
  # Locality:
  # StreetAddress:
  # PostalCode:
  # SerialNumber
  # CommonName: i.MX6
# EndEntity is 1, Sub CA profile 2, Root profile 3
ProfileType: 3
# SignatureAlgorithms
#  SHA1WithRSA = 3
#  SHA256WithRSA = 4
#  SHA384WithRSA = 5
#  SHA512WithRSA = 6
#  DSAWithSHA1 = 7
#  DSAWithSHA256 = 8
#  ECDSAWithSHA1 = 9
#  ECDSAWithSHA256 = 10
#  ECDSAWithSHA384 = 11
#  ECDSAWithSHA512 = 12
#  SHA256WithRSAPSS = 13
#  SHA384WithRSAPSS = 14
#  SHA512WithRSAPSS = 15
# 10 selects ECDSAWithSHA256, matching KeyAlgorithm 2 (ECDSA) below.
# NOTE(review): the SHA-1 based values (3, 7, 9) are collision-weak and
# should not be chosen for new certificates.
SignatureAlgorithm: 10
# KeyAlgorithms
#   RSAAlgorithm = 1
#   ECDSAAlgorithm = 2
# 2 selects ECDSA. The curve is not set in this profile; presumably it is
# chosen where the key is generated -- confirm.
KeyAlgorithm: 2
# Validity of the certificate in duration (max 290 years) or with absolute date in RFC3339 e.g. 9999-12-31T23:59:59Z.
# Example in absolute date "9999-12-31T23:59:59Z".
# Example in duration "1h10m10s". Only h, m and/or s are accepted.
# 9999-12-31T23:59:59Z is the value RFC 5280 assigns to certificates with
# no well-defined expiration date, so expiry never retires this CA.
ValidityPeriod: "9999-12-31T23:59:59Z"
BasicConstraints:
  BasicConstraintsValid: true
  IsCA: true
  MaxPathLen: 0
  # MaxPathLenZero indicates that BasicConstraintsValid==true
  # and MaxPathLen==0 should be interpreted as an actual
  # maximum path length of zero. Otherwise, that combination is
  # interpreted as MaxPathLen not being set.
  # With true here, MaxPathLen: 0 is a real limit of zero; in X.509 terms
  # this CA may issue End-Entity certificates but no further CAs.
  MaxPathLenZero: true
AddSKI: true
AddAKI: true
# KeyUsages
#  KeyUsageDigitalSignature = 1
#  KeyUsageContentCommitment = 2
#  KeyUsageKeyEncipherment = 4
#  KeyUsageDataEncipherment = 8
#  KeyUsageKeyAgreement = 16
#  KeyUsageCertSign = 32
#  KeyUsageCRLSign = 64
#  KeyUsageEncipherOnly = 128
#  KeyUsageDecipherOnly = 256
# Grants DigitalSignature (1), CertSign (32) and CRLSign (64).
KeyUsage:
  - 1
  - 32
  - 64
# No list entries follow this key, so it parses as YAML null (no extended
# key usages requested).
ExtendedKeyUsage:
  # ExtendedKeyUsages
  #  ExtKeyUsageAny = 0
  #  ExtKeyUsageServerAuth = 1
  #  ExtKeyUsageClientAuth = 2
  #  ExtKeyUsageCodeSigning = 3
  #  ExtKeyUsageEmailProtection = 4
  #  ExtKeyUsageIPSECEndSystem = 5
  #  ExtKeyUsageIPSECTunnel = 6
  #  ExtKeyUsageIPSECUser = 7
  #  ExtKeyUsageTimeStamping = 8
  #  ExtKeyUsageOCSPSigning = 9
  #  ExtKeyUsageMicrosoftServerGatedCrypto = 10
  #  ExtKeyUsageNetscapeServerGatedCrypto = 11
  #  ExtKeyUsageMicrosoftCommercialCodeSigning = 12
  #  ExtKeyUsageMicrosoftKernelCodeSigning = 13
# ExtraExtensions: true
# SANUsage: true
# CRLDistributionPoints. List of URI strings.
#CRLDistributionPoints:
#  - http://crl.laavat.com/products-0/root.crl

# PolicyIdentifiers. List of ASN1 policy OIDS
# The OIDs below are commented-out examples; presumably they are to be
# replaced with policy OIDs the issuing organization controls.
#PolicyIdentifiers:
#  - 1.10.123.432.4.5
#  - 2.10.123.432.4.65

# EnforceUniqueDN enables the checking if a certificate has been issued with the same subject DN from the CA
# Values true or false
# Left commented out here, so the profile does not set it either way.
#EnforceUniqueDN: true

End-Entity profile

Example of End-Entity profile.

# Config file for the End-Entity profile. Do not use TABS (YAML does not
# allow tab characters for indentation).
---
Name: Initial Device Certificate EndEntity Profile
DN:
  #Organization: Test Comp
  Organization: Laavat
  #OrganizationalUnit: R&D
  #Country: FI
  Country: FI
  #Province:
  #- Something
  # Locality:
  # StreetAddress:
  # PostalCode:
  # SerialNumber
  # CommonName:
# EndEntity is 1, Sub CA profile 2, Root profile 3
ProfileType: 1
# SignatureAlgorithms
#  SHA1WithRSA = 3
#  SHA256WithRSA = 4
#  SHA384WithRSA = 5
#  SHA512WithRSA = 6
#  DSAWithSHA1 = 7
#  DSAWithSHA256 = 8
#  ECDSAWithSHA1 = 9
#  ECDSAWithSHA256 = 10
#  ECDSAWithSHA384 = 11
#  ECDSAWithSHA512 = 12
#  SHA256WithRSAPSS = 13
#  SHA384WithRSAPSS = 14
#  SHA512WithRSAPSS = 15
# 10 selects ECDSAWithSHA256, matching KeyAlgorithm 2 (ECDSA) below.
# NOTE(review): the SHA-1 based values (3, 7, 9) are collision-weak and
# should not be chosen for new certificates.
SignatureAlgorithm: 10
# KeyAlgorithms
#   RSAAlgorithm = 1
#   ECDSAAlgorithm = 2
KeyAlgorithm: 2
# Validity of the certificate in duration (max 290 years) or with absolute date in RFC3339 e.g. 9999-12-31T23:59:59Z.
# Example in absolute date "9999-12-31T23:59:59Z".
# Example in duration "1h10m10s". Only h, m and/or s are accepted.
# 9999-12-31T23:59:59Z is the value RFC 5280 assigns to certificates with
# no well-defined expiration date. NOTE(review): a device certificate that
# never expires can only be retired through revocation, so relying
# parties need to check the CRL configured further down.
ValidityPeriod: "9999-12-31T23:59:59Z"
BasicConstraints:
  BasicConstraintsValid: true
  # Not a CA: certificates from this profile cannot issue further ones.
  IsCA: false
AddSKI: true
AddAKI: true
# KeyUsages
#  KeyUsageDigitalSignature = 1
#  KeyUsageContentCommitment = 2
#  KeyUsageKeyEncipherment = 4
#  KeyUsageDataEncipherment = 8
#  KeyUsageKeyAgreement = 16
#  KeyUsageCertSign = 32
#  KeyUsageCRLSign = 64
#  KeyUsageEncipherOnly = 128
#  KeyUsageDecipherOnly = 256
# Grants DigitalSignature (1) and KeyAgreement (16).
KeyUsage:
  - 1
  - 16
# The list entries for this key come after the legend: 1 and 2, i.e.
# ExtKeyUsageServerAuth and ExtKeyUsageClientAuth.
ExtendedKeyUsage:
  # ExtendedKeyUsages
  #  ExtKeyUsageAny = 0
  #  ExtKeyUsageServerAuth = 1
  #  ExtKeyUsageClientAuth = 2
  #  ExtKeyUsageCodeSigning = 3
  #  ExtKeyUsageEmailProtection = 4
  #  ExtKeyUsageIPSECEndSystem = 5
  #  ExtKeyUsageIPSECTunnel = 6
  #  ExtKeyUsageIPSECUser = 7
  #  ExtKeyUsageTimeStamping = 8
  #  ExtKeyUsageOCSPSigning = 9
  #  ExtKeyUsageMicrosoftServerGatedCrypto = 10
  #  ExtKeyUsageNetscapeServerGatedCrypto = 11
  #  ExtKeyUsageMicrosoftCommercialCodeSigning = 12
  #  ExtKeyUsageMicrosoftKernelCodeSigning = 13
  - 1
  - 2
# NOTE(review): the effect of ExtraExtensions and SANUsage is defined by the
# consuming tool and is not described in this file -- confirm what a
# requester can supply through them before enabling.
ExtraExtensions: true
SANUsage: true
# CRLDistributionPoints. List of URI strings.
# The CRL is published over plain HTTP; its integrity rests on the
# issuer's signature on the CRL, which relying parties must verify.
CRLDistributionPoints:
  - http://crl.laavat.com/e37f045c.crl
# PolicyIdentifiers. List of ASN1 policy OIDS
# NOTE(review): these look like placeholder OIDs; presumably they are to be
# replaced with policy OIDs the issuing organization controls -- confirm.
PolicyIdentifiers:
  - 1.10.123.432.4.5
  - 2.10.123.432.4.65
# EnforceUniqueDN enables the checking if a certificate has been issued with the same subject DN from the CA
# Values true or false
# Left commented out here, so the profile does not set it either way.
# EnforceUniqueDN: true

Example of Digest signing with detached signature profile

This example is an End-Entity certificate profile, which is used for the End-Entity certificates.

# Config file for the End-Entity profile. Do not use TABS (YAML does not
# allow tab characters for indentation).
---
Name: USB detached signature entity profile
# Every DN field below is commented out, so DN itself parses as YAML null.
DN:
  # Organization: Test Comp
  # OrganizationalUnit: R&D
  # Country: FI
  # Province:
  #- Something
  # Locality:
  # StreetAddress:
  # PostalCode:
  # SerialNumber
  # CommonName: IMG
# EndEntity is 1, Sub CA profile 2, Root profile 3
ProfileType: 1
# SignatureAlgorithms
#  SHA1WithRSA = 3
#  SHA256WithRSA = 4
#  SHA384WithRSA = 5
#  SHA512WithRSA = 6
#  DSAWithSHA1 = 7
#  DSAWithSHA256 = 8
#  ECDSAWithSHA1 = 9
#  ECDSAWithSHA256 = 10
#  ECDSAWithSHA384 = 11
#  ECDSAWithSHA512 = 12
#  SHA256WithRSAPSS = 13
#  SHA384WithRSAPSS = 14
#  SHA512WithRSAPSS = 15
# 4 selects SHA256WithRSA. NOTE(review): the SHA-1 based values (3, 7, 9)
# are collision-weak and should not be chosen for new certificates.
SignatureAlgorithm: 4
# KeyAlgorithms
#   RSAAlgorithm = 1
#   ECDSAAlgorithm = 2
KeyAlgorithm: 1
# Validity of the certificate in duration (max 290 years) or with absolute date in RFC3339 e.g. 9999-12-31T23:59:59Z.
# Example in absolute date "9999-12-31T23:59:59Z".
# Example in duration "1h10m10s". Only h, m and/or s are accepted.
ValidityPeriod: "876000h" # 100 Years
BasicConstraints:
  BasicConstraintsValid: true
  IsCA: false
AddSKI: true
AddAKI: true
# KeyUsages
#  KeyUsageDigitalSignature = 1
#  KeyUsageContentCommitment = 2
#  KeyUsageKeyEncipherment = 4
#  KeyUsageDataEncipherment = 8
#  KeyUsageKeyAgreement = 16
#  KeyUsageCertSign = 32
#  KeyUsageCRLSign = 64
#  KeyUsageEncipherOnly = 128
#  KeyUsageDecipherOnly = 256
# NOTE(review): KeyUsage has no value, so it parses as YAML null rather
# than an empty list. For a signing profile one would expect at least
# DigitalSignature (1); if "no key usages" is really intended, writing []
# would state it explicitly -- confirm how the consumer treats null.
KeyUsage:
# No list entries follow this key either, so it also parses as YAML null.
ExtendedKeyUsage:
  # ExtendedKeyUsages
  #  ExtKeyUsageAny = 0
  #  ExtKeyUsageServerAuth = 1
  #  ExtKeyUsageClientAuth = 2
  #  ExtKeyUsageCodeSigning = 3
  #  ExtKeyUsageEmailProtection = 4
  #  ExtKeyUsageIPSECEndSystem = 5
  #  ExtKeyUsageIPSECTunnel = 6
  #  ExtKeyUsageIPSECUser = 7
  #  ExtKeyUsageTimeStamping = 8
  #  ExtKeyUsageOCSPSigning = 9
  #  ExtKeyUsageMicrosoftServerGatedCrypto = 10
  #  ExtKeyUsageNetscapeServerGatedCrypto = 11
  #  ExtKeyUsageMicrosoftCommercialCodeSigning = 12
  #  ExtKeyUsageMicrosoftKernelCodeSigning = 13
# NOTE(review): the effect of ExtraExtensions and SANUsage is defined by the
# consuming tool and is not described in this file -- confirm.
ExtraExtensions: true
SANUsage: true
# CRLDistributionPoints. List of URI strings.
#CRLDistributionPoints:

# PolicyIdentifiers. List of ASN1 policy OIDS
#PolicyIdentifiers:
#  - 1.10.123.432.4.5
#  - 2.10.123.432.4.65

# EnforceUniqueDN enables the checking if a certificate has been issued with the same subject DN from the CA
# Values true or false
# Left commented out here, so the profile does not set it either way.
#EnforceUniqueDN: true