okd/roles/etcd/templates/openssl_append.j2

[ {{ etcd_req_ext }} ]
basicConstraints = critical,CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
subjectAltName   = ${ENV::SAN}

[ {{ etcd_ca_name }} ]
dir             = {{ etcd_ca_dir }}
crl_dir         = {{ etcd_ca_crl_dir }}
database        = {{ etcd_ca_db }}
new_certs_dir   = {{ etcd_ca_new_certs_dir }}
certificate     = {{ etcd_ca_cert }}
serial          = {{ etcd_ca_serial }}
private_key     = {{ etcd_ca_key }}
crl_number      = {{ etcd_ca_crl_number }}
x509_extensions = {{ etcd_ca_exts_client }}
default_days    = {{ etcd_ca_default_days }}
default_md      = sha256
preserve        = no
name_opt        = ca_default
cert_opt        = ca_default
policy          = policy_anything
unique_subject  = no
copy_extensions = copy

[ {{ etcd_ca_exts_self }} ]
authorityKeyIdentifier = keyid,issuer
basicConstraints       = critical,CA:TRUE,pathlen:0
keyUsage               = critical,digitalSignature,keyEncipherment,keyCertSign
subjectKeyIdentifier   = hash

[ {{ etcd_ca_exts_peer }} ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints       = critical,CA:FALSE
extendedKeyUsage       = clientAuth,serverAuth
keyUsage               = digitalSignature,keyEncipherment
subjectKeyIdentifier   = hash

[ {{ etcd_ca_exts_server }} ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints       = critical,CA:FALSE
extendedKeyUsage       = serverAuth
keyUsage               = digitalSignature,keyEncipherment
subjectKeyIdentifier   = hash

[ {{ etcd_ca_exts_client }} ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints       = critical,CA:FALSE
extendedKeyUsage       = clientAuth
keyUsage               = digitalSignature,keyEncipherment
subjectKeyIdentifier   = hash