WIP: re-org

.gitignore

@@ -1,5 +1,5 @@
 #
-pki-lifecycle*
+pki-lifecycle_*
 
 # Project specific files
 sftp-config.json

src/pki_bootstrap/libs/pki_funcs.sh

@@ -78,9 +78,11 @@ ca-i_gen_pki() {
   CDD=`pwd`
   SERIAL=$1
   LOOP_NUM=$2
+  ORG_URL=$3
+
   UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
-  mkdir -p "distrobution/${UNIQ_DIR_CA}"
-  cd "distrobution/${UNIQ_DIR_CA}"
+  mkdir -p "distribution/${UNIQ_DIR_CA}"
+  cd "distribution/${UNIQ_DIR_CA}"
 
   # geneate certificates, organize the files
   ca-i_gen_pki_certs $SERIAL $LOOP_NUM
@@ -130,10 +132,10 @@ ca-i_gen_pki_certs() {
 # IN: UNIQ_ID_CA, SERIAL
 #
 ca-i_gen_cert() {
+  UNIQ_ID_CA=$1
+  SERIAL=$2
+
   echo_block "Create CA Intermediate  (${UNIQ_ID_CA})"
-  # params
-  UNIQ_ID_CA=$3
-  SERIAL=$4
 
   openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
 
@@ -213,16 +215,16 @@ ca-i_cp_docs() {
   cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
 
   # client
-  cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
-  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
-  cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README
-  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
+  cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/
+  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/
+  cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/README
+  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/
 
   # server
-  cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
-  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
-  cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README
-  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
+  cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/
+  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/
+  cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/README
+  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/
 }
 
 #
@@ -230,12 +232,12 @@ ca-i_cp_docs() {
 # IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
 #
 gen_server() {
-  echo_block "Generate Server Certificates  (${UNIQ_ID})"
-  # params
   UNIQ_ID=$1
   UNIQ_ID_CA=$2
   SERIAL=$3
 
+  echo_block "Generate Server Certificates  (${UNIQ_ID})"
+
   openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
 
   openssl req -new -config $CNF_PATH/${UNIQ_ID}.cnf -key "server_${UNIQ_ID}.keys.pem" \
@@ -261,12 +263,12 @@ gen_server() {
 # IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
 #
 gen_client() {
-  echo_block "Generate Client Certificates  (${UNIQ_ID})"
-  # params
   UNIQ_ID=$1
   UNIQ_ID_CA=$2
   SERIAL=$3
 
+  echo_block "Generate Client Certificates  (${UNIQ_ID})"
+
   openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
 
   openssl req -new -key "client_${UNIQ_ID}.keys.pem" \

src/pki_bootstrap/pki_bootstrap.sh

@@ -97,7 +97,7 @@ main() {
 
   app_init
   one-time-ca
-  ca-i_gen_pki 1001 2
+  ca-i_gen_pki ${ORG_URL} 1001 2
 #  gen_pki 50001 5
 #  gen_pki 80001 10
   

src/sandbox/pki-lifecycle_1976-12-05.11_53_11/cfg/ca.cnf

@@ -0,0 +1,113 @@
+# Root CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = US
+stateOrProvinceName_default     = State51
+localityName_default            =
+0.organizationName_default      = ACME R&D
+organizationalUnitName_default  =
+emailAddress_default            =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+
+[ v3_ca_i ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "ACME Generated"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "ACME Generated"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+#subjectAltName = "192.168.123.129"
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning

src/sandbox/pki-lifecycle_1976-12-05.11_53_11/distribution/ca_i_10001.skunkworks.acme.xyz/clients/cfg/ca-i.keys.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKgIBAAKCAgEA8dHeXccOqDHXVOtyXd3yBzcQrb8z5hyc1/pDjRxTIto66xhD
+JjnJdIersrdov/SM/RuYJf12xvOhNKaCHfBWqH60NvouLPVDR/j0LpJklHAsoch7
+z9fom8dLh04t0nhWdQFpn7AL7cDvSdQEEoHwvfK9MuyfQFOEah7yzFGmkbjB7C/N
+lmykXZ6NFfYvkn8X0vVDO0FQi/gKusmwDFE0NF7wiSGI/LlAgFpg5EDQIPynRIKc
+BPGOcUiG7Vw15IFSrfHRRxeCBXM+u20gDG6NFUN43ELQ45Gd4fhUqED52/c/a7Y0
+3scKYaZh1nGFzOOLQ/044jBkv6smiNRRUKl5ozpEL7xGb5jOzp1bsoXLLvZdwlsX
+EgtexpoqwQ4bRszk4FUK9J9vHlkIk8Dh2EogpdNAHRL0XA2ZjMUo4vDxsVSBGRN3
+SD9R9NjLgWQBu6dMS9QKaqb53Rox8B5DcSkd/yE2SFtYEk7gSATikCijIulSY28X
+MfDpsTy1Zz/xGAWx03BsoB80RZbkFo+YfsDvJCoT3gOlUXazcFKHwBgN0GIdJnLi
+Pv2o9q3T6K1csXV8lN+W7Ls7hXI7oXHrbECGIF7LqrSi0B0Vqb9lzCILPAru80Le
+ohoKXFsLeL/mFYDLYGgsqE2WF4NpiJLW4b1eFtq/4lwxOVvQeCkoFaizuJECAwEA
+AQKCAgEAnLXb/Dvu1LMQD/lRMWGO4nwd8+sQEBUE07ZcporvmYuBWS9s/M3ALyNo
+8rWHTbaG09RZIm2C1uW116/8bLh/AEy0L1isKfh7tJ2yaKf4RHX5hpKtIgGSvblG
+yhWw/k97//F9aL4mzNoWeGrMhM3unLo9QE412fMFwdvyjtRvNMpd6dkEy3H2hrEk
+T1IufCqe3tiQzErEjyCcm3Xu/9x0D2hjSwsPgm/vS/7GAcW621XAdFaME2wTWnic
+8B+s0Tu5v/4RGJg0a6HGyqGqfkP6bAhAv8URKBkLDxDmk+8fvRwa3ovC8YhdwvCX
+QOhqxF/FtbbZcUPZVpjsrQmi9LoPl6S0BXcQL5sIRpoJYIG+vviVEcoqnDAG3UQy
++B30RC4aty2QgacPqoWXKxNqfFe4QDMukMLAG+s3zM6JBk3druKWJoC6NeuJVJYM
+qYp2rHlV/dv740u/00RINEzDJbKOMbUPK/8M8dnGJeENmj8J5VAs6yvh1uxG5nk0
+ULY1Nce/AWUt5iw+eEKXDl3I4gQRpEnyEA3YiBYsnTn0J7XXUhzRGG0+/w3IS4du
+OaUAFvWYgkiVz69SikWQWUfOfb7I3WKcvtGV3D+nWr6NdYeYGH3yOe4JPckdMI/U
+4stdqSnj69Mgc4wQMKmVR1iQw9wrNpbahCEJcUixLQ/fMpYNJ70CggEBAP29iEg4
+UMZkNAVo2xH/s+4QvVSWKN3zhz8W0AWOgyEsUy+cLHV9FhkizQVwIVJYj5YY11uL
+bz1QlmJOkVZp8NttLEzgn8EB9vsOThX5TGRZfvXh0KlbcNL21kyhoeB3ttPzw/Vu
+WoSvzZkwwgdlWfMDRFIH6VABE7+IXzghc9mP2Txua1Ee23HTF3rB3f2Wrosw1hNe
+OHWq8RZn2qOkNLRc78HeBx+Wg0dd4hO4pnFlV+36zNgyw1AC93Xs57gCwVOrkvab
+IW6+aI0tsox5EYIRmLS+6ymopwLE1boUNnGlOBZ311lih2gd9WmLtryROIVhkoo9
+MWRvjQxL57RBKRcCggEBAPP5KQRaXbT/B99xTeaaEVRn1yQ91Ua9oawZnJSfufts
+z/R1xcwu/Htql2TDaKfQuAxfhEBXMZfTZi9RRncYBmRZOu5Oblov8q6+/jsM9KpN
+NraeaPz3lXC7/5xjIB9OfPzmaI+khve0QCZ21DU3Uj3D72ZftKe+vJQz6M9pMhA4
+UitdnBNkQlmVVWRlTzvEkbAWbcCF8Tkut0Ov3lqsn6yZKkQ1fg3+6c8UCjvElJrW
+24fOW3gjfk3SUlRWMtCZn9HU8xYSWi6zrh3BCpx8pyly42MY+IL2R5foNDiZlomL
+vK7qhkSwqxTpjDfo9QB6+O1RkD2AQyUYcYp6KtM05JcCggEAJPCj14fDUq6h2CvE
+wOEOC9mKBrd5qZ5bkTa8ACMYOgse7S56VnxobC5h1KnXYAqelMZ3C8/H2RBTZGp1
+xDPWKcvCCEsnVsz3bONPQOmzUmSpFBjU7OLwEPZ4il15mJk1F7REUgXHzcteTjAH
+/1Wk+7j9CEg4kjol6ttqqVxNZl4HzUFyBDRO1Epb/7YboGCAdqkccWNlKtRBFvb1
+oJ82QQ/Ko9m0Bcg+wnQLhr16FcYgP/gkPFFfl9Vmu1dLAMH97TVsRtSc0GeOBweh
+F8xEXUA8kAu/Zqgz8DZBuz5YEsFv4e1+f3fVqLW71arOZrNpnBlxYQi5mRqYWTLv
+v5FA7wKCAQEA72EmlKXR0dh1shBrHftHS6kDWATvcZR4v/L1RoKeKgqu1C6GX/wu
+MS35051D33yUSVei3Lpw54Y9eenmGM5S3z0J7G66KfVnyXuO2QOyQDK4n2A4pRSL
+5WwgtiIwj2ckjcPJDj+hSgPq+ZKYToq0P/QyviDjkb89KrDwGioeO/n27aPQktpJ
+m7pBadtZbcxGIh8vmroRYEjs+hXiNtevZ9t0tC5EO5lFcbA5BkGwiWiNR+f6qZsx
+v0vBCgz1mOVTAcBOrvZc0/vquDkDn11TawDWCRKkK2NYBb2JF4vjP5wDCyEDkvxB
+MKiisuz5D3qZKclgnGdv+kLMjNGnmUoJiwKCAQEAqi/xTluBlmWtzi9fcic7WTeG
+FgXDaX5/llyr04bpT9NwMLCM3nMV/XHO7p7kVlC6+mIrLh0IwSN9UQ/evKdGHEQf
+EQ7CrE68xnD64Z8EUWAjarw+N+8plEfbgYjzayEVcLs6wMlkzoKWnKy3YHmTENQI
+KvDwk6LWW1R6kIJVE5IKzhCv7y8H9xVITy+4oIqGo75cB+I2Jo8+mEA/VAdQTtmd
+/NPDLnifmebU79Wjyf7FRPPlfk00wu6OChlaqLrlfJI6AvB/TccA9qM8oGXVTz2B
+/qYayhhOULBjcIKpiadQkM+CH3nJqEor7ZV8e5oo99wQSXSyeugchT1MjEqsQg==
+-----END RSA PRIVATE KEY-----

src/sandbox/pki-lifecycle_1976-12-05.11_53_11/distribution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/SERIAL

@@ -0,0 +1 @@
+10028

src/sandbox/pki-lifecycle_1976-12-05.11_53_11/distribution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/ca-i.keys.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKgIBAAKCAgEA8dHeXccOqDHXVOtyXd3yBzcQrb8z5hyc1/pDjRxTIto66xhD
+JjnJdIersrdov/SM/RuYJf12xvOhNKaCHfBWqH60NvouLPVDR/j0LpJklHAsoch7
+z9fom8dLh04t0nhWdQFpn7AL7cDvSdQEEoHwvfK9MuyfQFOEah7yzFGmkbjB7C/N
+lmykXZ6NFfYvkn8X0vVDO0FQi/gKusmwDFE0NF7wiSGI/LlAgFpg5EDQIPynRIKc
+BPGOcUiG7Vw15IFSrfHRRxeCBXM+u20gDG6NFUN43ELQ45Gd4fhUqED52/c/a7Y0
+3scKYaZh1nGFzOOLQ/044jBkv6smiNRRUKl5ozpEL7xGb5jOzp1bsoXLLvZdwlsX
+EgtexpoqwQ4bRszk4FUK9J9vHlkIk8Dh2EogpdNAHRL0XA2ZjMUo4vDxsVSBGRN3
+SD9R9NjLgWQBu6dMS9QKaqb53Rox8B5DcSkd/yE2SFtYEk7gSATikCijIulSY28X
+MfDpsTy1Zz/xGAWx03BsoB80RZbkFo+YfsDvJCoT3gOlUXazcFKHwBgN0GIdJnLi
+Pv2o9q3T6K1csXV8lN+W7Ls7hXI7oXHrbECGIF7LqrSi0B0Vqb9lzCILPAru80Le
+ohoKXFsLeL/mFYDLYGgsqE2WF4NpiJLW4b1eFtq/4lwxOVvQeCkoFaizuJECAwEA
+AQKCAgEAnLXb/Dvu1LMQD/lRMWGO4nwd8+sQEBUE07ZcporvmYuBWS9s/M3ALyNo
+8rWHTbaG09RZIm2C1uW116/8bLh/AEy0L1isKfh7tJ2yaKf4RHX5hpKtIgGSvblG
+yhWw/k97//F9aL4mzNoWeGrMhM3unLo9QE412fMFwdvyjtRvNMpd6dkEy3H2hrEk
+T1IufCqe3tiQzErEjyCcm3Xu/9x0D2hjSwsPgm/vS/7GAcW621XAdFaME2wTWnic
+8B+s0Tu5v/4RGJg0a6HGyqGqfkP6bAhAv8URKBkLDxDmk+8fvRwa3ovC8YhdwvCX
+QOhqxF/FtbbZcUPZVpjsrQmi9LoPl6S0BXcQL5sIRpoJYIG+vviVEcoqnDAG3UQy
++B30RC4aty2QgacPqoWXKxNqfFe4QDMukMLAG+s3zM6JBk3druKWJoC6NeuJVJYM
+qYp2rHlV/dv740u/00RINEzDJbKOMbUPK/8M8dnGJeENmj8J5VAs6yvh1uxG5nk0
+ULY1Nce/AWUt5iw+eEKXDl3I4gQRpEnyEA3YiBYsnTn0J7XXUhzRGG0+/w3IS4du
+OaUAFvWYgkiVz69SikWQWUfOfb7I3WKcvtGV3D+nWr6NdYeYGH3yOe4JPckdMI/U
+4stdqSnj69Mgc4wQMKmVR1iQw9wrNpbahCEJcUixLQ/fMpYNJ70CggEBAP29iEg4
+UMZkNAVo2xH/s+4QvVSWKN3zhz8W0AWOgyEsUy+cLHV9FhkizQVwIVJYj5YY11uL
+bz1QlmJOkVZp8NttLEzgn8EB9vsOThX5TGRZfvXh0KlbcNL21kyhoeB3ttPzw/Vu
+WoSvzZkwwgdlWfMDRFIH6VABE7+IXzghc9mP2Txua1Ee23HTF3rB3f2Wrosw1hNe
+OHWq8RZn2qOkNLRc78HeBx+Wg0dd4hO4pnFlV+36zNgyw1AC93Xs57gCwVOrkvab
+IW6+aI0tsox5EYIRmLS+6ymopwLE1boUNnGlOBZ311lih2gd9WmLtryROIVhkoo9
+MWRvjQxL57RBKRcCggEBAPP5KQRaXbT/B99xTeaaEVRn1yQ91Ua9oawZnJSfufts
+z/R1xcwu/Htql2TDaKfQuAxfhEBXMZfTZi9RRncYBmRZOu5Oblov8q6+/jsM9KpN
+NraeaPz3lXC7/5xjIB9OfPzmaI+khve0QCZ21DU3Uj3D72ZftKe+vJQz6M9pMhA4
+UitdnBNkQlmVVWRlTzvEkbAWbcCF8Tkut0Ov3lqsn6yZKkQ1fg3+6c8UCjvElJrW
+24fOW3gjfk3SUlRWMtCZn9HU8xYSWi6zrh3BCpx8pyly42MY+IL2R5foNDiZlomL
+vK7qhkSwqxTpjDfo9QB6+O1RkD2AQyUYcYp6KtM05JcCggEAJPCj14fDUq6h2CvE
+wOEOC9mKBrd5qZ5bkTa8ACMYOgse7S56VnxobC5h1KnXYAqelMZ3C8/H2RBTZGp1
+xDPWKcvCCEsnVsz3bONPQOmzUmSpFBjU7OLwEPZ4il15mJk1F7REUgXHzcteTjAH
+/1Wk+7j9CEg4kjol6ttqqVxNZl4HzUFyBDRO1Epb/7YboGCAdqkccWNlKtRBFvb1
+oJ82QQ/Ko9m0Bcg+wnQLhr16FcYgP/gkPFFfl9Vmu1dLAMH97TVsRtSc0GeOBweh
+F8xEXUA8kAu/Zqgz8DZBuz5YEsFv4e1+f3fVqLW71arOZrNpnBlxYQi5mRqYWTLv
+v5FA7wKCAQEA72EmlKXR0dh1shBrHftHS6kDWATvcZR4v/L1RoKeKgqu1C6GX/wu
+MS35051D33yUSVei3Lpw54Y9eenmGM5S3z0J7G66KfVnyXuO2QOyQDK4n2A4pRSL
+5WwgtiIwj2ckjcPJDj+hSgPq+ZKYToq0P/QyviDjkb89KrDwGioeO/n27aPQktpJ
+m7pBadtZbcxGIh8vmroRYEjs+hXiNtevZ9t0tC5EO5lFcbA5BkGwiWiNR+f6qZsx
+v0vBCgz1mOVTAcBOrvZc0/vquDkDn11TawDWCRKkK2NYBb2JF4vjP5wDCyEDkvxB
+MKiisuz5D3qZKclgnGdv+kLMjNGnmUoJiwKCAQEAqi/xTluBlmWtzi9fcic7WTeG
+FgXDaX5/llyr04bpT9NwMLCM3nMV/XHO7p7kVlC6+mIrLh0IwSN9UQ/evKdGHEQf
+EQ7CrE68xnD64Z8EUWAjarw+N+8plEfbgYjzayEVcLs6wMlkzoKWnKy3YHmTENQI
+KvDwk6LWW1R6kIJVE5IKzhCv7y8H9xVITy+4oIqGo75cB+I2Jo8+mEA/VAdQTtmd
+/NPDLnifmebU79Wjyf7FRPPlfk00wu6OChlaqLrlfJI6AvB/TccA9qM8oGXVTz2B
+/qYayhhOULBjcIKpiadQkM+CH3nJqEor7ZV8e5oo99wQSXSyeugchT1MjEqsQg==
+-----END RSA PRIVATE KEY-----

src/sandbox/pki-lifecycle_1976-12-05.11_53_11/distribution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/skunkworks.acme.xyz.cnf

@@ -0,0 +1,55 @@
+#
+#
+#  IMPORTANT INFO
+#
+#
+[ v3_server ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "ACME Corp"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+#subjectAltName = IP:192.168.123.129
+
+[ alt_names ]
+DNS.1 = "skunkworks.acme.xyz"
+
+#
+#
+# FORCED TO INCLUDE THIS JUNK
+#
+#
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+#x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = US
+stateOrProvinceName_default     = State51
+localityName_default            =
+0.organizationName_default      = ACME R&D
+organizationalUnitName_default  =
+emailAddress_default            =
+