Initial commit.

pki/tls/cert.pem

@@ -0,0 +1 @@
+/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

pki/tls/certs/ca-bundle.crt

@@ -0,0 +1 @@
+/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

pki/tls/certs/ca-bundle.trust.crt

@@ -0,0 +1 @@
+/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

pki/tls/certs/localhost.crt

@@ -0,0 +1,62 @@
+-----BEGIN CERTIFICATE-----
+MIIEwjCCAqqgAwIBAgIIGAnchZHei3IwDQYJKoZIhvcNAQELBQAwezELMAkGA1UE
+BhMCVVMxFDASBgNVBAoMC1Vuc3BlY2lmaWVkMR8wHQYDVQQLDBZjYS03OTQxNzg5
+MjgyOTQ4NTMxMjE1MRQwEgYDVQQDDAt6aXJhLjg5OC5ybzEfMB0GCSqGSIb3DQEJ
+ARYQcm9vdEB6aXJhLjg5OC5ybzAeFw0yMDA5MjIwODI4MDFaFw0yMTA5MjcxMDA4
+MDFaMFoxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtVbnNwZWNpZmllZDEUMBIGA1UE
+AwwLemlyYS44OTgucm8xHzAdBgkqhkiG9w0BCQEWEHJvb3RAemlyYS44OTgucm8w
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1WL8kPaksrTnDCcj4Ja3B
++NGtnuoIuFDViht/DTBfBYmB2E+yXyBX+z/U3cXVoPL2BF8GRvgCxtlahYXj1B54
+fkCRpsPjzurnZnh37AHRUtoCBIarUfsxeNdNucDUVlDAFedMCQ4Xsy14ugAd/zVd
+fpHdEegfyTb1tVDu7cv6QqGUDUFbHoPnxOCc2UHSHpsMJ4P5jIXz9J82Umf/SIU+
+5c+/AP5u9Zvcq2AGxhO//wAm3MMZ9O2S2CU24jAYpYsvciYQS1ItPI1IYzewlySv
+Q7rSUjTlt19Om9vXOfhNqGcQrICWRW8Ij4YVjBekZmoLTygXJh7JkGLbZVxQU4Rn
+AgMBAAGjazBpMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAJ
+BgNVHRMEAjAAMBYGA1UdEQQPMA2CC3ppcmEuODk4LnJvMB8GA1UdIwQYMBaAFI4O
+45SEa0LcJWPzqxxyvb36qo7hMA0GCSqGSIb3DQEBCwUAA4ICAQAauwjYexszL4+2
+b5hSVLMU4+eKYjsryyhs0jaXas9+ijTK426wbkBXEhdfFRz0F0U4CmubAKX8wnxY
+/GcneW82fZ7wZRc4gHHuiOaMq89MmHdtvHESMSb2Zr+BsybMelai5ZUHZdj452Zx
+2r4eTdVxDxjbsWH3qain8zYxBsFh7Z4LUnexOIk+GQYepsDOtQY3TubeDf75RUlR
+Hrxoh1EIY7tk6781q6fMaTqiQjC2zwpVgVSCrtS2iQUXsJZHCY0HCpjOiXT8DPHa
+hkC+ySY+cO2eKi01i3YM2M3KsLZj7VSLINbnhk+nrHIynMGhTbXoKJYXKq2D8j7l
+HpeQVbRr2VaFFiJdR6oPOJ5g5u9S5pHP0AoOdSQaw7G84Tj7qN+lhShowYo3APeN
+cqCmjpNNuAdjWXdC5Jf10EoI1aXeFv+uWTyKW1Dz3m2yFAkDw2/2HbgiZt9Cn1sg
+R1ml1aJnNpm+33ZPVcuG44uVMC4rK5KOxfUlnDW99ngJOi4Bl3581kl9KuOSNPsQ
+z1Yd90knFCyE9rnSdSktDEas1zktkfRq5EG2lOzsS3J3LvGoRiK/KX4IVaOM8Ir6
+Ca7+6ZvA1TRaWyKWtJXORv8XvcM3qSlZmxobCgs3PBebgSlPxBjspQKrEQIuvEiP
+GqE+KY33rltG5isQ9Xj1bdgwb9i0Sw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF6zCCA9OgAwIBAgIIbjbnRoMmxA8wDQYJKoZIhvcNAQELBQAwezELMAkGA1UE
+BhMCVVMxFDASBgNVBAoMC1Vuc3BlY2lmaWVkMR8wHQYDVQQLDBZjYS03OTQxNzg5
+MjgyOTQ4NTMxMjE1MRQwEgYDVQQDDAt6aXJhLjg5OC5ybzEfMB0GCSqGSIb3DQEJ
+ARYQcm9vdEB6aXJhLjg5OC5ybzAeFw0yMDA5MjIwODI4MDFaFw0yMTA5MjcxMDA4
+MDFaMHsxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtVbnNwZWNpZmllZDEfMB0GA1UE
+CwwWY2EtNzk0MTc4OTI4Mjk0ODUzMTIxNTEUMBIGA1UEAwwLemlyYS44OTgucm8x
+HzAdBgkqhkiG9w0BCQEWEHJvb3RAemlyYS44OTgucm8wggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQDMxBjI05dzfL9xf8sFj+RFOZz9kNxzlLI+vRswRHxS
+GWXA1CEDb/wal1BKUd/qYAhBNSbICe+KYbap8VxVrVLiFxwneYk63TltsdRMf40H
+mWkC0L0YQ8PzVqZUCbc4RHDypv+x+GvRXHmkGGrcXchRVWsA+L8F2hD1+wQTidS2
+qqcwfCUzDV4hqK8jF5ZknTF6xryvOWvfpfU38tXnUYKdm31vvIwo2q8d8CoiY6Qp
+10FkYVgK/6WW5c577BM6/aqjHBbAN8l/ZDJQC0Jfq+pGtT0BE6Tis4Zun8qQyCoX
+rt7x/gFCZeSgDzU7A7T/ULZcFNL69xtCVhlBqjdGoiVKax+zT/81Et84OHDzBZxO
+Yrvq3kDJwm/5Sg3ZdvQHK8Kq8l1QS4m1AygYv8yJXAGIVBlrrmeT90WFDknMuI1l
+O4vjP6SpcJmNj0bKC+aWhtv0fbfA+ghXp+McYY43Z34W/8wlQ7AQa8BKcwX1Lk+d
+FEpZUz+j8UxsRZE3p2aatV2R2IkIRUaHnsQbtfymcG2fZs1GawBWp2SpDEyPPhf4
+I6n5uxxC9UAl7VeBeeKexGSSsry7WQ+Vd9oVmv3Y8samQ/s80HrsIIvLe31X3RHH
+ZmttALwb+9plgKhXdwoHruuPkdsMO7Qm/HNUSci66hnVqJ2u0R2u1GYesg63LXe4
+CQIDAQABo3MwcTAOBgNVHQ8BAf8EBAMCAqQwDAYDVR0TBAUwAwEB/zAaBgNVHR4E
+EzARoA8wDYILemlyYS44OTgucm8wFgYDVR0RBA8wDYILemlyYS44OTgucm8wHQYD
+VR0OBBYEFI4O45SEa0LcJWPzqxxyvb36qo7hMA0GCSqGSIb3DQEBCwUAA4ICAQCh
+pO0Za0QFj6yYyISXhD+vQBJjoEAY0MC+Ue8RI4T7GK9Ki+7LsMsmUdhXTQC5KQHm
+AyesT3u50OcMZBWhTt0u5Xkwyl3WyPc670/ZrLBdOoiHQoX3zrZp7vjwJEk3xP/Y
+6ghnQei8LOoSvW9LXUteoXRdV2ZVUGFfqPleQ6yuqBHIKWI/9/yuEBEk6SOOPN3D
+kx97QH9DUTABqJ+RX3+uTBnSZUHI0kUTHo3Hv0QmxtIQKsIizIKGXIrcTO+3ZhX0
+uZNr1DsRXfFYrKwZ8srGkqM81LeEewDvm1GS+Ol3/Df0tFd4Gk5oEEOcfeQat4x0
+HH0lp1oCKKlF2QGe9y/D6B2i76lLmqBcFR/KPAvm8b6esETkHxd4Aci8+WArwevx
+Bu8b/GphDOajATrYYCbwszXeE1WggVaaAL2zRsTEpgDaBKJUZL5kwIyEYydJKHfC
+PTBEZI6CqImpsAmDAiwHZX2H2MQ4FzD3fLHGfrCBZArxd6cjLxLojkEugPDfyBaT
+wqW99eA9YQbUC8YgbSIbNEPbFlGWQoJdxeEkLwhGLlipVY9K8g93niQR4335ZlQD
+VJvtrrw36iOuiBirD/ysVp0cVC7534Q50kV0Tul4+G8vi3Yuo+Y5G6ta40Kv7qe2
+DGCKWlZ1S8vi4AfdnKNazRqppDOzq4ygyfddMAA4YA==
+-----END CERTIFICATE-----

pki/tls/certs/postfix.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGHzCCBAegAwIBAgICO5IwDQYJKoZIhvcNAQELBQAwgacxCzAJBgNVBAYTAi0t
+MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
+DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
+bml0MRQwEgYDVQQDDAt6aXJhLjg5OC5ybzEfMB0GCSqGSIb3DQEJARYQcm9vdEB6
+aXJhLjg5OC5ybzAeFw0yMDA5MjExNzQ3NTlaFw0yMTA5MjExNzQ3NTlaMIGnMQsw
+CQYDVQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0
+eTEZMBcGA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2Fu
+aXphdGlvbmFsVW5pdDEUMBIGA1UEAwwLemlyYS44OTgucm8xHzAdBgkqhkiG9w0B
+CQEWEHJvb3RAemlyYS44OTgucm8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQDJZ6qe6hnqx+bkqMlPaTjY8AQqis6svbOhMOwF3+kKDqWmHSyDZaSN3001
+1fExY5gMnYPp3mW4L96lF6YEUk46gcLM4o+jPRBw6pqe9WANF31RhsoumV9/cOvQ
+9Yizf+StTyyXATH/Ih4Rh3iHlsHzEGOiCgbvYddAbT/qE1w4di+jHMBZ/r3MNqIE
+vDZlyU+q5KYfp8TLkbdTuLru/XZsRRX43wIDVQFRXRj0H5oSRaBUN2iAuBUeH7uq
+t3aKPA56zJo12dtq2wzehQMouDu4fZIgsPR99RN/m4pOdVoDVU+9SmF8xlUHqCrj
+6ajxtKT9goiEXZKgSKH6SQRJBz3GioVUQtp1m46A0Ty9fW/AuQsoRkGycL17GnsV
+L7qZCx6cvWkQbJ3ksFntYNSqYQ1v2x6XPoaww1HCWZ58P89j11Ba1GtDwS38d4F9
+EdzY+1OqC6NjCP9ZfqxD4HYUKYo40/xbWOx1g/O8Qq+RK7y2GPOzRPsLtVKj2wYn
+MtauzvbHgNpy1NTyp5n9PdaSa9UlwpETtwM4MuW+Dmx+PnO/ftldqDMWIsZ2FHSt
+ACEnnzz7qaWgAzqCEnSdpnUYfXsJPh8YcFACnBpBh23/A508nAVYY4tEWWYMkchR
+Gba5OloIoiNQNs6xA5oK6U8cFsBDS5+WqF5hkeOyBARTDZ6kCQIDAQABo1MwUTAd
+BgNVHQ4EFgQUwmxLqf4lHqiJ6C9O0ByjBvphajkwHwYDVR0jBBgwFoAUwmxLqf4l
+HqiJ6C9O0ByjBvphajkwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAW4P6bEucZizc1ZcQhnWo6GAtqgVUpv5g9SyRjHpHQDpKyltQ1LcP8lUh37Hs
+huDSW2KaBTN/8m1VjbTCUi76SbKdtNNXRjWVW6kNAnmaUCWZ+RWDnwvBCfXqlHAt
++400q5Ns6f3jMZ3J9fzKnHOdVJWAaNb035+IHlJV5ahBtPyj64tOtp71g1b2qv2E
+Eks5VPYy1p35k47SxBKLpnqn7kA4tUBRNT9cDKxRchjW/wsDwunzsoliwDwWKXCR
+7fRBIRDJzAY382fxBgRIP/QoMQ7WDZrHs3vEJhgQF/YoFtR2gABa1G8fa/09PTBj
+Qsqi5OGQN2uJqxFDnCjvf1DzZEF5CQyrmG3k+KkEJ/uqQMbafkxx3JdpYgaGsTV2
+kvSTOqz2+k+iwUDk96l2cg/gHQUNqaGFAMyBDi8iQki+o77UM5CEhL09Zff0vIRf
+2OcnIj6WDZ5b/sVQN9Qbp8Hwh5epDox/m9iTjJViAY3boTmwOftwlQwMOwI5+IgB
+1kAH+5wsnJEC8bSTsvD+fXPyS7BMoBz+eQg+Ro7XrssSaEgSN9HeFyoENSrH5Pc4
+cWmPXVXlN0Vgs7rPhw20YP/MdVN7fnfD/jKMvkb/im0Eq7uhOdQe5j2e6/YM3qWw
+K0VUmNVmpbTexmLHMULYS148jMELqy2q8YyNEl1AaYkHdsw=
+-----END CERTIFICATE-----

pki/tls/ct_log_list.cnf

@@ -0,0 +1,9 @@
+# This file specifies the Certificate Transparency logs
+# that are to be trusted.
+
+# Google's list of logs can be found here:
+#       www.certificate-transparency.org/known-logs
+# A Python program to convert the log list to OpenSSL's format can be
+# found here:
+#       https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py
+# Use the "--openssl_output" flag.

pki/tls/openssl.cnf

@@ -0,0 +1,368 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+# Load default TLS policy configuration
+
+openssl_conf = default_modules
+
+[ default_modules ]
+
+ssl_conf = ssl_module
+
+[ ssl_module ]
+
+system_default = crypto_policy
+
+[ crypto_policy ]
+
+.include /etc/crypto-policies/back-ends/opensslcnf.config
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= /etc/pki/CA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several certs with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use SHA-256 by default
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_md		= sha256
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= XX
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= Default Province
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Default City
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Default Company Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= /etc/pki/CA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
+ess_cert_id_alg		= sha1	# algorithm to compute certificate
+				# identifier (optional, default: sha1)

pki/tls/private/localhost.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1WL8kPaksrTnD
+Ccj4Ja3B+NGtnuoIuFDViht/DTBfBYmB2E+yXyBX+z/U3cXVoPL2BF8GRvgCxtla
+hYXj1B54fkCRpsPjzurnZnh37AHRUtoCBIarUfsxeNdNucDUVlDAFedMCQ4Xsy14
+ugAd/zVdfpHdEegfyTb1tVDu7cv6QqGUDUFbHoPnxOCc2UHSHpsMJ4P5jIXz9J82
+Umf/SIU+5c+/AP5u9Zvcq2AGxhO//wAm3MMZ9O2S2CU24jAYpYsvciYQS1ItPI1I
+YzewlySvQ7rSUjTlt19Om9vXOfhNqGcQrICWRW8Ij4YVjBekZmoLTygXJh7JkGLb
+ZVxQU4RnAgMBAAECggEAbgREGalqy9bflwqFqL27F1VrZ2hkVRv0tkfN/Js0wEDs
+tiBT4UPCrH2ZsPtGPR8ipsvqFjXR2mVmkXs1ygzy22jEpVhFuRvb+Lx6004ToDki
+V10FkkPvH4lPHTFW4brnzFC9fKx1pz0llftJfOlKJ8lUloh5iWcZ96CjVABh4hWp
+le+vIuuVeC1+mWLXG7NAHI6i6FKCLaERa+ES7e7Sb9QH+hSXlMnpsYex5FqOfr6U
+NQJoBPsGyMGemBArzJL7VZDnv36UxxxvcTRwAx/g/Cv6iFOOIg8o32LJQL1nOtOC
+pQgtdOMZkc2G6DWsp4w33dRIpTaAPfv5egUSmVkPMQKBgQDt877YSRBiT3U8RhBG
+nuS0oK2iKq9OWpUGEC9CvkaulgLr+lXH1ei8ZSowrA3CoTPzQyWzMANh8K66/B9D
+3ktbkLdv2id6sYbSOOFSTASxhV4wzZvJuhmmwU4tIcCTZYt0TdXdozmLbH7Q0L9Z
+w0MYFmWIr8KMqGA8ZTbMrgNZfwKBgQDDGehZQMHwP+TRPnGQpBoz/uMxJatVJvyW
+rUPbF4Rm6QbLLygGaE/W9vo0sRs8rn5iSjXV2/OlYIxBLyxQVwaQ5NBm6+5INzMi
+sf27Y5TJU8f+UF4qYr5ACJbXpLJo7fEdy2Pp08UG+NxMVLtnJcAlrUK+0m0v/IYy
+AAAvVS25GQKBgQCvDVMH4HBqMpRHnC+bFIeiDlbOZ2KCXQcm578s9bgf9gH+QjLb
+CZXnCvGHzvtshJUoT+yrLxY99gdFTfdeQWnk2cjpQ28pxvItM2Un2v7U7g2GD6yd
+Mghu8eSmNR9sEBcQn7ZHEC5kUJPW4Mr0qT5xuQBHFy4jtjbeF4PB/f4+1wKBgBqY
+n4n7P/TmYOT9ZDHZjRDlgEck4XRcOja4K/XkANKelaSBKy2kbq3ZQUaJljLxfp0b
+jLc4osA6pyQDsEDLfEOoTZiaNQN3MutZ5EL1UkUXvL24av3QNCs6gIWpGAEh3qq3
+HUm06rkGl9F4A4wOI2F/ewfUW7oc7JZIVb4eGHuRAoGAI4FC/cxs/26Ua6polQ5M
+/VL2K0r9JUvmI5aDB+oLOp9WeN5+Qh9q8syJsv8vtXVvm/Ix/cktLSl556/JskNO
+0HLbaP8fw82nVQDx7IrPGOm32G1pNKq3U8WnNw/HYQbgbuEAeMyWlHadh2js13Bi
+bT5vv+K2UReRJjCJOPT7kAc=
+-----END PRIVATE KEY-----

pki/tls/private/postfix.key

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKgIBAAKCAgEAyWeqnuoZ6sfm5KjJT2k42PAEKorOrL2zoTDsBd/pCg6lph0s
+g2Wkjd9NNdXxMWOYDJ2D6d5luC/epRemBFJOOoHCzOKPoz0QcOqanvVgDRd9UYbK
+Lplff3Dr0PWIs3/krU8slwEx/yIeEYd4h5bB8xBjogoG72HXQG0/6hNcOHYvoxzA
+Wf69zDaiBLw2ZclPquSmH6fEy5G3U7i67v12bEUV+N8CA1UBUV0Y9B+aEkWgVDdo
+gLgVHh+7qrd2ijwOesyaNdnbatsM3oUDKLg7uH2SILD0ffUTf5uKTnVaA1VPvUph
+fMZVB6gq4+mo8bSk/YKIhF2SoEih+kkESQc9xoqFVELadZuOgNE8vX1vwLkLKEZB
+snC9exp7FS+6mQsenL1pEGyd5LBZ7WDUqmENb9selz6GsMNRwlmefD/PY9dQWtRr
+Q8Et/HeBfRHc2PtTqgujYwj/WX6sQ+B2FCmKONP8W1jsdYPzvEKvkSu8thjzs0T7
+C7VSo9sGJzLWrs72x4DactTU8qeZ/T3WkmvVJcKRE7cDODLlvg5sfj5zv37ZXagz
+FiLGdhR0rQAhJ588+6mloAM6ghJ0naZ1GH17CT4fGHBQApwaQYdt/wOdPJwFWGOL
+RFlmDJHIURm2uTpaCKIjUDbOsQOaCulPHBbAQ0uflqheYZHjsgQEUw2epAkCAwEA
+AQKCAgEAverial3oOItuP7qlshtPvsl9tDwWLa/ovhwqxFNjJdev/ldOTU1AgYPL
+A/QNL3xxuZui85qCos+JDHajVznhiKwp7BfMSKrhYQjo6vIJM+8tff4zkwOPmNX7
+mJyf3lvAYGjjbDV1VtduMStkzb6sfy66NOdtqLfDSX57oZfGA3v26cHH5FUh1nrC
+BuMQDKVrWYOo3vrNyQRMMkdlBs29qNTwpjBsboXu6zF1wWY3W/mJ+UASbCapyzEz
+PwUnY6zEHqnm1NbtX/LVTNNyqigoMI1AiVE0C75ZN6CNJ/Ti/3en7KBCE23WapT6
+dNY2OE4WsvMvFlpCVKCJFUFbKB4K8guT8xidST4HAKa++k/n1j8pt+IkPuvCG8Jf
+CGfDMlGWEQalu6ZmRmB6MD9AF2JRcsEFNpz2le3Cc3mkvafY2OpRn0MuQoAmV1W2
+OD2EYY9KU+/DG+H5RIMLUnYzbL6WX35nRpLVUXIHHOcmVXKFJWHhzIB8wecbyw8x
+VsmUJl9jS3aZzrALXIoFZkk7Q2mHeqz/tQj9uzCDYs5U9zFS6n3Livw2C6T5ERqs
+EJ2ZINj8iEjGD/eGOCaK8gREaXCCPods4F4TfmcDwW4o6haUPCN02CgikRLquxqj
+ltbm4BmfpsicKWoWpuWhhQ63neKOFWUWB4npBgVqHoUJKKrvHg0CggEBAO6THgNK
+ffJ444aGGcqKOcxKCt9hukhlzMK2IoB3oneTDjn+wU5FnAtqZMqRhJC850gsQDJX
+L+I8btADM3oZxU/jQexlWz+8hjCadRCztV8zHaNDeiIuqA5Lfz3Ig3I1/pdlWL/L
+hzEKTgSyicVpdoafFznbhhh29cEW79GMXBCa15ozLoVsQfDfm8vRBbIkYS/myOyW
+wu0wEyIchwoU7sRiSsefBO+pOIAQo5XCpEakdHlQ1grkV6hNEn28aDJgKYLi2tBj
+VktdGzdGRV+YghVug/pfeZp0LFkxK/qdFdjKzQKNoIOBpB5mf2VrjekNnHJ9aZ/e
+C1vf8ab92cwyEzcCggEBANgdjCxMYB6hQhWL5bSNjp4MN62WDy5uiod+2JV0p+Qk
+t7DK9KJaXkxGwAUCdeXzjB9FzcpgqZgUQa/wpZCuAaMAE+UQLb/UT8OnkJdDrfYP
+efggTLKEGNRS6NNzqYVpb8IaNdX4LA/LGY101r9B2sKyd8VXoDU4GQOgKWMb76ZH
+xsANhKbKMoD5yK1Ux6go+RStzgiPwmh3dpBEjyx5caB+8xBthrzgi3zuah5X+XOK
+e+hYoU0UAf1HGkndDnj621Ef3Z+TvaIGlusB256IUsh//WNdTlM1X4A04TMcAwdJ
+up80LlN9XSzQgy8IKwlIF11yNKfUm24B+o1JSvRzIr8CggEAVpS9h6Q5IQ4ORHvW
+UFLptuIIIBlvaWbIcMF4s/a2135e4104+hb5EouCGKHG4mAr711fzuUlU41rCcKf
+o+hGWz+2ZPxDqVXZvTnQ0kblw67hSqbqZA1aoBV2EA385i4CPx9gnfpXDc0Xk0zY
+AvTLNv/1heHNQIOrnG+eiQXPQ5duN1/rujAXnjsIZ2dsEcJyItg2guYTx9ByoSaJ
+O3dtT4f8a4WiXPeksZVYSLlitOBqBLz5cOp9hW6zDz6Y8e9EIWQC1S2325HmlqDB
+/Hd0fiKlcu/DSfJvRc86jrEDhLHUxOBxKEicLwwzn7LwxWtTI5mwA3yp0qXrJRdr
+O1fQ8QKCAQEAwzwmNpqktucNMTPZxvue3G7DGeEXQ+X+5ZsVBCeHyJXXEDK5P7YN
+vDCqJZxsb9lOO64u0+XxL/8UvGHU4FgiCGP4lRXBjqu5h1JoUA6HKGQg1qQvRZIK
+cD2aMfQqL+jpWludSPhSrc3X/q+PlOZkP0FE7BVWGN3d0yWsXemN3RS4myVbMeY2
+K8f7n4KYf/TL1/+PwrJEeWV6yaf2A8KOgOROpwebEiR0Pt+PJGxrYRK5D1SKG3y4
+s1u5hwLZoTdWS/pSl2e7h5UWX6WlBpm214Swn0RajtcHuGWNEEP9BGd53XshYrE9
+LFAOQr3JSzBCU1vp77gk1gOZmmuc+CrPNwKCAQEAokk37mcrsaN/1qy88tWZ0Iro
+EUdXRsCxf1riS2Hn93l+Gs6B7+UrKn5vPIJi163hqStpX+iciPfimrrBUhOEdyEE
+Dzmwo4ZjcNFssc4amYVsLXy037JAkuotqhasttxlzkC/OJBjXEfvvmsSRFnqqr9G
+/3HAXhzWXTYuMEa2VQiOgyfD2nY1FmA/efVsnbi/PWO4WOnS4z+LuAZRmL5ylIkg
+vnLKmqGwitigwPdz/48YCr0r1aIW5P6IzQIzEQTjSTyZv48CYLiafMkhjWkkWO5Y
+16umJSrBMEC1KEqcm8Lax07ecdKrpy5lOrcxLL0hhCFwycIeZ/Tei4rnjK8//w==
+-----END RSA PRIVATE KEY-----