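# caddy/tls/internal-ca/ca.conf
# OpenSSL config for generating the internal root CA used by Caddy's
# `tls internal` for *.home.arpa. The generated root cert is then
# installed on each client via `update-ca-certificates` (Linux: copy it
# as a .crt into /usr/local/share/ca-certificates/) or a configuration
# profile (macOS / iOS). Browsers with their own trust store (e.g.
# Firefox, sandboxed/snap browsers) need a separate import.
#
# NOTE: OpenSSL's config parser recognises only '#' as a comment
# character. A line starting with ';' is parsed as key=value and makes
# `openssl req -config` abort with "missing equal sign", so keep '#'.
#
# Key type: ECDSA P-256. Ed25519 is tempting (shorter keys, faster) but
# as of this writing Apple's TLS stack (Safari / iOS) and Windows
# SChannel do not validate EdDSA-signed certificates, which would defeat
# the purpose of installing this root on those clients. P-256 is
# accepted everywhere and matches the ECDSA intermediate Caddy mints.
# (With an Ed25519 key, -sha256 / default_md would be silently ignored;
# Ed25519 always uses its built-in SHA-512.)
#
# Usage (the umask makes ca.key 0600 from the moment it is written;
# -nodes is spelled -noenc on OpenSSL 3, both spellings are accepted):
#   (umask 077; openssl req -x509 -newkey ec \
#     -pkeyopt ec_paramgen_curve:prime256v1 -sha256 -days 3650 \
#     -nodes -keyout ca.key -out ca.crt -config ca.conf)
#
# ca.key is written unencrypted (-nodes). Caddy presumably needs it to
# sign its own intermediate (pathlen:1 below allows exactly that hop),
# so keep it readable by the Caddy user only and back it up offline.
# Whoever holds it can mint a certificate for any *.home.arpa name or
# listed private IP -- and, thanks to the name constraints below,
# nothing else that a constraint-aware validator will accept.
# 3650 days is fine for a locally installed root; the ~398-day lifetime
# caps enforced by browsers apply to leaf certificates, not roots.

[req]
# Only consulted for RSA keys generated without an explicit size; kept
# so that switching -newkey to rsa still yields a sane key.
default_bits = 4096
# Signature hash for ECDSA/RSA signing (ignored for Ed25519/Ed448).
default_md = sha256
# Take the DN from [dn] verbatim instead of prompting.
prompt = no
distinguished_name = dn
# Extensions applied to the self-signed root because of -x509.
x509_extensions = v3_ca

[dn]
# Subject of the root. Purely informational for a private CA; it is
# what shows up in client trust-store UIs, so keep CN recognisable.
C = CH
ST = Zurich
L = Home
O = homelab
OU = pki
CN = homelab Root CA

[v3_ca]
# pathlen:1 permits exactly one CA below this root (the intermediate
# Caddy mints). Any deeper chain fails validation.
basicConstraints = critical, CA:true, pathlen:1
# The root only signs certificates and CRLs. No digitalSignature, so the
# root key cannot be misused directly as a TLS or OCSP-signing key.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
# critical: a validator that does not implement nameConstraints should
# reject the certificate rather than silently ignore the restriction.
# NOTE(review): RFC 5280 leaves it to the implementation whether
# extensions on the trust anchor itself are enforced. OpenSSL, NSS,
# BoringSSL and Go do enforce them on a root; verify on every client
# platform you rely on, or put the same constraints on the intermediate.
nameConstraints = critical, @nc
certificatePolicies = @polsect

[nc]
# RFC 5280 DNS constraints match the name itself plus any number of
# labels added on its left, so "home.arpa" already covers *.home.arpa.
# The leading-dot ".home.arpa" spelling is an OpenSSL-specific form that
# not every validator interprets the same way, so it is not used here.
permitted;DNS = home.arpa
# OpenSSL wants a dotted netmask here, not a prefix length.
# Listing any IP subtree makes every IP SAN subject to this list, so an
# IPv6 SAN (even a ULA like fd00::/8) is rejected unless a v6 range is
# added, e.g.: permitted;IP = fd00::/ff00::
permitted;IP = 10.10.0.0/255.255.0.0
permitted;IP = 172.20.0.0/255.255.0.0
# No excluded subtrees are needed: once a permitted DNS list exists,
# every DNS name outside it (anything under .com, .net, .org, ...) is
# already rejected. Email, URI and directoryName SANs remain
# unconstrained by this extension.

[polsect]
# NOTE(review): 1.3.6.1.4.1.<n> is the IANA Private Enterprise Number
# arc and 99999 is almost certainly a placeholder, not a PEN you own.
# Either register a PEN (free) or use a UUID-based OID under 2.25
# (ITU-T X.667), which needs no registration and cannot collide.
policyIdentifier = 1.3.6.1.4.1.99999.1
# Quoted so the value survives OpenSSL's value parsing unchanged.
CPS.1 = "https://mercemay.top/src/homelab-compose/"
userNotice.1 = @notice

[notice]
# Free text shown by some clients in the certificate-policy UI.
explicitText = "Internal homelab use only"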