...
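# Root CA key ceremony configuration (ECDSA P-384).
# Restored from a rendered listing: the gutter line numbers that were fused
# into each line have been removed and the nesting re-indented with 2 spaces.
# Keys and values are unchanged.
ceremony-type: root
pkcs11:
  # NOTE(review): a SoftHSM module keeps key material in software, not in
  # tamper-resistant hardware. That, together with the trivial PIN below,
  # suggests a test fixture; confirm before reusing this file elsewhere.
  module: /usr/lib/softhsm/libsofthsm2.so
  # The token PIN is stored in cleartext: anyone who can read this file can
  # log in to the token. Keep real PINs out of version control.
  # NOTE(review): the value is unquoted, so a generic YAML parser types it as
  # an integer; a PIN with a leading zero would need quoting to survive.
  pin: 1234
  # Template placeholder (looks like Go text/template syntax). The file must
  # be rendered before it is parsed as YAML, because a bare `{{` would
  # otherwise be read as the start of a flow mapping.
  store-key-in-slot: {{ .SlotID }}
  store-key-with-label: root signing key (ecdsa)
key:
  type: ecdsa
  ecdsa-curve: P-384
outputs:
  # Going by the key names, only public material (public key and
  # certificate) is written to disk here.
  public-key-path: /hierarchy/root-signing-pub-ecdsa.pem
  certificate-path: /hierarchy/root-cert-ecdsa.pem
certificate-profile:
  # SHA-384 is paired with the P-384 key declared above.
  signature-algorithm: ECDSAWithSHA384
  common-name: CA root (ECDSA)
  organization: good guys
  country: US
  # 20-year validity window. No time zone is given in the file.
  # NOTE(review): presumably read as UTC; confirm against the consumer.
  not-before: 2020-01-01 12:00:00
  not-after: 2040-01-01 12:00:00
  # Only certificate and CRL signing are requested.
  key-usages:
    - Cert Sign
    - CRL Sign
# Each entry here switches off one certificate lint for this ceremony, so
# keep the list short and give the reason for every entry.
skip-lints:
  # Our roots don't sign OCSP, so they don't need the Digital Signature KU.
  - n_ca_digital_signature_not_set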