# Definition for testing certificates to be created and installed into the MacOS trusted keychain upon provision.
# On MacOS provision, these certificates will be written to /opt/x509.

global:
  Subject:
    C: "US"
    ST: "New York"
    L: "New York City"
    O: "MongoDB"
    OU: "Kernel"
  keyfile: "macos_key.pem"

certs:
  - name: "macos-trusted-ca.pem"
    description: CA for trusted MacOS client/server certificate chain.
    Subject: {CN: "Trusted MacOS Kernel Test CA"}
    Issuer: self
    keyfile: "macos_ca_key.pem"
    extensions:
      basicConstraints: {CA: true}
      subjectAltName:
        DNS: localhost
        IP: 127.0.0.1

  - name: "macos-trusted-client.pem"
    description: Client certificate for trusted MacOS chain.
    Subject: {CN: "Trusted MacOS Kernel Test Client"}
    Issuer: "macos-trusted-ca.pem"
    pkcs12:
      passphrase: "qwerty"
      name: "macos-trusted-client.pfx"
    extensions:
      extendedKeyUsage: [clientAuth]
      subjectAltName:
        DNS: localhost
        IP: 127.0.0.1

  - name: "macos-trusted-server.pem"
    description: Server certificate for trusted MacOS chain.
    Subject: {CN: "Trusted MacOS Kernel Test Server"}
    Issuer: "macos-trusted-ca.pem"
    pkcs12:
      passphrase: "qwerty"
      name: "macos-trusted-server.pfx"
    extensions:
      extendedKeyUsage: [serverAuth]
      subjectAltName:
        DNS: localhost
        IP: 127.0.0.1