| 1 | #
|
|---|
| 2 | # OpenSSL example configuration file for automated certificate creation.
|
|---|
| 3 | #
|
|---|
| 4 |
|
|---|
| 5 | # This definition stops the following lines choking if HOME or CN
|
|---|
| 6 | # is undefined.
|
|---|
| 7 | HOME = .
|
|---|
| 8 | CN = "Not Defined"
|
|---|
| 9 | default_ca = ca
|
|---|
| 10 |
|
|---|
| 11 | # Comment out the next line to ignore configuration errors
|
|---|
| 12 | config_diagnostics = 1
|
|---|
| 13 |
|
|---|
| 14 | ####################################################################
|
|---|
| 15 | [ req ]
|
|---|
| 16 | default_bits = 1024
|
|---|
| 17 | default_keyfile = privkey.pem
|
|---|
| 18 | # Don't prompt for fields: use those in section directly
|
|---|
| 19 | prompt = no
|
|---|
| 20 | distinguished_name = req_distinguished_name
|
|---|
| 21 | x509_extensions = v3_ca # The extensions to add to the self signed cert
|
|---|
| 22 | string_mask = utf8only
|
|---|
| 23 |
|
|---|
| 24 | # req_extensions = v3_req # The extensions to add to a certificate request
|
|---|
| 25 |
|
|---|
| 26 | [ req_distinguished_name ]
|
|---|
| 27 | countryName = UK
|
|---|
| 28 |
|
|---|
| 29 | organizationName = OpenSSL Group
|
|---|
| 30 | # Take CN from environment so it can come from a script.
|
|---|
| 31 | commonName = $ENV::CN
|
|---|
| 32 |
|
|---|
| 33 | [ usr_cert ]
|
|---|
| 34 |
|
|---|
| 35 | # These extensions are added when 'ca' signs a request for an end entity
|
|---|
| 36 | # certificate
|
|---|
| 37 |
|
|---|
| 38 | basicConstraints=critical, CA:FALSE
|
|---|
| 39 | keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
|
|---|
| 40 |
|
|---|
| 41 | # PKIX recommendations harmless if included in all certificates.
|
|---|
| 42 | subjectKeyIdentifier=hash
|
|---|
| 43 | authorityKeyIdentifier=keyid
|
|---|
| 44 | # OCSP responder certificate
|
|---|
| 45 | [ ocsp_cert ]
|
|---|
| 46 |
|
|---|
| 47 | basicConstraints=critical, CA:FALSE
|
|---|
| 48 | keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
|
|---|
| 49 |
|
|---|
| 50 | # PKIX recommendations harmless if included in all certificates.
|
|---|
| 51 | subjectKeyIdentifier=hash
|
|---|
| 52 | authorityKeyIdentifier=keyid
|
|---|
| 53 | extendedKeyUsage=OCSPSigning
|
|---|
| 54 |
|
|---|
| 55 | [ dh_cert ]
|
|---|
| 56 |
|
|---|
| 57 | # These extensions are added when 'ca' signs a request for an end entity
|
|---|
| 58 | # DH certificate
|
|---|
| 59 |
|
|---|
| 60 | basicConstraints=critical, CA:FALSE
|
|---|
| 61 | keyUsage=critical, keyAgreement
|
|---|
| 62 |
|
|---|
| 63 | # PKIX recommendations harmless if included in all certificates.
|
|---|
| 64 | subjectKeyIdentifier=hash
|
|---|
| 65 | authorityKeyIdentifier=keyid
|
|---|
| 66 |
|
|---|
| 67 | [ v3_ca ]
|
|---|
| 68 |
|
|---|
| 69 |
|
|---|
| 70 | # Extensions for a typical CA
|
|---|
| 71 |
|
|---|
| 72 | # PKIX recommendation.
|
|---|
| 73 |
|
|---|
| 74 | subjectKeyIdentifier=hash
|
|---|
| 75 | authorityKeyIdentifier=keyid:always
|
|---|
| 76 | basicConstraints = critical,CA:true
|
|---|
| 77 | keyUsage = critical, cRLSign, keyCertSign
|
|---|
| 78 |
|
|---|
| 79 | # Minimal CA entry to allow generation of CRLs.
|
|---|
| 80 | [ca]
|
|---|
| 81 | database=index.txt
|
|---|
| 82 | crlnumber=crlnum.txt
|
|---|
