103 lines
4.2 KiB
Plaintext
103 lines
4.2 KiB
Plaintext
# Simple Root CA
|
|
|
|
# The [default] section contains global constants that can be referred to from
|
|
# the entire configuration file. It may also hold settings pertaining to more
|
|
# than one openssl command.
|
|
|
|
[ default ]
|
|
ca = root-ca # CA name
|
|
dir = . # Top dir
|
|
|
|
# The next part of the configuration file is used by the openssl req command.
|
|
# It defines the CA's key pair, its DN, and the desired extensions for the CA
|
|
# certificate.
|
|
|
|
[ req ]
|
|
default_bits = 2048 # RSA key size
|
|
encrypt_key = yes # Protect private key
|
|
default_md = sha256 # MD to use
|
|
utf8 = yes # Input is UTF-8
|
|
string_mask = utf8only # Emit UTF-8 strings
|
|
prompt = no # Don't prompt for DN
|
|
distinguished_name = ca_dn # DN section
|
|
req_extensions = ca_reqext # Desired extensions
|
|
|
|
[ ca_dn ]
|
|
0.domainComponent = "org"
|
|
1.domainComponent = "simple"
|
|
organizationName = "Simple Inc"
|
|
commonName = "Simple Root CA"
|
|
|
|
[ ca_reqext ]
|
|
keyUsage = critical,keyCertSign,cRLSign
|
|
basicConstraints = critical,CA:true
|
|
subjectKeyIdentifier = hash
|
|
|
|
# The remainder of the configuration file is used by the openssl ca command.
|
|
# The CA section defines the locations of CA assets, as well as the policies
|
|
# applying to the CA.
|
|
|
|
[ ca ]
|
|
default_ca = root_ca # The default CA section
|
|
|
|
[ root_ca ]
|
|
certificate = $dir/ca/$ca.crt # The CA cert
|
|
private_key = $dir/ca/$ca/private/$ca.key # CA private key
|
|
new_certs_dir = $dir/ca/$ca # Certificate archive
|
|
serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
|
|
crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
|
|
database = $dir/ca/$ca/db/$ca.db # Index file
|
|
rand_serial = yes # Use random serial numbers
|
|
unique_subject = no # Require unique subject
|
|
default_days = 3652 # How long to certify for
|
|
default_md = sha256 # MD to use
|
|
policy = match_pol # Default naming policy
|
|
email_in_dn = no # Add email to cert DN
|
|
preserve = no # Keep passed DN ordering
|
|
name_opt = multiline,-esc_msb,utf8 # Subject DN display options
|
|
cert_opt = ca_default # Certificate display options
|
|
copy_extensions = none # Copy extensions from CSR
|
|
x509_extensions = signing_ca_ext # Default cert extensions
|
|
default_crl_days = 365 # How long before next CRL
|
|
crl_extensions = crl_ext # CRL extensions
|
|
|
|
# Naming policies control which parts of a DN end up in the certificate and
|
|
# under what circumstances certification should be denied.
|
|
|
|
[ match_pol ]
|
|
domainComponent = match # Must match 'simple.org'
|
|
organizationName = match # Must match 'Simple Inc'
|
|
organizationalUnitName = optional # Included if present
|
|
commonName = supplied # Must be present
|
|
|
|
[ any_pol ]
|
|
domainComponent = optional
|
|
countryName = optional
|
|
stateOrProvinceName = optional
|
|
localityName = optional
|
|
organizationName = optional
|
|
organizationalUnitName = optional
|
|
commonName = optional
|
|
emailAddress = optional
|
|
|
|
# Certificate extensions define what types of certificates the CA is able to
|
|
# create.
|
|
|
|
[ root_ca_ext ]
|
|
keyUsage = critical,keyCertSign,cRLSign
|
|
basicConstraints = critical,CA:true
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always
|
|
|
|
[ signing_ca_ext ]
|
|
keyUsage = critical,keyCertSign,cRLSign
|
|
basicConstraints = critical,CA:true,pathlen:0
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always
|
|
|
|
# CRL extensions exist solely to point to the CA certificate that has issued
|
|
# the CRL.
|
|
|
|
[ crl_ext ]
|
|
authorityKeyIdentifier = keyid:always
|