# Simple Root CA
#
# OpenSSL configuration for a root CA. The same file serves two commands:
# `openssl req` (CA key pair and CSR, sections [req]/[ca_dn]/[ca_reqext])
# and `openssl ca` (issuing and CRL signing, sections [ca]/[root-ca] and the
# policy/extension sections below).
#
# [default] holds constants referenced as $name elsewhere in the file. OpenSSL
# also consults it as a fallback for keys missing from other sections, so it
# may carry settings shared by more than one subcommand.
[ default ]
ca = root-ca                          # CA name; also the directory name under $dir
dir = .                               # Top dir, resolved relative to the cwd when openssl runs
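# The next part of the configuration file is used by the openssl req command.
# It defines the CA's key pair, its DN, and the extensions requested in the
# CA's CSR.
[ req ]
default_bits = 2048                   # RSA key size; a root that is trusted for 10+ years is commonly 3072/4096
encrypt_key = yes                     # Protect private key (passphrase-encrypted on disk)
default_md = sha256                   # Signature digest; sha1 signatures are rejected by current verifiers
utf8 = yes                            # Input is UTF-8
string_mask = utf8only                # Emit UTF-8 strings
prompt = no                           # Don't prompt for DN; take it from [ca_dn]
distinguished_name = ca_dn            # DN section
req_extensions = ca_reqext            # Extensions written into the CSR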
# Subject DN of the root CA (dc=me, dc=nmz, o=NMZ, ou=NMZ PKI, cn=NMZ Root CA).
# The DC and O values are what [match_pol] compares incoming CSRs against.
[ ca_dn ]
0.domainComponent = "me"
1.domainComponent = "nmz"
organizationName = "NMZ"
organizationalUnitName = "NMZ PKI"
commonName = "NMZ Root CA"
# Extensions placed in the root's CSR. Note that `openssl ca` in this file runs
# with copy_extensions = none, so these CSR extensions are NOT carried into the
# signed certificate; when self-signing, select the extension section
# explicitly (e.g. `-extensions root_ca_ext`).
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
# The remainder of the configuration file is used by the openssl ca command.
# [ca] only names the CA section to use when none is given with -name; the
# actual asset locations and policies live in [root-ca].
[ ca ]
default_ca = root-ca                  # The default CA section
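# The CA section defines the locations of CA assets, as well as the policies
# applying to the CA. The serial, crlnumber and database files must exist
# (initialised by the operator) before the first `openssl ca` run.
[ root-ca ]
certificate = $dir/$ca/certs/$ca.crt  # The CA cert
private_key = $dir/$ca/private/$ca.key.pem  # CA private key (keep the directory mode 0700)
new_certs_dir = $dir/$ca/certs        # Certificate archive
serial = $dir/$ca/db/$ca.crt.srl      # Serial number file
crlnumber = $dir/$ca/db/$ca.crl.srl   # CRL number file
database = $dir/$ca/db/$ca.db         # Index file
unique_subject = no                   # Allow re-issuing a cert with the same subject (e.g. sub-CA renewal)
default_days = 3652                   # Validity of issued certs (~10 years)
default_md = sha256                   # Signature digest; sha1 signatures are rejected by current verifiers
policy = match_pol                    # Default naming policy; override per run with -policy
email_in_dn = no                      # Add email to cert DN
preserve = no                         # Keep passed DN ordering
name_opt = ca_default                 # Subject DN display options
cert_opt = ca_default                 # Certificate display options
copy_extensions = none                # Ignore CSR extensions: a requester cannot inject CA:true or extra key usages
x509_extensions = int_ca_ext          # Default cert extensions; must name a section defined in this file
default_crl_days = 365                # Next-update interval; a revoked sub-CA stays trusted until a fresh CRL is published
crl_extensions = crl_ext              # CRL extensions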
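# Naming policies control which parts of a DN end up in the certificate and
# under what circumstances certification should be denied. 'match' compares
# the CSR field against the CA certificate's own subject ([ca_dn]).
[ match_pol ]
domainComponent = match               # Must match the CA's DCs ('me', 'nmz')
organizationName = match              # Must match the CA's O ('NMZ')
organizationalUnitName = optional     # Included if present
commonName = supplied                 # Must be present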
# Permissive policy: every field optional, nothing matched against the CA DN.
# Not selected by default (policy = match_pol); only active when passed with
# `-policy any_pol`, in which case the subject is accepted as submitted.
[ any_pol ]
domainComponent = optional
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
# Certificate extensions define what types of certificates the CA is able to
# create. Each section is selected with `-extensions <name>` (or via
# x509_extensions in [root-ca]).
#
# Self-signed root: CA with no path-length limit, key restricted to signing
# certificates and CRLs. Used with `openssl ca -selfsign -extensions root_ca_ext`.
[ root_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Subordinate (issuing) CA: pathlen:0 means it may issue end-entity
# certificates only, never further CAs. Select with `-extensions int_ca_ext`.
[ int_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# CRL extensions exist solely to point to the CA certificate that has issued
# the CRL (keyid:always binds it to the issuer's subjectKeyIdentifier).
[ crl_ext ]
authorityKeyIdentifier = keyid:always