Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| # Simple Root CA | |
| # The [default] section contains global constants that can be referred to from | |
| # the entire configuration file. It may also hold settings pertaining to more | |
| # than one openssl command. | |
| [ default ] | |
| ca = root-ca # CA name | |
| dir = . # Top dir | |
| # The next part of the configuration file is used by the openssl req command. | |
| # It defines the CA's key pair, its DN, and the desired extensions for the CA | |
| # certificate. | |
| [ req ] | |
| default_bits = 2048 # RSA key size | |
| encrypt_key = yes # Protect private key | |
| default_md = sha1 # MD to use | |
| utf8 = yes # Input is UTF-8 | |
| string_mask = utf8only # Emit UTF-8 strings | |
| prompt = no # Don't prompt for DN | |
| distinguished_name = ca_dn # DN section | |
| req_extensions = ca_reqext # Desired extensions | |
| [ ca_dn ] | |
| 0.domainComponent = "me" | |
| 1.domainComponent = "nmz" | |
| organizationName = "NMZ" | |
| organizationalUnitName = "NMZ PKI" | |
| commonName = "NMZ Root CA" | |
| [ ca_reqext ] | |
| keyUsage = critical,keyCertSign,cRLSign | |
| basicConstraints = critical,CA:true | |
| subjectKeyIdentifier = hash | |
| # The remainder of the configuration file is used by the openssl ca command. | |
| # The CA section defines the locations of CA assets, as well as the policies | |
| # applying to the CA. | |
| [ ca ] | |
| default_ca = root-ca # The default CA section | |
| [ root-ca ] | |
| certificate = $dir/$ca/certs/$ca.crt # The CA cert | |
| private_key = $dir/$ca/private/$ca.key.pem # CA private key | |
| new_certs_dir = $dir/$ca/certs # Certificate archive | |
| serial = $dir/$ca/db/$ca.crt.srl # Serial number file | |
| crlnumber = $dir/$ca/db/$ca.crl.srl # CRL number file | |
| database = $dir/$ca/db/$ca.db # Index file | |
| unique_subject = no # Require unique subject | |
| default_days = 3652 # How long to certify for | |
| default_md = sha1 # MD to use | |
| policy = match_pol # Default naming policy | |
| email_in_dn = no # Add email to cert DN | |
| preserve = no # Keep passed DN ordering | |
| name_opt = ca_default # Subject DN display options | |
| cert_opt = ca_default # Certificate display options | |
| copy_extensions = none # Copy extensions from CSR | |
| x509_extensions = signing_ca_ext # Default cert extensions | |
| default_crl_days = 365 # How long before next CRL | |
| crl_extensions = crl_ext # CRL extensions | |
| # Naming policies control which parts of a DN end up in the certificate and | |
| # under what circumstances certification should be denied. | |
| [ match_pol ] | |
| domainComponent = match # Must match 'simple.org' | |
| organizationName = match # Must match 'Simple Inc' | |
| organizationalUnitName = optional # Included if present | |
| commonName = supplied # Must be present | |
| [ any_pol ] | |
| domainComponent = optional | |
| countryName = optional | |
| stateOrProvinceName = optional | |
| localityName = optional | |
| organizationName = optional | |
| organizationalUnitName = optional | |
| commonName = optional | |
| emailAddress = optional | |
| # Certificate extensions define what types of certificates the CA is able to | |
| # create. | |
| [ root_ca_ext ] | |
| keyUsage = critical,keyCertSign,cRLSign | |
| basicConstraints = critical,CA:true | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid:always | |
| [ int_ca_ext ] | |
| keyUsage = critical,keyCertSign,cRLSign | |
| basicConstraints = critical,CA:true,pathlen:0 | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid:always | |
| # CRL extensions exist solely to point to the CA certificate that has issued | |
| # the CRL. | |
| [ crl_ext ] | |
| authorityKeyIdentifier = keyid:always | |