root-ca.conf

# Simple Root CA

# The [default] section contains global constants that can be referred to from
# the entire configuration file. It may also hold settings pertaining to more
# than one openssl command.

[ default ]
ca                      = root-ca               # CA name
dir                     = .                     # Top dir

# The next part of the configuration file is used by the openssl req command.
# It defines the CA's key pair, its DN, and the desired extensions for the CA
# certificate.

[ req ]
default_bits            = 2048                  # RSA key size
encrypt_key             = yes                   # Protect private key
default_md              = sha1                  # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = no                    # Don't prompt for DN
distinguished_name      = ca_dn                 # DN section
req_extensions          = ca_reqext             # Desired extensions

[ ca_dn ]
0.domainComponent       = "me"
1.domainComponent       = "nmz"
organizationName        = "NMZ"
organizationalUnitName  = "NMZ PKI"
commonName              = "NMZ Root CA"

[ ca_reqext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true
subjectKeyIdentifier    = hash

# The remainder of the configuration file is used by the openssl ca command.
# The CA section defines the locations of CA assets, as well as the policies
# applying to the CA.

[ ca ]
default_ca              = root-ca               # The default CA section

[ root-ca ]
certificate             = $dir/$ca/certs/$ca.crt       # The CA cert
private_key             = $dir/$ca/private/$ca.key.pem # CA private key
new_certs_dir           = $dir/$ca/certs           # Certificate archive
serial                  = $dir/$ca/db/$ca.crt.srl # Serial number file
crlnumber               = $dir/$ca/db/$ca.crl.srl # CRL number file
database                = $dir/$ca/db/$ca.db # Index file
unique_subject          = no                    # Require unique subject
default_days            = 3652                  # How long to certify for
default_md              = sha1                  # MD to use
policy                  = match_pol             # Default naming policy
email_in_dn             = no                    # Add email to cert DN
preserve                = no                    # Keep passed DN ordering
name_opt                = ca_default            # Subject DN display options
cert_opt                = ca_default            # Certificate display options
copy_extensions         = none                  # Copy extensions from CSR
x509_extensions         = signing_ca_ext        # Default cert extensions
default_crl_days        = 365                   # How long before next CRL
crl_extensions          = crl_ext               # CRL extensions

# Naming policies control which parts of a DN end up in the certificate and
# under what circumstances certification should be denied.

[ match_pol ]
domainComponent         = match                 # Must match 'simple.org'
organizationName        = match                 # Must match 'Simple Inc'
organizationalUnitName  = optional              # Included if present
commonName              = supplied              # Must be present

[ any_pol ]
domainComponent         = optional
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

# Certificate extensions define what types of certificates the CA is able to
# create.

[ root_ca_ext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

[ int_ca_ext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true,pathlen:0
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

# CRL extensions exist solely to point to the CA certificate that has issued
# the CRL.

[ crl_ext ]
authorityKeyIdentifier  = keyid:always
	# Simple Root CA

	# The [default] section contains global constants that can be referred to from
	# the entire configuration file. It may also hold settings pertaining to more
	# than one openssl command.

	[ default ]
	ca = root-ca # CA name
	dir = . # Top dir

	# The next part of the configuration file is used by the openssl req command.
	# It defines the CA's key pair, its DN, and the desired extensions for the CA
	# certificate.

	[ req ]
	default_bits = 2048 # RSA key size
	encrypt_key = yes # Protect private key
	default_md = sha1 # MD to use
	utf8 = yes # Input is UTF-8
	string_mask = utf8only # Emit UTF-8 strings
	prompt = no # Don't prompt for DN
	distinguished_name = ca_dn # DN section
	req_extensions = ca_reqext # Desired extensions

	[ ca_dn ]
	0.domainComponent = "me"
	1.domainComponent = "nmz"
	organizationName = "NMZ"
	organizationalUnitName = "NMZ PKI"
	commonName = "NMZ Root CA"

	[ ca_reqext ]
	keyUsage = critical,keyCertSign,cRLSign
	basicConstraints = critical,CA:true
	subjectKeyIdentifier = hash

	# The remainder of the configuration file is used by the openssl ca command.
	# The CA section defines the locations of CA assets, as well as the policies
	# applying to the CA.

	[ ca ]
	default_ca = root-ca # The default CA section

	[ root-ca ]
	certificate = $dir/$ca/certs/$ca.crt # The CA cert
	private_key = $dir/$ca/private/$ca.key.pem # CA private key
	new_certs_dir = $dir/$ca/certs # Certificate archive
	serial = $dir/$ca/db/$ca.crt.srl # Serial number file
	crlnumber = $dir/$ca/db/$ca.crl.srl # CRL number file
	database = $dir/$ca/db/$ca.db # Index file
	unique_subject = no # Require unique subject
	default_days = 3652 # How long to certify for
	default_md = sha1 # MD to use
	policy = match_pol # Default naming policy
	email_in_dn = no # Add email to cert DN
	preserve = no # Keep passed DN ordering
	name_opt = ca_default # Subject DN display options
	cert_opt = ca_default # Certificate display options
	copy_extensions = none # Copy extensions from CSR
	x509_extensions = signing_ca_ext # Default cert extensions
	default_crl_days = 365 # How long before next CRL
	crl_extensions = crl_ext # CRL extensions

	# Naming policies control which parts of a DN end up in the certificate and
	# under what circumstances certification should be denied.

	[ match_pol ]
	domainComponent = match # Must match 'simple.org'
	organizationName = match # Must match 'Simple Inc'
	organizationalUnitName = optional # Included if present
	commonName = supplied # Must be present

	[ any_pol ]
	domainComponent = optional
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = optional
	emailAddress = optional

	# Certificate extensions define what types of certificates the CA is able to
	# create.

	[ root_ca_ext ]
	keyUsage = critical,keyCertSign,cRLSign
	basicConstraints = critical,CA:true
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always

	[ int_ca_ext ]
	keyUsage = critical,keyCertSign,cRLSign
	basicConstraints = critical,CA:true,pathlen:0
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always

	# CRL extensions exist solely to point to the CA certificate that has issued
	# the CRL.

	[ crl_ext ]
	authorityKeyIdentifier = keyid:always