fix bug where ca certs were only valid for some days. now its 10 years.
[somenet/certgen.git] / openssl.cnf
#
# OpenSSL example configuration file.

# Default-section fallback: this value is used when ${ENV::HOME} is
# expanded and the HOME environment variable is not set.
HOME = .
# File the OpenSSL tools use to seed and save random-number state.
RANDFILE = $ENV::HOME/.rnd
6
####################################################################
[ ca ]
# Names the section that `openssl ca` loads its settings from.
default_ca = CA_default
10
[ CA_default ]
# --- Validity and hashing -------------------------------------------
# Lifetime, in days, of certificates signed through this section.
default_days = 365
# Days until the next CRL is due. Relying parties may treat a CRL as
# current for this whole period, so a revocation can take that long to
# become visible to clients that cache the CRL.
default_crl_days = 365
# Digest used when signing; pinned to SHA-512 here.
default_md = sha512
# no: subject DN fields follow the order of the policy section rather
# than the order found in the request.
preserve = no

# --- Subject and extension handling ---------------------------------
# yes: the emailAddress field is kept in the certificate's subject DN.
email_in_dn = yes
# Copies every extension from the CSR into the certificate; this is how
# SANs from the request end up in the issued certificate.
# NOTE(review): copyall also carries over requester-chosen
# basicConstraints and keyUsage, and [ ca_extensions ] does not pin
# either of them. Unless every CSR is inspected before signing, a
# request that asks for CA:TRUE is issued as a CA certificate. If only
# SANs are needed, `copy` together with an explicit
# `basicConstraints = CA:FALSE` in the extension section is the safer
# combination. Confirm against how CA requests are signed before
# changing it.
copy_extensions = copyall
# Display formats for the subject name and the certificate fields shown
# when `openssl ca` asks for confirmation before signing.
name_opt = ca_default
cert_opt = ca_default

# --- CA working directory -------------------------------------------
# Taken from the CA_PATH environment variable. No fallback value is
# defined in this file, so CA_PATH has to be set by the caller.
dir = ${ENV::CA_PATH}
# Directory that receives a copy of each issued certificate.
new_certs_dir = $dir/certs
# Text database of issued certificates.
database = $dir/index.txt
# File holding the next serial number.
serial = $dir/serial
# The CA certificate.
# NOTE(review): no private_key is set in this section; presumably the
# CA key is passed on the command line (-keyfile). Confirm.
certificate = $dir/ca.crt

# --- Issuance rules -------------------------------------------------
# Section with the extensions the CA adds to certificates it signs.
x509_extensions = ca_extensions
# Section with the subject DN policy applied to requests.
policy = ca_match
# no: several valid certificates may share the same subject.
unique_subject = no
31
[ ca_extensions ]
# Extensions the CA adds by default (x509_extensions in [ CA_default ]):
# only the location where the CRL can be downloaded.
# NOTE(review): basicConstraints and keyUsage are not set here, so with
# copy_extensions = copyall in [ CA_default ] they are whatever the CSR
# carries. Confirm that this is intended.
crlDistributionPoints = URI:http://www.somenet.org/somenet.crl
34
[ ca_match ]
# Subject DN policy applied to each request before it is signed.
#   match    - must equal the value in the CA certificate
#   supplied - must be present in the request
#   optional - may be present
# With preserve = no in [ CA_default ], the field order below is also
# the DN order of the issued certificate, so keep it stable.
organizationName = match
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
43
####################################################################
[ req ]
# Size, in bits, of newly generated keys.
default_bits = 4096
# Section that defines the subject DN fields and their prompts.
distinguished_name = req_distinguished_name
# Encode string fields as UTF8String only.
string_mask = utf8only
# Digest used to sign requests and self-signed certificates.
default_md = sha512
# Extension section used when `openssl req -x509` creates a self-signed
# certificate.
x509_extensions = v3_ca
# Extension section added to certificate requests.
req_extensions = v3_req
52
####################################################################
[ req_distinguished_name ]
# Subject DN fields for requests. For each field: the bare name is the
# prompt text, `_default` the value offered when nothing is entered and
# `_max` the maximum accepted length.
0.organizationName = Organization Name (eg, company)
0.organizationName_default = somenet.org

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = CertGen

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64
66
####################################################################
[ v3_req ]
# Extensions placed in certificate requests (req_extensions in [ req ]).
# The requested certificate is an end-entity certificate, not a CA.
basicConstraints = CA:FALSE
# Key uses asked for in the request.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# SAN entries are read from the [alt_names] section at the end of this
# file.
subjectAltName = @alt_names
72
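####################################################################
[ v3_ca ]
# Extensions for the self-signed CA certificate created with
# `openssl req -x509` (x509_extensions in [ req ]).
# subjectKeyIdentifier has to stay ahead of authorityKeyIdentifier: for
# a self-signed certificate the authority key id is taken from it.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# Marked critical: RFC 5280 requires CA certificates to carry
# basicConstraints as a critical extension, so a validator can never
# skip the CA flag as an unrecognised extension.
# NOTE(review): no keyUsage is set for the CA certificate;
# `keyUsage = critical, keyCertSign, cRLSign` would limit the key to
# signing certificates and CRLs. Confirm before adding.
basicConstraints = critical, CA:true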
78
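####################################################################
[ v3_ca_req ]
# Extensions for a request that asks for a CA certificate.
# NOTE(review): nothing in this file references this section;
# presumably the calling script selects it (e.g. with -reqexts).
# Confirm.
# Marked critical: RFC 5280 requires CA certificates to carry
# basicConstraints as a critical extension.
# NOTE(review): no pathlen is given, so a CA issued from this request
# may itself issue further CAs; add `pathlen:0` if that is not intended.
basicConstraints = critical, CA:true
# Limits the key to signing certificates and CRLs.
keyUsage = keyCertSign, cRLSign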
83
####################################################################

# [alt_names] MUST BE THE LAST LINE OF THIS FILE.
# NOTE(review): the section is empty here; presumably the calling
# script appends the SAN entries after this header. Confirm.
[alt_names]
88