Support creating a CA and using a previously generated CA to sign new certs.
#
# OpenSSL configuration for tools/certgen: creating a CA, generating CSRs and
# signing CSRs with an existing CA.
#

# Fallback for $ENV::HOME below: OpenSSL resolves ENV:: names from the real
# environment first and from this default section when the variable is unset.
HOME = .
RANDFILE = $ENV::HOME/.rnd

####################################################################
# `openssl ca` reads its defaults from the section named here.
[ ca ]
default_ca = CA_default

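[ CA_default ]
# Lifetime in days of certificates issued by `openssl ca` when -days is not given.
default_days            = 365
# Days until the next CRL is due.
default_crl_days        = 365
# Digest used when signing certificates and CRLs.
default_md              = sha512
# "no": the subject DN is rebuilt in the order of the policy section below
# instead of keeping the order found in the request.
preserve                = no

# Extension section applied to every issued certificate.
# NOTE(review): no [ca_extensions] section exists in this file, so `openssl ca`
# fails to load the extensions unless the caller overrides this with
# -extensions <section>.
x509_extensions         = ca_extensions

# Allow several valid certificates with the same subject (e.g. reissue before expiry).
unique_subject          = no
# Do not concatenate the email address into the DN.
email_in_dn             = no
# Copy subjectAltName (and other extensions) from the CSR into the certificate.
# "copy" only adds extensions that the CA's extension section does not already
# set, so basicConstraints/keyUsage stay under the CA's control. "copyall" lets
# the CSR replace them and can hand out CA:TRUE (see WARNINGS in `man ca`).
copy_extensions         = copy

# CA state directory. ${ENV::CA_PATH} has no fallback in this file, so loading
# this configuration fails unless CA_PATH is exported.
dir                     = ${ENV::CA_PATH}
new_certs_dir           = $dir/certs
# index.txt and serial are expected to exist before the first signing run.
database                = $dir/index.txt
serial                  = $dir/serial
certificate             = $dir/ca.crt
# No private_key is set here; the CA key has to be supplied with -keyfile.

# Subject DN policy, see [ policy_match ].
policy                  = policy_match
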
# Subject DN policy enforced by `openssl ca`: "match" must equal the CA
# certificate's own value, "supplied" must be present in the CSR,
# "optional" may be absent.
[ policy_match ]
organizationName        = match
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
# Defaults for `openssl req` (key generation, CSRs and self-signed certificates).
[ req ]
# Key size used by -newkey when no explicit size is given.
default_bits = 4096
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only.
string_mask = utf8only
default_md = sha512
# Extensions for self-signed certificates (-x509), i.e. a new root CA.
x509_extensions = v3_ca
# Extensions placed into certificate signing requests.
req_extensions = v3_req

####################################################################
# Interactive DN prompts for `openssl req`; *_default pre-fills a field and
# *_max bounds the accepted input length.
[ req_distinguished_name ]
0.organizationName = Organization Name (eg, company)
0.organizationName_default = somenet.org

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = CertGen

commonName = Common Name (e.g. server FQDN or YOUR name)
# ub-common-name from RFC 5280.
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

####################################################################
# Extensions placed into CSRs (referenced from [ req ] req_extensions).
[ v3_req ]
# End-entity certificate: must never be usable as an issuer.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Subject alternative names come from [alt_names] at the end of this file.
subjectAltName = @alt_names

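####################################################################
# Extensions for a self-signed root CA created with `openssl req -x509`
# (referenced from [ req ] x509_extensions).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# RFC 5280 requires basicConstraints to be critical in CA certificates.
basicConstraints = critical, CA:true
# Restrict the CA key to signing certificates and CRLs, matching [ v3_ca_req ].
keyUsage = critical, keyCertSign, cRLSign
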
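####################################################################
# CA extension profile. Not referenced elsewhere in this file; presumably
# selected by the caller with -extensions. NOTE(review): it carries no
# subjectKeyIdentifier/authorityKeyIdentifier, so a CA certificate issued
# directly from this section would lack both -- confirm against the caller.
[ v3_ca_req ]
# Both extensions are critical as RFC 5280 requires for CA certificates.
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
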
####################################################################

# ALT_NAMES MUST BE THE LAST LINE.
# subjectAltName in [ v3_req ] reads this section; its entries (DNS.n = ...,
# IP.n = ...) are presumably appended by the caller, which is why nothing may
# follow this header.
[alt_names]
