Add CRL-URL into openssl.cnf
#
# OpenSSL example configuration file.
#
# Default (unnamed) section: values here are visible from every other section.

# Fallback used by $ENV::HOME below when HOME is not set in the environment.
HOME = .
# Seed file for the random number generator.
RANDFILE = $ENV::HOME/.rnd

####################################################################
# Settings for `openssl ca`.
[ ca ]
# Section that holds the CA settings when none is named on the command line.
default_ca = CA_default

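[ CA_default ]
# Validity of issued certificates, in days.
default_days = 365
# Days until the next CRL is due (written to the CRL's nextUpdate field).
# Relying parties may keep using a cached CRL until then, so with 365 a
# revocation can take up to a year to be noticed unless CRLs are re-issued
# and fetched earlier.
default_crl_days = 365
# Digest used when signing certificates and CRLs.
default_md = sha512
# no = subject DN fields follow the order of the policy section rather than
# the order given in the request.
preserve = no

# no = several valid certificates may carry the same subject.
unique_subject = no
# Don't concat the email in the DN.
email_in_dn = no
# Required to copy SANs from CSR to cert.
# "copy" instead of "copyall": extensions from the request are added only when
# the x509_extensions section below has not already set them, so a request can
# no longer replace the CA-chosen crlDistributionPoints.
# Everything else in the request is still copied as-is, including
# basicConstraints and keyUsage: a CSR asking for CA:TRUE results in a CA
# certificate. Inspect each request before signing it.
copy_extensions = copy

# CA working directory; the CA_PATH environment variable must be set.
# No private_key is configured here - NOTE(review): presumably the signing key
# is passed on the command line; confirm against the calling scripts.
dir = ${ENV::CA_PATH}
new_certs_dir = $dir/certs
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt

# Extensions added to every issued certificate, and the subject-name policy.
x509_extensions = ca_extensions
policy = ca_match
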
# Extensions the CA itself writes into each certificate it signs
# (referenced by x509_extensions in [ CA_default ]).
[ ca_extensions ]
# Where relying parties fetch the revocation list. The CRL is signed by the
# CA, so its integrity does not depend on the transport.
crlDistributionPoints = URI:http://www.somenet.org/somenet.crl

# Subject-name policy applied to requests before signing.
#   match    - value must equal the same field in the CA certificate
#   supplied - field must be present in the request
#   optional - field may be present
# The order of the entries is also the DN order of the issued certificate
# (preserve = no), so keep it as is.
[ ca_match ]
organizationName = match
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
# Settings for `openssl req` (key and request generation).
[ req ]
# RSA key size in bits for newly generated keys.
default_bits = 4096
# Section describing the subject DN prompts.
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only.
string_mask = utf8only
# Digest used to sign the request.
default_md = sha512
# Extensions for self-signed certificates (req -x509).
x509_extensions = v3_ca
# Extensions placed into certificate requests.
req_extensions = v3_req

####################################################################
# Subject DN fields asked for by `openssl req`: prompt text, optional
# default (_default) and maximum length (_max).
[ req_distinguished_name ]
0.organizationName = Organization Name (eg, company)
0.organizationName_default = somenet.org

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = CertGen

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

####################################################################
# Extensions written into end-entity certificate requests
# (req_extensions in [ req ]).
[ v3_req ]
# The requested certificate is not a CA.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# SAN entries are read from the [alt_names] section at the end of the file.
subjectAltName = @alt_names

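####################################################################
# Extensions for self-signed certificates created with `openssl req -x509`
# (x509_extensions in [ req ]).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# RFC 5280 requires basicConstraints to be marked critical in CA certificates.
# NOTE(review): no keyUsage is set for this certificate; consider
# restricting it to keyCertSign and cRLSign as [ v3_ca_req ] does.
basicConstraints = critical, CA:true
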
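####################################################################
# Extensions for a request that asks for a CA certificate.
# NOTE(review): not referenced by name in this file; presumably selected on
# the command line by the calling scripts - confirm.
[ v3_ca_req ]
# RFC 5280 requires basicConstraints to be marked critical in CA certificates;
# the flag travels with the extension when the CA copies it from the request.
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
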
####################################################################

# ALT_NAMES MUST BE THE LAST LINE.
# NOTE(review): presumably the certgen scripts append the subjectAltName
# entries directly below this header - confirm before adding anything after it.
[alt_names]