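#
# OpenSSL example configuration file for automated certificate creation.
#

# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
# Points the 'ca' command at the [ca] section at the end of this file.
default_ca = ca

####################################################################
[ req ]
# RSA key size used when 'req' generates a key and no size is given on the
# command line. 2048 bits is the practical minimum for RSA: 1024-bit keys
# are rejected at OpenSSL security level 2 and above.
default_bits = 2048
default_keyfile = privkey.pem
# NOTE(review): no default_md is set in this section, so the signing digest
# comes from the command line or the library default. Pin it here
# (e.g. default_md = sha256) if the output must not depend on the OpenSSL
# version in use.
# Don't prompt for fields: use those in section directly
prompt = no
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert
x509_extensions = v3_ca
# Encode subject strings as UTF8String only.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
# NOTE(review): "UK" is not the ISO 3166-1 alpha-2 code for the United
# Kingdom (that is GB); left unchanged so existing subject names still match.
countryName = UK

organizationName = OpenSSL Group
# Take CN from environment so it can come from a script.
commonName = $ENV::CN

[ usr_cert ]

# These extensions are added when 'ca' signs a request for an end entity
# certificate

# CA:FALSE and a critical keyUsage keep an end-entity key from being
# accepted as a certificate or CRL signer.
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

# OCSP responder certificate
[ ocsp_cert ]

basicConstraints = critical, CA:FALSE
# NOTE(review): an OCSP responder only signs responses, so digitalSignature
# alone would be sufficient; nonRepudiation and keyEncipherment are broader
# than the role needs. Confirm before narrowing.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# Restricts the certificate to signing OCSP responses.
extendedKeyUsage = OCSPSigning

[ dh_cert ]

# These extensions are added when 'ca' signs a request for an end entity
# DH certificate

basicConstraints = critical, CA:FALSE
# A DH key is used for key agreement only; it cannot sign.
keyUsage = critical, keyAgreement

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# NOTE(review): no pathlen is given, so this CA places no limit on the
# number of subordinate CAs below it. Add pathlen:N to basicConstraints
# if the hierarchy depth is known.
basicConstraints = critical,CA:true
# Limits the CA key to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign

# Minimal CA entry to allow generation of CRLs.
[ca]
# Both paths are relative to the directory 'openssl ca' is run from.
database = index.txt
crlnumber = crlnum.txt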