|  | # | 
|  | # OpenSSL example configuration file for automated certificate creation. | 
|  | # | 
|  |  | 
|  | # This definition stops the following lines choking if HOME or CN | 
|  | # is undefined. | 
|  | HOME			= . | 
|  | RANDFILE		= $ENV::HOME/.rnd | 
|  | CN			= "Not Defined" | 
|  | default_ca		= ca | 
|  |  | 
|  | #################################################################### | 
|  | [ req ] | 
|  | default_bits		= 2048 | 
|  | default_keyfile 	= privkey.pem | 
|  | # Don't prompt for fields: use those in section directly | 
|  | prompt			= no | 
|  | distinguished_name	= req_distinguished_name | 
|  | x509_extensions	= v3_ca	# The extensions to add to the self signed cert | 
|  | string_mask = utf8only | 
|  |  | 
|  | # req_extensions = v3_req # The extensions to add to a certificate request | 
|  |  | 
|  | [ req_distinguished_name ] | 
|  | countryName			= UK | 
|  |  | 
|  | organizationName		= OpenSSL Group | 
|  | # Take CN from environment so it can come from a script. | 
|  | commonName			= $ENV::CN | 
|  |  | 
|  | [ usr_cert ] | 
|  |  | 
|  | # These extensions are added when 'ca' signs a request for an end entity | 
|  | # certificate | 
|  |  | 
|  | basicConstraints=critical, CA:FALSE | 
|  | keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment | 
|  |  | 
|  | # PKIX recommendations harmless if included in all certificates. | 
|  | subjectKeyIdentifier=hash | 
|  | authorityKeyIdentifier=keyid | 
|  |  | 
|  | [ dh_cert ] | 
|  |  | 
|  | # These extensions are added when 'ca' signs a request for an end entity | 
|  | # DH certificate | 
|  |  | 
|  | basicConstraints=critical, CA:FALSE | 
|  | keyUsage=critical, keyAgreement | 
|  |  | 
|  | # PKIX recommendations harmless if included in all certificates. | 
|  | subjectKeyIdentifier=hash | 
|  | authorityKeyIdentifier=keyid | 
|  |  | 
|  | [ v3_ca ] | 
|  |  | 
|  |  | 
|  | # Extensions for a typical CA | 
|  |  | 
|  | # PKIX recommendation. | 
|  |  | 
|  | subjectKeyIdentifier=hash | 
|  | authorityKeyIdentifier=keyid:always | 
|  | basicConstraints = critical,CA:true | 
|  | keyUsage = critical, cRLSign, keyCertSign | 
|  |  |