# [ v3_ca ]

# Extensions for a typical CA.
#
# The section header above is commented out and these keys come before any
# live [ section ] header, so OpenSSL's config parser files them under the
# unnamed default section. Nothing on this page shows what reads them there.

# PKIX recommendation.

subjectKeyIdentifier = hash
# keyid:always makes certificate generation fail if the issuer's key
# identifier cannot be obtained, instead of silently omitting it.
authorityKeyIdentifier = keyid:always
# CA:true with no pathlen value places no limit on the depth of subordinate
# CAs beneath this certificate. A CA meant to sign only end-entity
# certificates would add pathlen:0.
basicConstraints = critical,CA:true
# Restricts the key to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign

#
# OpenSSL example configuration file for automated certificate creation.
#

# Fallback values for the $ENV:: expansions used below: when HOME or CN is
# missing from the environment, the lookup falls back to these entries
# instead of aborting the parse. They have to stay above the lines that
# expand them.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# With CN unset, a certificate is still produced, with the subject
# commonName "Not Defined". Calling scripts should check that CN is set
# rather than rely on an error.
CN = "Not Defined"
# NOTE(review): no [ ca ] section is visible on this page; confirm where the
# section named here is defined before using the 'ca' command with this file.
default_ca = ca

####################################################################
[ req ]
# Key size in bits for newly generated keys.
default_bits = 2048
# Relative path: the private key is written to the working directory of the
# command. Keep that directory access-restricted and out of version control.
default_keyfile = privkey.pem
# Do not prompt for subject fields; take them as written from the
# distinguished_name section.
prompt = no
distinguished_name = req_distinguished_name
# Extensions added to the self-signed certificate. The section named here
# sets CA:true, so a self-signed certificate made from this file is a CA
# certificate.
x509_extensions = v3_ca
string_mask = utf8only

# Extensions to add to a certificate request (disabled; no v3_req section
# is visible on this page).
# req_extensions = v3_req

[ req_distinguished_name ]
# NOTE(review): the ISO 3166 two-letter code for the United Kingdom is GB;
# the example value is left as written.
countryName = UK

organizationName = OpenSSL Group
# The commonName comes from the CN environment variable so that a script can
# supply it. The value is used verbatim, so whatever controls the script's
# environment controls the certificate subject.
commonName = $ENV::CN

[ usr_cert ]

# Extensions applied when 'ca' signs a request for an end-entity
# certificate.

# Critical CA:FALSE: the certificate must not be accepted as an issuer.
basicConstraints = critical, CA:FALSE
# No extendedKeyUsage is set in this section, so the certificate is not tied
# to a single purpose such as TLS server or client authentication.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations; harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ dh_cert ]

# Extensions applied when 'ca' signs a request for an end-entity DH
# certificate.

# Critical CA:FALSE: the certificate must not be accepted as an issuer.
basicConstraints = critical, CA:FALSE
# Key agreement only; signing and encipherment usages are not granted.
keyUsage = critical, keyAgreement

# PKIX recommendations; harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_ca ]

# Extensions for a typical CA. The [ req ] section names this section in
# x509_extensions, so these apply to the self-signed certificate.

# PKIX recommendation.

subjectKeyIdentifier = hash
# keyid:always makes certificate generation fail if the issuer's key
# identifier cannot be obtained, instead of silently omitting it.
authorityKeyIdentifier = keyid:always
# CA:true with no pathlen value places no limit on the depth of subordinate
# CAs beneath this certificate. A CA meant to sign only end-entity
# certificates would add pathlen:0.
basicConstraints = critical,CA:true
# Restricts the key to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign