ca.cnf 2.0 KB

  #
  # OpenSSL example configuration for scripted (non-interactive) certificate
  # creation.
  #
  # The assignments below sit in the unnamed default section. HOME and CN are
  # fallbacks, so later references to them do not fail when no value has been
  # supplied from outside.
  # NOTE(review): if the calling script does not set CN, certificates are
  # issued with the placeholder common name "Not Defined" instead of failing;
  # callers should set CN explicitly and check the resulting subject.
  #
  # default_ca names the section that holds the CA settings ([ca] below).
  default_ca = ca
  CN = "Not Defined"
  HOME = .
  ####################################################################
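  # Defaults used when generating a key and a request / self-signed certificate.
  [ req ]
  # RSA modulus size for newly generated keys. 2048 bits is the practical
  # minimum today; the previous value of 1024 is no longer considered
  # adequate and is rejected by many current TLS stacks and policies.
  default_bits = 2048
  # File the new private key is written to (relative to the working directory).
  # NOTE(review): whether the key is passphrase-protected depends on how the
  # command is invoked, which is not visible here; restrict access to this file.
  default_keyfile = privkey.pem
  # Don't prompt for fields: take the values in the distinguished_name
  # section as-is.
  prompt = no
  distinguished_name = req_distinguished_name
  # Extensions to add to the self-signed certificate.
  x509_extensions = v3_ca
  # Encode string fields as UTF8String only.
  string_mask = utf8only
  # Extensions to add to a certificate request (disabled).
  # req_extensions = v3_req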
  # Subject name used because prompt = no in [ req ]. Keep the field order:
  # it is the order of the attributes in the resulting subject.
  [ req_distinguished_name ]
  # NOTE(review): the ISO 3166-1 alpha-2 code for the United Kingdom is GB;
  # UK is the value this example ships with.
  countryName = UK
  organizationName = OpenSSL Group
  # The common name is read from the CN environment variable so that a script
  # can supply it per certificate.
  commonName = $ENV::CN
  # Extension set applied when 'ca' signs a request for an end-entity
  # certificate.
  [ usr_cert ]
  # Critical CA:FALSE: the certificate must not be accepted as an issuer.
  basicConstraints = critical, CA:FALSE
  # NOTE(review): signature bits and keyEncipherment are combined, so one key
  # serves both signing and encryption; split the profile if that is not wanted.
  keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
  # PKIX-recommended identifiers; harmless in any certificate.
  subjectKeyIdentifier = hash
  # Copies the issuer's key identifier when it has one; without ":always" a
  # missing identifier is not treated as an error.
  authorityKeyIdentifier = keyid
  # Extension set for an OCSP responder certificate.
  [ ocsp_cert ]
  basicConstraints = critical, CA:FALSE
  # NOTE(review): same key usage bits as [ usr_cert ]; a responder that only
  # signs OCSP responses presumably needs digitalSignature alone - confirm
  # before narrowing.
  keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
  # PKIX-recommended identifiers; harmless in any certificate.
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid
  # Marks the certificate as authorised to sign OCSP responses.
  # NOTE(review): no noCheck (id-pkix-ocsp-nocheck) extension is set in this
  # section, so relying parties may try to check the responder certificate's
  # own revocation status; decide deliberately whether that is intended.
  extendedKeyUsage = OCSPSigning
  # Extension set applied when 'ca' signs a request for an end-entity
  # DH certificate.
  [ dh_cert ]
  basicConstraints = critical, CA:FALSE
  # Key agreement only: no signature or encipherment bits are granted.
  keyUsage = critical, keyAgreement
  # PKIX-recommended identifiers; harmless in any certificate.
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid
  # Extension set for a typical CA certificate; [ req ] references it through
  # x509_extensions for the self-signed certificate.
  [ v3_ca ]
  # PKIX recommendation. Keep subjectKeyIdentifier ahead of
  # authorityKeyIdentifier: with "keyid:always" the authority identifier must
  # be obtainable or certificate creation fails.
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always
  # Critical CA:true with no pathlen value, so the depth of subordinate CAs
  # below this certificate is not limited by this extension.
  basicConstraints = critical, CA:true
  # The CA key may sign certificates and CRLs only.
  keyUsage = critical, cRLSign, keyCertSign
  55. # Minimal CA entry to allow generation of CRLs.
  56. [ca]
  57. database=index.txt
  58. crlnumber=crlnum.txt