ca.cnf 2.1 KB

  #
  # OpenSSL configuration for scripted (non-interactive) certificate creation.
  #
  # With config_diagnostics enabled, configuration errors are reported rather
  # than ignored. Comment the setting out to ignore them.
  config_diagnostics = 1
  # Fallback definitions: later references to HOME or CN still expand when the
  # variable is otherwise undefined.
  HOME = .
  CN = "Not Defined"
  # Section name the 'ca' command uses as its default CA.
  # NOTE(review): the referenced section is expected elsewhere in this file - confirm.
  default_ca = ca
  ####################################################################
  [req]
  # Key size in bits for newly generated keys.
  # NOTE(review): 2048-bit RSA is a common minimum; consider a larger size for
  # a long-lived CA key.
  default_bits = 2048
  # File a newly generated private key is written to by default.
  # NOTE(review): keep this file out of shared or world-readable directories.
  default_keyfile = privkey.pem
  # Non-interactive mode: subject fields are taken directly from the
  # distinguished_name section instead of being prompted for.
  prompt = no
  distinguished_name = req_distinguished_name
  # Extension section added to self-signed certificates.
  x509_extensions = v3_ca
  string_mask = utf8only
  # No default_md is set in this section, so the signing digest comes from the
  # OpenSSL default or the command line.
  # Extension section for certificate requests (disabled).
  # req_extensions = v3_req
  [req_distinguished_name]
  # NOTE(review): the ISO 3166-1 alpha-2 code for the United Kingdom is GB;
  # confirm that UK is intended.
  countryName = UK
  organizationName = OpenSSL Group
  # The common name is read from the CN environment variable so that a calling
  # script can supply it. Whoever controls that environment chooses the subject
  # name, and the file-level CN fallback ("Not Defined") is used when the
  # variable is unset, so scripts should check that CN is set before signing.
  commonName = $ENV::CN
  [usr_rsa_cert]
  # Extension set used when 'ca' signs a request for an ordinary end-entity
  # certificate; key usage is restricted to what is compatible with RSA keys.
  # CA:FALSE marks the subject as not being a certificate authority.
  basicConstraints = CA:FALSE
  # No extendedKeyUsage is set here, so purpose is limited by keyUsage alone.
  keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
  # Subject and authority key identifiers are by now added to all certificates
  # by default, so the explicit settings below remain disabled.
  # See doc/man5/x509v3_config.pod for details.
  # subjectKeyIdentifier = hash
  # authorityKeyIdentifier = keyid, issuer
  [signer_cert]
  # End-entity extension set limited to digital signatures.
  # CA:FALSE marks the subject as not being a certificate authority.
  basicConstraints = CA:FALSE
  keyUsage = critical, digitalSignature
  [dh_cert]
  # Extension set used when 'ca' signs a request for an end-entity DH
  # certificate; key agreement is the only usage that makes sense for it.
  basicConstraints = CA:FALSE
  keyUsage = critical, keyAgreement
  [codesign_cert]
  # Extension set used when 'ca' signs a request for a code-signing end-entity
  # certificate; compatible with both RSA and ECC keys.
  basicConstraints = CA:FALSE
  keyUsage = critical, digitalSignature
  # Restricts the certificate's purpose to code signing.
  extendedKeyUsage = codeSigning
  [v3_ca]
  # Extensions for a typical CA, as required by RFC 5280 etc.
  # Subject and authority key identifiers are set by default, following the
  # PKIX recommendation.
  # No pathlen is given, so a CA certified with this section is not limited in
  # how many levels of subordinate CAs may follow it.
  # NOTE(review): add a pathlen value if the hierarchy is meant to be bounded.
  basicConstraints = critical, CA:true
  # Key usage restricted to signing certificates and CRLs.
  keyUsage = critical, cRLSign, keyCertSign