ca.cnf 2.2 KB

  1. #
  2. # OpenSSL example configuration file for automated certificate creation.
  3. #
  4. # This definition stops the following lines choking if HOME or CN
  5. # is undefined.
  6. HOME = .
  7. RANDFILE = $ENV::HOME/.rnd
  8. CN = "Not Defined"
  9. default_ca = ca
  10. ####################################################################
  11. [ req ]
  12. default_bits = 1024
  13. default_keyfile = privkey.pem
  14. # Don't prompt for fields: use those in section directly
  15. prompt = no
  16. distinguished_name = req_distinguished_name
  17. x509_extensions = v3_ca # The extensions to add to the self signed cert
  18. string_mask = utf8only
  19. # req_extensions = v3_req # The extensions to add to a certificate request
  20. [ req_distinguished_name ]
  21. countryName = UK
  22. organizationName = OpenSSL Group
  23. # Take CN from environment so it can come from a script.
  24. commonName = $ENV::CN
  25. [ usr_cert ]
  26. # These extensions are added when 'ca' signs a request for an end entity
  27. # certificate
  28. basicConstraints=critical, CA:FALSE
  29. keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
  30. # This will be displayed in Netscape's comment listbox.
  31. nsComment = "OpenSSL Generated Certificate"
  32. # PKIX recommendations harmless if included in all certificates.
  33. subjectKeyIdentifier=hash
  34. authorityKeyIdentifier=keyid
  35. # OCSP responder certificate
  36. [ ocsp_cert ]
  37. basicConstraints=critical, CA:FALSE
  38. keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
  39. # This will be displayed in Netscape's comment listbox.
  40. nsComment = "OpenSSL Generated Certificate"
  41. # PKIX recommendations harmless if included in all certificates.
  42. subjectKeyIdentifier=hash
  43. authorityKeyIdentifier=keyid
  44. extendedKeyUsage=OCSPSigning
  45. [ dh_cert ]
  46. # These extensions are added when 'ca' signs a request for an end entity
  47. # DH certificate
  48. basicConstraints=critical, CA:FALSE
  49. keyUsage=critical, keyAgreement
  50. # PKIX recommendations harmless if included in all certificates.
  51. subjectKeyIdentifier=hash
  52. authorityKeyIdentifier=keyid
  53. [ v3_ca ]
  54. # Extensions for a typical CA
  55. # PKIX recommendation.
  56. subjectKeyIdentifier=hash
  57. authorityKeyIdentifier=keyid:always
  58. basicConstraints = critical,CA:true
  59. keyUsage = critical, cRLSign, keyCertSign
  60. # Minimal CA entry to allow generation of CRLs.
  61. [ca]
  62. database=index.txt
  63. crlnumber=crlnum.txt