wolfssl.cnf 3.4 KB

  [ ca ]
  # Settings for the `ca` command (`man ca`).
  # default_ca names the section that holds the CA settings used when no
  # -name option is passed.
  default_ca = CA_default
  [ CA_default ]
  # Every path below is built from $dir, so it resolves relative to the
  # directory the calling script is executed from.
  dir = .
  certs = $dir/../
  new_certs_dir = $dir/../

  # Text database of issued certificates, and the file holding the next serial.
  database = $dir/../crl/index.txt
  serial = $dir/../crl/serial

  # Random seed file. The original note says this should come from the system
  # and the local path be disregarded.
  RANDFILE = $dir/private/.rand

  # Root CA private key and root CA certificate.
  # NOTE(review): the key is read from the same directory as certs and
  # new_certs_dir. That is fine for test fixtures; confirm this file is never
  # used with a production CA key.
  private_key = $dir/../ca-ecc-key.pem
  certificate = $dir/../ca-ecc-cert.pem

  # Certificate revocation list settings.
  crlnumber = $dir/../crl/crlnumber
  crl_extensions = crl_ext
  # Days until the next CRL is due.
  # NOTE(review): with 1000 days, a relying party that caches the CRL may not
  # see a new revocation for years; acceptable only for test data - confirm.
  default_crl_days = 1000

  # Signing digest. SHA-1 is deprecated, so SHA-2 is used.
  default_md = sha256

  name_opt = ca_default
  cert_opt = ca_default
  # Validity period, in days, of issued certificates.
  default_days = 3650
  # no: subject fields follow the order of the policy section, not the request.
  preserve = no
  # policy_loose is the policy selected here; [ policy_strict ] is defined in
  # this file but is not the default.
  policy = policy_loose
  [ policy_strict ]
  # Policy for a root CA that signs only intermediate certificates whose
  # subject matches its own. See the POLICY FORMAT section of `man ca`.
  #   match    - the field must equal the same field in the CA certificate
  #   supplied - the field must be present in the request
  #   optional - the field may be present
  # NOTE(review): [ CA_default ] in this file sets policy = policy_loose, so
  # this section applies only when it is selected explicitly (for example with
  # the -policy option).
  countryName = match
  stateOrProvinceName = match
  organizationName = match
  organizationalUnitName = optional
  commonName = supplied
  emailAddress = optional
  [ policy_loose ]
  # Policy that lets the intermediate CA sign a more diverse range of
  # certificates. See the POLICY FORMAT section of the `ca` man page.
  # Only commonName is required; no field is checked against the CA's own
  # subject, so the subject of each request should be reviewed before signing.
  countryName = optional
  stateOrProvinceName = optional
  localityName = optional
  organizationName = optional
  organizationalUnitName = optional
  commonName = supplied
  emailAddress = optional
  [ req ]
  # Options for the `req` tool (`man req`).

  # RSA key size used when `req` generates a new key.
  # NOTE(review): the CA key files named in [ CA_default ] are ECC, so this
  # value presumably does not apply to them - confirm.
  default_bits = 2048
  distinguished_name = req_distinguished_name
  string_mask = utf8only

  # Signing digest. SHA-1 is deprecated, so SHA-2 is used.
  default_md = sha256

  # Extension section applied when the -x509 option is used, i.e. self-signed
  # certificates produced with this file receive the CA extensions in [ v3_ca ].
  x509_extensions = v3_ca
  [ req_distinguished_name ]
  # Subject fields for certificate requests.
  # NOTE(review): [ req ] in this file does not set `prompt = no`. In prompting
  # mode `req` treats the right-hand side of each field as the prompt text and
  # takes defaults from <field>_default keys, so these values may not end up in
  # the subject unless the scripts pass it another way (for example -subj).
  # Confirm against the calling scripts.
  countryName = US
  stateOrProvinceName = Washington
  localityName = Seattle
  0.organizationName = wolfSSL
  organizationalUnitName = Development
  commonName = www.wolfssl.com
  emailAddress = info@wolfssl.com
  [ v3_ca ]
  # Extensions for a typical CA certificate (`man x509v3_config`).
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always,issuer
  # CA:true without a pathlen places no limit on the number of CA certificates
  # that may follow below this one in a chain.
  basicConstraints = critical, CA:true
  # Limits the key to signing certificates and CRLs, plus digital signatures.
  keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  [ v3_intermediate_ca ]
  # Extensions for a typical intermediate CA certificate (`man x509v3_config`).
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always,issuer
  # pathlen:0 means this CA may issue end-entity certificates but no further
  # CA certificates beneath it.
  basicConstraints = critical, CA:true, pathlen:0
  keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  [ usr_cert ]
  # Extensions for client certificates (`man x509v3_config`).
  # CA:FALSE keeps a client certificate from being accepted as an issuer.
  basicConstraints = CA:FALSE
  # nsCertType is the legacy Netscape extension; extendedKeyUsage below is the
  # standard way to express the same restriction.
  nsCertType = client, email
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid,issuer
  keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
  extendedKeyUsage = clientAuth, emailProtection
  [ server_cert ]
  # Extensions for server certificates (`man x509v3_config`).
  # CA:FALSE keeps a server certificate from being accepted as an issuer.
  basicConstraints = CA:FALSE
  # nsCertType is the legacy Netscape extension; extendedKeyUsage below is the
  # standard way to express the same restriction.
  nsCertType = server
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid,issuer:always
  keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
  extendedKeyUsage = serverAuth
  # NOTE(review): no subjectAltName is set in this section. Clients that match
  # the host name against subjectAltName only will reject such a certificate
  # unless the name is supplied another way - confirm against the scripts.
  [ crl_ext ]
  # Extension added to CRLs (`man x509v3_config`); referenced by
  # crl_extensions in [ CA_default ].
  # keyid:always requires the issuer's key identifier to be included.
  authorityKeyIdentifier = keyid:always