123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109 |
- [ ca ]
- # `man ca`
- default_ca = CA_default
- [ CA_default ]
- # Directory and file locations.
- dir = .
- certs = $dir/certs
- new_certs_dir = $dir/certs
- database = $dir/certs/ecc/index.txt
- serial = $dir/certs/ecc/serial
- RANDFILE = $dir/private/.rand
- # The root key and root certificate.
- private_key = $dir/certs/ca-ecc-key.pem
- certificate = $dir/certs/ca-ecc-cert.pem
- # For certificate revocation lists.
- crlnumber = $dir/certs/ecc/crlnumber
- crl_extensions = crl_ext
- default_crl_days = 1000
- # SHA-1 is deprecated, so use SHA-2 instead.
- default_md = sha256
- name_opt = ca_default
- cert_opt = ca_default
- default_days = 3650
- preserve = no
- policy = policy_loose
- [ policy_strict ]
- # The root CA should only sign intermediate certificates that match.
- # See the POLICY FORMAT section of `man ca`.
- countryName = match
- stateOrProvinceName = match
- organizationName = match
- organizationalUnitName = optional
- commonName = supplied
- emailAddress = optional
- [ policy_loose ]
- # Allow the intermediate CA to sign a more diverse range of certificates.
- # See the POLICY FORMAT section of the `ca` man page.
- countryName = optional
- stateOrProvinceName = optional
- localityName = optional
- organizationName = optional
- organizationalUnitName = optional
- commonName = supplied
- emailAddress = optional
- [ req ]
- # Options for the `req` tool (`man req`).
- default_bits = 2048
- distinguished_name = req_distinguished_name
- string_mask = utf8only
- # SHA-1 is deprecated, so use SHA-2 instead.
- default_md = sha256
- # Extension to add when the -x509 option is used.
- x509_extensions = v3_ca
- [ req_distinguished_name ]
- countryName = US
- stateOrProvinceName = Washington
- localityName = Seattle
- 0.organizationName = wolfSSL
- organizationalUnitName = Development
- commonName = www.wolfssl.com
- emailAddress = info@wolfssl.com
- [ v3_ca ]
- # Extensions for a typical CA (`man x509v3_config`).
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always,issuer
- basicConstraints = critical, CA:true
- keyUsage = critical, digitalSignature, cRLSign, keyCertSign
- [ v3_intermediate_ca ]
- # Extensions for a typical intermediate CA (`man x509v3_config`).
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always,issuer
- basicConstraints = critical, CA:true, pathlen:0
- keyUsage = critical, digitalSignature, cRLSign, keyCertSign
- [ usr_cert ]
- # Extensions for client certificates (`man x509v3_config`).
- basicConstraints = CA:FALSE
- nsCertType = client, email
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid,issuer
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
- extendedKeyUsage = clientAuth, emailProtection
- [ server_cert ]
- # Extensions for server certificates (`man x509v3_config`).
- basicConstraints = CA:FALSE
- nsCertType = server
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid,issuer:always
- keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
- extendedKeyUsage = serverAuth
- [ crl_ext ]
- # Extension for CRLs (`man x509v3_config`).
- authorityKeyIdentifier=keyid:always
|