wolfssl.cnf 3.3 KB

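  [ ca ]
  # `man ca`
  # Names the section `openssl ca` reads its settings from when no
  # -name option is given on the command line.
  default_ca = CA_default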
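  [ CA_default ]
  # Directory and file locations.
  # dir = . makes every path below relative to the directory openssl is
  # run from, so the command must be started from the expected directory.
  dir = .
  certs = $dir/certs
  new_certs_dir = $dir/certs
  # index.txt and serial hold the CA's issuance state: the record of
  # issued and revoked certificates and the next serial number.
  database = $dir/certs/ecc/index.txt
  serial = $dir/certs/ecc/serial
  RANDFILE = $dir/private/.rand

  # The root key and root certificate.
  # NOTE(review): the CA private key lives in the same certs/ tree as the
  # public certificates. That is workable for a test or example CA
  # (presumably what this file is; confirm). A production CA key belongs
  # in a directory with restricted permissions or in an HSM.
  private_key = $dir/certs/ca-ecc-key.pem
  certificate = $dir/certs/ca-ecc-cert.pem

  # For certificate revocation lists.
  crlnumber = $dir/certs/ecc/crlnumber
  crl_extensions = crl_ext
  # Days until the next CRL is due. NOTE(review): at 1000 days a relying
  # party may keep accepting a CRL that predates a revocation for almost
  # three years. Use a much shorter window outside of test fixtures.
  default_crl_days = 1000

  # SHA-1 is deprecated, so use SHA-2 instead.
  default_md = sha256
  name_opt = ca_default
  cert_opt = ca_default
  # Validity of issued certificates in days (about ten years).
  # NOTE(review): long-lived certificates widen the window in which a
  # compromised key stays usable. Shorten for anything but fixtures.
  default_days = 3650
  # no: the subject DN is ordered as in the policy section rather than
  # as in the request.
  preserve = no
  # NOTE(review): policy_loose requires only commonName, so this CA does
  # not constrain the organisation or country of what it signs.
  # policy_strict is defined in this file but is not selected here.
  # copy_extensions is not set, so extensions requested in a CSR are not
  # copied into the certificate (the `ca` default); keep it that way
  # unless every request is reviewed before signing.
  policy = policy_loose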
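  [ policy_strict ]
  # The root CA should only sign intermediate certificates that match.
  # See the POLICY FORMAT section of `man ca`.
  # match    = the field must equal the same field in the CA certificate
  # supplied = the field must be present in the request
  # optional = the field may be present
  # DN fields not listed here (localityName, for example) are dropped
  # from the issued certificate, because CA_default sets preserve = no.
  # CA_default in this file selects policy_loose, so this section only
  # takes effect when chosen explicitly, e.g. with `-policy policy_strict`.
  countryName = match
  stateOrProvinceName = match
  organizationName = match
  organizationalUnitName = optional
  commonName = supplied
  emailAddress = optional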
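  [ policy_loose ]
  # Allow the intermediate CA to sign a more diverse range of certificates.
  # See the POLICY FORMAT section of the `ca` man page.
  # Only commonName is required. No field has to match the CA's own DN,
  # so the policy itself does not stop a request from naming another
  # organisation; whoever signs must check the requested subject.
  # This is the policy CA_default selects in this file.
  countryName = optional
  stateOrProvinceName = optional
  localityName = optional
  organizationName = optional
  organizationalUnitName = optional
  commonName = supplied
  emailAddress = optional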
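  [ req ]
  # Options for the `req` tool (`man req`).
  # Key size used when `req` generates a new RSA key and no size is given
  # on the command line. NOTE(review): the CA files named in CA_default
  # are ECC (ca-ecc-*), for which this value is presumably unused.
  default_bits = 2048
  distinguished_name = req_distinguished_name
  # Encode DN string fields as UTF8String only.
  string_mask = utf8only

  # SHA-1 is deprecated, so use SHA-2 instead.
  default_md = sha256

  # Extension to add when the -x509 option is used.
  # With v3_ca, any self-signed certificate produced by `req -x509` from
  # this file is a CA certificate (CA:true, keyCertSign).
  x509_extensions = v3_ca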
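  [ req_distinguished_name ]
  # NOTE(review): [ req ] does not set `prompt = no`, so `req` treats the
  # right-hand sides below as prompt texts, not as field values. Values
  # would be given as <field>_default entries, or these lines would be
  # used as literal values once `prompt = no` is set. Confirm how the
  # generating scripts supply the subject (for example with -subj).
  countryName = US
  stateOrProvinceName = Washington
  localityName = Seattle
  0.organizationName = wolfSSL
  organizationalUnitName = Development
  commonName = www.wolfssl.com
  emailAddress = info@wolfssl.com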
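  [ v3_ca ]
  # Extensions for a typical CA (`man x509v3_config`).
  subjectKeyIdentifier = hash
  # keyid:always makes issuance fail if the issuer key id cannot be found.
  authorityKeyIdentifier = keyid:always,issuer
  # Critical, so verifiers must process it. No pathlen is given, so the
  # number of subordinate CA levels below this CA is not limited.
  basicConstraints = critical, CA:true
  # keyCertSign and cRLSign are what a CA needs. digitalSignature also
  # lets the CA key sign other data; drop it if the key signs only
  # certificates and CRLs.
  keyUsage = critical, digitalSignature, cRLSign, keyCertSign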
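  [ v3_intermediate_ca ]
  # Extensions for a typical intermediate CA (`man x509v3_config`).
  subjectKeyIdentifier = hash
  # keyid:always makes issuance fail if the issuer key id cannot be found.
  authorityKeyIdentifier = keyid:always,issuer
  # pathlen:0 means this CA may sign end-entity certificates but no
  # further CA certificates, which limits the damage if its key is
  # compromised.
  basicConstraints = critical, CA:true, pathlen:0
  keyUsage = critical, digitalSignature, cRLSign, keyCertSign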
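  [ usr_cert ]
  # Extensions for client certificates (`man x509v3_config`).
  # CA:FALSE keeps a client certificate from being accepted as an issuer.
  basicConstraints = CA:FALSE
  # Legacy Netscape extension; current validators rely on
  # extendedKeyUsage instead.
  nsCertType = client, email
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid,issuer
  # NOTE(review): keyEncipherment is meaningful for RSA key transport. If
  # this section is only used with ECC keys (the CA files in CA_default
  # are named ca-ecc-*), confirm it is intended.
  keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
  # Limits the certificate to TLS client authentication and S/MIME.
  extendedKeyUsage = clientAuth, emailProtection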
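  [ server_cert ]
  # Extensions for server certificates (`man x509v3_config`).
  # NOTE(review): no subjectAltName is set in this section. TLS clients
  # that ignore commonName will not match a hostname unless a SAN is
  # supplied some other way; confirm against the issuing scripts.
  # CA:FALSE keeps a server certificate from being accepted as an issuer.
  basicConstraints = CA:FALSE
  # Legacy Netscape extension; current validators rely on
  # extendedKeyUsage instead.
  nsCertType = server
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid,issuer:always
  # NOTE(review): keyEncipherment is meaningful for RSA key transport. If
  # this section is only used with ECC keys (the CA files in CA_default
  # are named ca-ecc-*), confirm it is intended.
  keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
  # Limits the certificate to TLS server authentication.
  extendedKeyUsage = serverAuth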
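  [ crl_ext ]
  # Extension for CRLs (`man x509v3_config`).
  # Referenced by crl_extensions in CA_default. The key id lets a relying
  # party tie a CRL to the CA key that signed it; keyid:always makes CRL
  # generation fail if that id cannot be determined.
  authorityKeyIdentifier = keyid:always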