| 1 | #
|
|---|
| 2 | # OpenSSL example configuration file for automated certificate creation.
|
|---|
| 3 | #
|
|---|
| 4 |
|
|---|
| 5 | # This definition stops the following lines choking if HOME or CN
|
|---|
| 6 | # is undefined.
|
|---|
| 7 | HOME = .
|
|---|
| 8 | RANDFILE = $ENV::HOME/.rnd
|
|---|
| 9 | CN = "Not Defined"
|
|---|
| 10 | default_ca = ca
|
|---|
| 11 |
|
|---|
| 12 | ####################################################################
|
|---|
| 13 | [ req ]
|
|---|
| 14 | default_bits = 1024
|
|---|
| 15 | default_keyfile = privkey.pem
|
|---|
| 16 | # Don't prompt for fields: use those in section directly
|
|---|
| 17 | prompt = no
|
|---|
| 18 | distinguished_name = req_distinguished_name
|
|---|
| 19 | x509_extensions = v3_ca # The extensions to add to the self signed cert
|
|---|
| 20 | string_mask = utf8only
|
|---|
| 21 |
|
|---|
| 22 | # req_extensions = v3_req # The extensions to add to a certificate request
|
|---|
| 23 |
|
|---|
| 24 | [ req_distinguished_name ]
|
|---|
| 25 | countryName = UK
|
|---|
| 26 |
|
|---|
| 27 | organizationName = OpenSSL Group
|
|---|
| 28 | # Take CN from environment so it can come from a script.
|
|---|
| 29 | commonName = $ENV::CN
|
|---|
| 30 |
|
|---|
| 31 | [ usr_cert ]
|
|---|
| 32 |
|
|---|
| 33 | # These extensions are added when 'ca' signs a request for an end entity
|
|---|
| 34 | # certificate
|
|---|
| 35 |
|
|---|
| 36 | basicConstraints=critical, CA:FALSE
|
|---|
| 37 | keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
|
|---|
| 38 |
|
|---|
| 39 | # This will be displayed in Netscape's comment listbox.
|
|---|
| 40 | nsComment = "OpenSSL Generated Certificate"
|
|---|
| 41 |
|
|---|
| 42 | # PKIX recommendations harmless if included in all certificates.
|
|---|
| 43 | subjectKeyIdentifier=hash
|
|---|
| 44 | authorityKeyIdentifier=keyid
|
|---|
| 45 | # OCSP responder certificate
|
|---|
| 46 | [ ocsp_cert ]
|
|---|
| 47 |
|
|---|
| 48 | basicConstraints=critical, CA:FALSE
|
|---|
| 49 | keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
|
|---|
| 50 |
|
|---|
| 51 | # This will be displayed in Netscape's comment listbox.
|
|---|
| 52 | nsComment = "OpenSSL Generated Certificate"
|
|---|
| 53 |
|
|---|
| 54 | # PKIX recommendations harmless if included in all certificates.
|
|---|
| 55 | subjectKeyIdentifier=hash
|
|---|
| 56 | authorityKeyIdentifier=keyid
|
|---|
| 57 | extendedKeyUsage=OCSPSigning
|
|---|
| 58 |
|
|---|
| 59 | [ dh_cert ]
|
|---|
| 60 |
|
|---|
| 61 | # These extensions are added when 'ca' signs a request for an end entity
|
|---|
| 62 | # DH certificate
|
|---|
| 63 |
|
|---|
| 64 | basicConstraints=critical, CA:FALSE
|
|---|
| 65 | keyUsage=critical, keyAgreement
|
|---|
| 66 |
|
|---|
| 67 | # PKIX recommendations harmless if included in all certificates.
|
|---|
| 68 | subjectKeyIdentifier=hash
|
|---|
| 69 | authorityKeyIdentifier=keyid
|
|---|
| 70 |
|
|---|
| 71 | [ v3_ca ]
|
|---|
| 72 |
|
|---|
| 73 |
|
|---|
| 74 | # Extensions for a typical CA
|
|---|
| 75 |
|
|---|
| 76 | # PKIX recommendation.
|
|---|
| 77 |
|
|---|
| 78 | subjectKeyIdentifier=hash
|
|---|
| 79 | authorityKeyIdentifier=keyid:always
|
|---|
| 80 | basicConstraints = critical,CA:true
|
|---|
| 81 | keyUsage = critical, cRLSign, keyCertSign
|
|---|
| 82 |
|
|---|
| 83 | # Minimal CA entry to allow generation of CRLs.
|
|---|
| 84 | [ca]
|
|---|
| 85 | database=index.txt
|
|---|
| 86 | crlnumber=crlnum.txt
|
|---|
