blob: 12a0f8d4f7e6345d9240077bd42fd25a3a8d4936 [file] [log] [blame]
# This is an openssl configuration file. It is used by the command
# generate_cert
# to generate self-signed certificates. Using a configuration file like this
# seems to be the only way to generate a certificate with an IP address in the
# Subject Alternative Name section. This is necessary if you want to access
# a server via an IP address. The tag <IP_ADDRESS> below is replaced by the
# value of the flag --ip-address passed to the generate_cert command
# and the tag <HOSTNAME> below is replaced by the value of the flag --hostname.
# Note that if you plan to access the Shuffler via a host name (including a
# a DNS name) then you must pass the host name to the --hostname flag.
# openssl will also prompt you for the hostname to use as the CN (Common Name)
# and you must enter it there also. But this is not sufficient because the C++
# version of the gRPC tls client is strict in verifying the hostname: Because
# the certificate contains at least one Subject Alternateive name (SAN) the
# Common Name (CN) will not be used at all for host name verification. Therefore
# the hostname must also be listed as a SAN. On the other hand the host name
# must also be entered into openssl's CN prompt because it will get used as the
# CN of the issuer.
HOME = .
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
commonName = Common Name (Server FQDN)
commonName_default = localhost
commonName_max = 64
[ v3_ca ]
subjectAltName = @alt_names
basicConstraints = CA:true
IP.1 = @@@IP_ADDRESS@@@
DNS.1 = @@@HOSTNAME@@@