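#
# OpenSSL configuration for the Root Certification Authority.
#
# Read by `openssl req` (creating the root key/self-signed certificate)
# and `openssl ca` (issuing intermediate CA certificates and CRLs).
# Every path below is resolved relative to CA_HOME.
#

#
# CA_HOME is read from the environment via $ENV::CA_HOME.  When the
# variable is not exported, OpenSSL falls back to this default-section
# value, so running the commands from inside the CA directory works
# without further setup.
CA_HOME = .
# PRNG seed file; only consulted by releases that still read RANDFILE
# from the configuration, harmless elsewhere.
RANDFILE = $ENV::CA_HOME/private/.rnd

#
# Default Certification Authority
[ ca ]
default_ca = root_ca

#
# Root Certification Authority
[ root_ca ]
dir = $ENV::CA_HOME
certs = $dir/certs
serial = $dir/root-ca.serial
database = $dir/root-ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/root-ca.cert.pem
private_key = $dir/private/root-ca.key.pem
# Lifetime in days of certificates issued by the root: five years
# including one leap day.
default_days = 1826
crl = $dir/root-ca.crl
crl_dir = $dir/crl
crlnumber = $dir/root-ca.crlnum
name_opt = multiline, align
cert_opt = no_pubkey
# Extension section applied to issued certificates when `-extensions`
# is not given on the command line.  Without a section `openssl ca`
# emits a V1 certificate carrying neither basicConstraints nor keyUsage,
# and that failure is silent.
x509_extensions = intermed-ca_ext
# `copy` imports request extensions only where the extension section
# does not already define them, so every security-relevant extension
# (basicConstraints, keyUsage, nameConstraints, ...) must be pinned in
# the extension section rather than left to the requester.
copy_extensions = copy
crl_extensions = crl_ext
# CRL validity in days.
default_crl_days = 180
default_md = sha256
# Do not keep the request's DN ordering; the policy section decides.
preserve = no
# Contact e-mail belongs in subjectAltName, not in the DN.
email_in_dn = no
policy = policy
# Permit re-issuing a certificate for a subject already in the index
# (renewal of an intermediate).
unique_subject = no

#
# Distinguished Name Policy for CAs
# `supplied` fields must be present in the request; `optional` fields
# are taken over when present.
[ policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied

#
# Root CA Request Options
[ req ]
default_bits = 4096
# Anchored on CA_HOME so it names the same file as private_key in
# [ root_ca ] regardless of the working directory.
default_keyfile = $ENV::CA_HOME/private/root-ca.key.pem
encrypt_key = yes
default_md = sha256
string_mask = utf8only
utf8 = yes
prompt = no
req_extensions = root-ca_req_ext
# Extensions for the self-signed root when `openssl req -x509` is used;
# `-extensions` on the command line overrides this.
x509_extensions = root-ca_ext
distinguished_name = distinguished_name
# subjectAltName is not a [ req ] option and would be ignored here; the
# request's SAN comes from [ root-ca_req_ext ].

#
# Root CA Request Extensions
[ root-ca_req_ext ]
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name

#
# Distinguished Name (DN)
[ distinguished_name ]
organizationName = example.net
commonName = example.net Root Certification Authority

#
# Root CA Certificate Extensions
# No pathlen: the root may issue intermediates that themselves are CAs.
[ root-ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, @name_constraints
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist

#
# Intermediate CA Certificate Extensions
# pathlen:0 stops the intermediate from issuing further CA certificates.
# NOTE(review): the name constraints live only on the root above; some
# validators do not enforce constraints carried by a self-signed trust
# anchor, so confirm whether they should be repeated here.
[ intermed-ca_ext ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist

#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy

#
# Certificate Authorities Alternative Names
[ subject_alt_name ]
URI = http://ca.example.net/
email = certmaster@example.net

#
# Name Constraints
# Constraints apply per name type: DNS and e-mail names in any
# subordinate certificate must fall under the entries below, while
# types not listed (URI, IP, directoryName) remain unconstrained.
[ name_constraints ]
permitted;DNS.1 = example.net
permitted;DNS.2 = example.org
permitted;DNS.3 = lan
permitted;DNS.4 = onion
permitted;email.1 = example.net
permitted;email.2 = example.org

#
# Certificate download addresses for the root CA
# ROOTCRT is a placeholder to be replaced with the published URL before
# use; OpenSSL does not validate the value, so a forgotten placeholder
# ends up verbatim in every issued certificate.
[ auth_info_access ]
caIssuers;URI = ROOTCRT

#
# CRL Download address for the root CA
# ROOTCRL is a placeholder, replaced the same way as ROOTCRT.
[ crl_dist ]
fullname = URI:ROOTCRL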