| base_dir = . |
| certificate = $base_dir/cacert.pem # The CA certifcate |
| private_key = $base_dir/cakey.pem # The CA private key |
| new_certs_dir = $base_dir # Location for new certs after signing |
| database = $base_dir/index.txt # Database index file |
| serial = $base_dir/serial.txt # The current serial number |
| |
| unique_subject = no # Set to 'no' to allow creation of |
| # several certificates with same subject. |
| |
| HOME = . |
| RANDFILE = $ENV::HOME/.rnd |
| |
| #################################################################### |
| [ ca ] |
| default_ca = CA_default # The default ca section |
| |
| [ CA_default ] |
| |
| default_days = 10000 # How long to certify for |
| default_crl_days = 30 # How long before next CRL |
| default_md = sha256 # Use public key default MD |
| preserve = no # Keep passed DN ordering |
| |
| x509_extensions = ca_extensions # The extensions to add to the cert |
| |
| email_in_dn = no # Don't concat the email in the DN |
| copy_extensions = copy # Required to copy SANs from CSR to cert |
| |
| #################################################################### |
| [ req ] |
| default_bits = 4096 |
| default_keyfile = cakey.pem |
| distinguished_name = ca_distinguished_name |
| x509_extensions = ca_extensions |
| string_mask = utf8only |
| |
| #################################################################### |
| [ ca_distinguished_name ] |
| countryName = Country Name (2 letter code) |
| countryName_default = US |
| |
| stateOrProvinceName = State or Province Name (full name) |
| stateOrProvinceName_default = Maryland |
| |
| localityName = Locality Name (eg, city) |
| localityName_default = Baltimore |
| |
| organizationName = Organization Name (eg, company) |
| organizationName_default = Test CA, Limited |
| |
| organizationalUnitName = Organizational Unit (eg, division) |
| organizationalUnitName_default = Server Research Department |
| |
| commonName = Common Name (e.g. server FQDN or YOUR name) |
| commonName_default = Test CA |
| |
| emailAddress = Email Address |
| emailAddress_default = test@example.com |
| |
| #################################################################### |
| [ ca_extensions ] |
| |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always, issuer |
| basicConstraints = critical, CA:true |
| keyUsage = keyCertSign, cRLSign |
| |
| |
| |
| |
| #################################################################### |
| [ signing_policy ] |
| countryName = optional |
| stateOrProvinceName = optional |
| localityName = optional |
| organizationName = optional |
| organizationalUnitName = optional |
| commonName = supplied |
| emailAddress = optional |
| |
| #################################################################### |
| [ signing_req ] |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid,issuer |
| basicConstraints = CA:FALSE |
| keyUsage = digitalSignature, keyEncipherment |