|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127 |
- [ ca ]
- # `man ca`
- default_ca = CA_default
-
- [ CA_default ]
- # Directory and file locations.
- dir = {{ certificate_authority_directory }}
- certs = $dir/certs
- crl_dir = $dir/crl
- new_certs_dir = $dir/newcerts
- database = $dir/index
- serial = $dir/serial
- RANDFILE = $dir/private/.rand
-
- # The root key and root certificate.
- private_key = $dir/private/ca.key.pem
- certificate = $dir/certs/ca.cert.pem
-
- # For certificate revocation lists.
- crlnumber = $dir/crlnumber
- crl = $dir/crl/ca.crl.pem
- crl_extensions = crl_ext
- default_crl_days = 30
-
- # SHA-1 is deprecated, so use SHA-2 instead.
- default_md = sha256
-
- name_opt = ca_default
- cert_opt = ca_default
- default_days = 375
- preserve = no
- policy = policy_{{ certificate_authority_policy }}
-
- [ policy_strict ]
- # The root CA should only sign intermediate certificates that match.
- # See the POLICY FORMAT section of `man ca`.
- countryName = match
- stateOrProvinceName = match
- organizationName = match
- organizationalUnitName = optional
- commonName = supplied
- emailAddress = optional
-
- [ policy_strict_org ]
- # The root CA should only sign intermediate certificates that match.
- # See the POLICY FORMAT section of `man ca`.
- countryName = optional
- stateOrProvinceName = optional
- organizationName = match
- organizationalUnitName = optional
- commonName = supplied
- emailAddress = optional
-
- [ policy_loose ]
- # Allow the intermediate CA to sign a more diverse range of certificates.
- # See the POLICY FORMAT section of the `ca` man page.
- countryName = optional
- stateOrProvinceName = optional
- localityName = optional
- organizationName = optional
- organizationalUnitName = optional
- commonName = supplied
- emailAddress = optional
-
- [ req ]
- # Options for the `req` tool (`man req`).
- default_bits = 2048
- distinguished_name = req_distinguished_name
- string_mask = utf8only
-
- # SHA-1 is deprecated, so use SHA-2 instead.
- default_md = sha256
-
- # Extension to add when the -x509 option is used.
- #x509_extensions = v3_ca
-
- [ req_distinguished_name ]
- # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
- countryName = Country Name (2 letter code)
- stateOrProvinceName = State or Province Name
- localityName = Locality Name
- 0.organizationName = Organization Name
- organizationalUnitName = Organizational Unit Name
- commonName = Common Name
- emailAddress = Email Address
-
- # Optionally, specify some defaults.
- countryName_default = {{ certificate_authority_country | default('') }}
- stateOrProvinceName_default = {{ certificate_authority_state | default('') }}
- localityName_default = {{ certificate_authority_locality | default('') }}
- 0.organizationName_default = {{ certificate_authority_organization | default('') }}
- organizationalUnitName_default = {{ certificate_authority_organizational_unit | default('') }}
- #emailAddress_default =
-
- {% include "extensions.cnf.j2" %}
-
- [ usr_cert ]
- # Extensions for client certificates (`man x509v3_config`).
- basicConstraints = CA:FALSE
- nsCertType = client, email
- nsComment = "OpenSSL Generated Client Certificate"
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid,issuer
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
- extendedKeyUsage = clientAuth, emailProtection
-
- [ server_cert ]
- # Extensions for server certificates (`man x509v3_config`).
- basicConstraints = CA:FALSE
- nsCertType = server
- nsComment = "OpenSSL Generated Server Certificate"
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid,issuer:always
- keyUsage = critical, digitalSignature, keyEncipherment
- extendedKeyUsage = serverAuth
-
- [ crl_ext ]
- # Extension for CRLs (`man x509v3_config`).
- authorityKeyIdentifier=keyid:always
-
- [ ocsp ]
- # Extension for OCSP signing certificates (`man ocsp`).
- basicConstraints = CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid,issuer
- keyUsage = critical, digitalSignature
- extendedKeyUsage = critical, OCSPSigning
|