
openssl.cnf.j2 4.2KB

[ ca ]
# `man ca`: entry section for `openssl ca`; it only names the section that holds the real settings.
default_ca = CA_default
  4. [ CA_default ]
  5. # Directory and file locations.
  6. dir = {{ certificate_authority_directory }}
  7. certs = $dir/certs
  8. crl_dir = $dir/crl
  9. new_certs_dir = $dir/newcerts
  10. database = $dir/index
  11. serial = $dir/serial
  12. RANDFILE = $dir/private/.rand
  13. # The root key and root certificate.
  14. private_key = $dir/private/ca.key.pem
  15. certificate = $dir/certs/ca.cert.pem
  16. # For certificate revocation lists.
  17. crlnumber = $dir/crlnumber
  18. crl = $dir/crl/ca.crl.pem
  19. crl_extensions = crl_ext
  20. default_crl_days = 30
  21. # SHA-1 is deprecated, so use SHA-2 instead.
  22. default_md = sha256
  23. name_opt = ca_default
  24. cert_opt = ca_default
  25. default_days = 375
  26. preserve = no
  27. policy = policy_{{ certificate_authority_policy }}
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
# match: must equal the CA certificate's value; supplied: must be present;
# optional: may be present. Any DN field not listed here (e.g. localityName)
# is silently removed from the issued subject because CA_default sets preserve = no.
# Entry order here is also the subject order in the issued certificate.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_strict_org ]
# Like policy_strict, but only organizationName has to match the CA certificate;
# country and state are accepted if present, and localityName is dropped
# (it is not listed and CA_default sets preserve = no).
# See the POLICY FORMAT section of `man ca`.
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
# Only commonName is mandatory; the policy restricts which fields may appear,
# not their values, so vetting the request content is up to the operator.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
# RSA key size used when -newkey rsa is given without an explicit size. 2048 is the
# current floor; a long-lived root key is commonly generated with 4096.
default_bits = 2048
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only, the RFC 5280 recommendation (default since OpenSSL 1.1.0).
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
# Left unset on purpose: self-signing must name the CA extension section with
# -extensions (presumably one defined in the included extensions.cnf.j2 — TODO confirm).
#x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompt labels shown by `openssl req` for each DN field.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
# An undefined Ansible variable renders as an empty default. commonName has no
# default and must be entered at the prompt or passed with -subj.
countryName_default = {{ certificate_authority_country | default('') }}
stateOrProvinceName_default = {{ certificate_authority_state | default('') }}
localityName_default = {{ certificate_authority_locality | default('') }}
0.organizationName_default = {{ certificate_authority_organization | default('') }}
organizationalUnitName_default = {{ certificate_authority_organizational_unit | default('') }}
# No default e-mail address; leave the field empty unless a value is typed in.
#emailAddress_default =
# Further X.509v3 extension sections (presumably the CA / intermediate-CA sections
# selected with -extensions — TODO confirm) are rendered in from a separate template.
{% include "extensions.cnf.j2" %}
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions; modern clients ignore them.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# critical: a relying party that cannot process keyUsage must reject the certificate.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# NOTE(review): no subjectAltName is set here, and CA_default does not copy
# extensions from the CSR, so certificates issued with this section carry only a
# CN. Browsers and most TLS stacks (RFC 6125; Chrome since 58) ignore the CN for
# hostname matching — supply a subjectAltName, e.g. via a per-request extension
# section passed with -extensions, before using this for real hosts.
basicConstraints = CA:FALSE
# Legacy Netscape extensions; ignored by modern clients.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
# issuer:always also embeds the issuer DN and serial; usr_cert uses the keyid-only
# form, so the two sections are not consistent with each other.
authorityKeyIdentifier = keyid,issuer:always
# keyEncipherment covers RSA key transport (TLS <= 1.2); an ECDSA server key only needs digitalSignature.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
# Always embed the issuer key identifier so relying parties can tie the CRL to the CA key.
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# A delegated responder: not a CA, signs only, and the critical OCSPSigning EKU
# is what lets clients accept its responses (RFC 6960 4.2.2.2). The noCheck
# extension is not set, so clients may also try to check this responder
# certificate itself for revocation.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning