2011-06-01 18:36:49 +00:00
|
|
|
#
|
|
|
|
# OpenSSL example configuration file for automated certificate creation.
|
|
|
|
#
|
|
|
|
|
|
|
|
# This definition stops the following lines choking if HOME or CN
|
|
|
|
# is undefined.
|
|
|
|
HOME = .
|
|
|
|
RANDFILE = $ENV::HOME/.rnd
|
|
|
|
CN = "Not Defined"
|
2012-09-09 20:43:49 +00:00
|
|
|
default_ca = ca
|
2011-06-01 18:36:49 +00:00
|
|
|
|
|
|
|
####################################################################
|
|
|
|
[ req ]
|
|
|
|
default_bits = 1024
|
|
|
|
default_keyfile = privkey.pem
|
|
|
|
# Don't prompt for fields: use those in section directly
|
|
|
|
prompt = no
|
|
|
|
distinguished_name = req_distinguished_name
|
2013-06-12 23:22:32 +00:00
|
|
|
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
2011-06-01 18:36:49 +00:00
|
|
|
string_mask = utf8only
|
|
|
|
|
|
|
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
|
|
|
|
|
|
|
[ req_distinguished_name ]
|
|
|
|
countryName = UK
|
|
|
|
|
|
|
|
organizationName = OpenSSL Group
|
|
|
|
# Take CN from environment so it can come from a script.
|
|
|
|
commonName = $ENV::CN
|
|
|
|
|
|
|
|
[ usr_cert ]
|
|
|
|
|
|
|
|
# These extensions are added when 'ca' signs a request for an end entity
|
|
|
|
# certificate
|
|
|
|
|
|
|
|
basicConstraints=critical, CA:FALSE
|
|
|
|
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
|
|
|
|
|
|
|
|
# This will be displayed in Netscape's comment listbox.
|
|
|
|
nsComment = "OpenSSL Generated Certificate"
|
|
|
|
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
|
|
subjectKeyIdentifier=hash
|
|
|
|
authorityKeyIdentifier=keyid
|
2012-09-09 20:43:49 +00:00
|
|
|
# OCSP responder certificate
|
|
|
|
[ ocsp_cert ]
|
|
|
|
|
|
|
|
basicConstraints=critical, CA:FALSE
|
|
|
|
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
|
|
|
|
|
|
|
|
# This will be displayed in Netscape's comment listbox.
|
|
|
|
nsComment = "OpenSSL Generated Certificate"
|
|
|
|
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
|
|
subjectKeyIdentifier=hash
|
|
|
|
authorityKeyIdentifier=keyid
|
|
|
|
extendedKeyUsage=OCSPSigning
|
2011-06-01 18:36:49 +00:00
|
|
|
|
2012-01-25 16:33:39 +00:00
|
|
|
[ dh_cert ]
|
|
|
|
|
|
|
|
# These extensions are added when 'ca' signs a request for an end entity
|
|
|
|
# DH certificate
|
|
|
|
|
|
|
|
basicConstraints=critical, CA:FALSE
|
|
|
|
keyUsage=critical, keyAgreement
|
|
|
|
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
|
|
subjectKeyIdentifier=hash
|
|
|
|
authorityKeyIdentifier=keyid
|
|
|
|
|
2011-06-01 18:36:49 +00:00
|
|
|
[ v3_ca ]
|
|
|
|
|
|
|
|
|
|
|
|
# Extensions for a typical CA
|
|
|
|
|
|
|
|
# PKIX recommendation.
|
|
|
|
|
|
|
|
subjectKeyIdentifier=hash
|
|
|
|
authorityKeyIdentifier=keyid:always
|
|
|
|
basicConstraints = critical,CA:true
|
|
|
|
keyUsage = critical, cRLSign, keyCertSign
|
|
|
|
|
2012-09-09 20:43:49 +00:00
|
|
|
# Minimal CA entry to allow generation of CRLs.
|
|
|
|
[ca]
|
|
|
|
database=index.txt
|
|
|
|
crlnumber=crlnum.txt
|