#
# OpenSSL configuration for the Root Certification Authority.
#
# Read by `openssl ca` ([ ca ] / [ root_ca ]) and `openssl req` ([ req ]).
# OpenSSL config syntax: `#` starts a comment, also after a value; `$name`
# expands a key from the current or default section, `$ENV::name` an
# environment variable; a key repeated inside one section is replaced by
# its later occurrence.
#
# CA_HOME is the CA working directory. Every path below reads it as
# $ENV::CA_HOME, so an exported CA_HOME environment variable takes
# precedence over this value and redirects the private key, database,
# serial and CRL paths with it. This definition stops the following lines
# choking if CA_HOME isn't exported: OpenSSL falls back to the default
# section for an unset $ENV:: variable.
CA_HOME = /opt/rootca
# RNG seed file, kept next to the private key; subject to the same
# CA_HOME override as every other path.
RANDFILE = $ENV::CA_HOME/private/.rnd
#
# Default Certification Authority
# Entry point for `openssl ca`: names the section with the CA settings that
# is used when no -name option is given on the command line.
[ ca ]
default_ca = root_ca
#
# Root Certification Authority
# Settings for `openssl ca` acting as the root. All paths hang off `dir`,
# which comes from the CA_HOME environment variable (or the CA_HOME default
# at the top of this file). `dir` must stay first: `$dir` is expanded where
# it appears and only resolves keys defined earlier.
[ root_ca ]
dir = $ENV::CA_HOME
certs = $dir/certs
# Next serial number (hex) and the issued-certificate index that `ca`
# consults for revocation status and subject uniqueness.
serial = $dir/root-ca.serial
database = $dir/root-ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/root-ca.cert.pem
# Signing key; [ req ] generates it with encrypt_key = yes, so `ca` asks
# for its passphrase on every signing run.
private_key = $dir/private/root-ca.key.pem
default_days = 1826 # 5 years
crl = $dir/root-ca.crl
crl_dir = $dir/crl
crlnumber = $dir/root-ca.crlnum
# Display options for the confirmation prompt before signing.
name_opt = multiline, align
cert_opt = no_pubkey
# Extensions found in a request are copied into the issued certificate
# unless the selected extension section already defines them. Every section
# used with this CA therefore has to pin basicConstraints (and ideally
# keyUsage) so a request cannot supply CA:TRUE or keyCertSign on its own.
copy_extensions = copy
crl_extensions = crl_ext
# CRL validity in days; default_md signs both certificates and CRLs.
default_crl_days = 180
default_md = sha384
# Subject DN is rebuilt in policy order; e-mail addresses are dropped from
# the DN (they are carried in the SAN instead).
preserve = no
email_in_dn = no
# The DN policy section is itself named `policy` (key and section coincide).
policy = policy
# Several live certificates may share a subject, i.e. a renewal does not
# require revoking the previous certificate first.
unique_subject = no
# Default extension section when `ca` is run without -extensions: the
# end-entity profile below.
x509_extensions = usr_cert # The extensions to add to the cert
#
# Distinguished Name Policy for CAs
# Checked by `openssl ca` against each request's subject. `supplied` only
# requires the attribute to be present with some value and `optional` lets
# it be absent; nothing here is `match`, so a request's C, L or O is not
# tied to the CA's own DN. Attributes not listed (e.g. emailAddress) are
# silently removed from the issued subject.
[ policy ]
countryName = supplied
stateOrProvinceName = optional
localityName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
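#
# Root CA Request Options
# Read by `openssl req` when generating the root key, its CSR and/or its
# self-signed certificate. Extensions for a CSR come from req_extensions,
# those for a `req -x509` self-signed certificate from x509_extensions. A
# bare subjectAltName key in this section is not a req option and would be
# ignored; the SAN is supplied by the extension sections instead.
[ req ]
default_bits = 4096
# Same file as private_key in [ root_ca ], anchored to CA_HOME rather than
# to whatever the working directory happens to be.
default_keyfile = $ENV::CA_HOME/private/root-ca.key.pem
# Passphrase-protect the generated key.
encrypt_key = yes
default_md = sha384
string_mask = utf8only
utf8 = yes
# Interactive subject entry; [ distinguished_name ] holds labels, defaults
# and length bounds.
prompt = yes
req_extensions = root-ca_req_ext
# Root profile (CA:true, keyCertSign/cRLSign) for `req -x509`, so the
# self-signed root is not issued without CA extensions when -extensions is
# omitted.
x509_extensions = root-ca_ext
distinguished_name = distinguished_name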
#
# Root CA Request Extensions
# Added to the CSR by `openssl req` (req_extensions in [ req ]). Because
# [ root_ca ] sets copy_extensions = copy, a SAN present in a CSR is carried
# into the certificate by any signing section that does not define its own
# subjectAltName.
[ root-ca_req_ext ]
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name
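#
# Distinguished Name (DN)
# Read by `openssl req` in prompt mode ([ req ] sets prompt = yes): each
# plain key is a prompt label, the attribute value comes from the matching
# `_default` key or from the operator, and `_min`/`_max` bound its length.
# A bare attribute assigned a literal value would become a second prompt,
# and a key repeated in the section is replaced by its later occurrence, so
# fixed values live only in `_default` keys. Attributes are prompted and
# placed in the DN in the conventional order C, ST, L, O, CN.
[ distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hessen
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Blausee
commonName = Common Name (e.g. server FQDN or YOUR name)
# ub-common-name (RFC 5280) is 64 characters.
commonName_max = 64
commonName_default = Blausee.eu Root Certification Authority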
#
# Root CA Certificate Extensions
# Profile of the self-signed root; select it with -extensions root-ca_ext
# or point x509_extensions at it. CA:true and keyCertSign/cRLSign are
# critical so the certificate is usable for issuing only. No pathlen is
# set, so subordinate CAs may be chained below it at any depth.
[ root-ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name
# For a self-signed certificate the AKID is the root's own SKID.
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
#
# CRL Certificate Extensions
# Added to every CRL (crl_extensions in [ root_ca ]) so relying parties can
# match the CRL to the issuing key.
[ crl_ext ]
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
#
# Certificate Authorities Alternative Names
# Referenced as @subject_alt_name by root-ca_req_ext and root-ca_ext. These
# are the CA's own contact points; issued certificates get their SAN from
# the request (see copy_extensions in [ root_ca ]).
[ subject_alt_name ]
URI = http://blausee.eu/
email = s.butzek@gmx.de
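#
# End-entity extensions, the default for `openssl ca` (x509_extensions in
# [ root_ca ]). These extensions are added when 'ca' signs a request.
# No keyUsage or extendedKeyUsage is pinned here, so with copy_extensions =
# copy those values are taken from the request when it supplies them; the
# CA:FALSE below is what prevents a request from turning the result into a
# CA certificate.
[ usr_cert ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE
# Legacy Netscape extension kept for compatibility; it will be displayed in
# Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
#
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer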
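#
# Client / e-mail certificate extensions (select with -extensions user_ext).
# basicConstraints is pinned because [ root_ca ] uses copy_extensions =
# copy: without it a request could carry its own basicConstraints, CA:TRUE
# included, into the issued certificate. keyUsage and extendedKeyUsage are
# pinned for the same reason.
[ user_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy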
#
# Certificate download addresses for the root CA
# Not wired in: no extension section sets authorityInfoAccess =
# @auth_info_access and the only entry is commented out, so issued
# certificates carry no AIA pointer to the root certificate. The URL below
# is a placeholder, not a live address.
[ auth_info_access ]
#caIssuers;URI = http://ca.example.net/certs/example.net_Root_Certification_Authority.cert.pem
#
# CRL Download address for the root CA
# Not wired in: no extension section sets crlDistributionPoints = @crl_dist
# and the entry is commented out, so issued certificates do not tell
# relying parties where to fetch the CRL that [ root_ca ] maintains. The
# URL below is a placeholder, not a live address.
[ crl_dist ]
#fullname = URI:http://ca.example.net/crl/example.net_Root_Certification_Authority.crl
# EOF