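#
# OpenSSL configuration for the Root Certification Authority.
#
# Read via -config by `openssl req` (root key and request) and by
# `openssl ca` (issuing intermediate certificates and CRLs).  All file
# paths are anchored on CA_HOME.
#
# ROOTCRT and ROOTCRL (sections auth_info_access and crl_dist) are
# placeholders.  They must be replaced with the published URLs before any
# certificate is issued, otherwise the literal strings end up in the
# certificates.
#

# Fallback for when the environment variable CA_HOME is not set:
# $ENV::CA_HOME is resolved from the environment first and then from this
# default section, so the file still loads from the current directory.
CA_HOME = .
# Seed file for the random generator.  Only older OpenSSL releases honour
# RANDFILE; newer ones seed from the OS and ignore it (harmless to keep).
RANDFILE = $ENV::CA_HOME/private/.rnd

#
# Default Certification Authority
[ ca ]
default_ca = root_ca

#
# Root Certification Authority
[ root_ca ]
dir = $ENV::CA_HOME
certs = $dir/certs
serial = $dir/root-ca.serial
database = $dir/root-ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/root-ca.cert.pem
private_key = $dir/private/root-ca.key.pem
# Validity of issued certificates in days (five years incl. one leap day)
default_days = 1826
# Current CRL file
crl = $dir/root-ca.crl
crl_dir = $dir/crl
crlnumber = $dir/root-ca.crlnum
# How the subject DN and the certificate are displayed for confirmation
# before signing
name_opt = multiline, align
cert_opt = no_pubkey
# Extensions found in the CSR are copied into the issued certificate unless
# the same extension is also set in the selected -extensions section, which
# takes precedence.  Only the extensions listed there are therefore pinned;
# any other extension a CSR carries (e.g. extendedKeyUsage, nameConstraints)
# is taken over verbatim.  Inspect every CSR with `openssl req -text -noout`
# before signing, or change this to "none".
copy_extensions = copy
crl_extensions = crl_ext
# CRL validity in days
default_crl_days = 180
default_md = sha256
# With preserve = no, subject fields not listed in the policy section are
# silently dropped and the remaining ones are ordered as in that section;
# emailAddress is additionally kept out of the subject DN.
preserve = no
email_in_dn = no
policy = policy
unique_subject = no

#
# Distinguished Name Policy for CAs
# "supplied" fields must be present in the CSR, "optional" ones may be.
[ policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied

#
# Root CA Request Options
[ req ]
default_bits = 4096
# Anchored on CA_HOME like the paths in root_ca, so `openssl req` writes
# the key to the same file `openssl ca` later reads, whatever the cwd is.
default_keyfile = $ENV::CA_HOME/private/root-ca.key.pem
encrypt_key = yes
default_md = sha256
string_mask = utf8only
utf8 = yes
# The DN is taken verbatim from the distinguished_name section.
prompt = no
# The request's subjectAltName comes from this extension section
# (subjectAltName is not a key of the req section itself).
req_extensions = root-ca_req_ext
distinguished_name = distinguished_name

#
# Root CA Request Extensions
[ root-ca_req_ext ]
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name

#
# Distinguished Name (DN)
[ distinguished_name ]
organizationName = example.net
commonName = example.net Root Certification Authority

#
# Root CA Certificate Extensions (select with -extensions root-ca_ext)
[ root-ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
# Limits the names the hierarchy may certify.  Validators are free to
# ignore constraints carried by the trust anchor itself (RFC 5280,
# section 6.2), so these bind reliably only where the intermediates repeat
# them.  Only DNS and email names are constrained; IP, URI and
# directoryName alternative names remain unrestricted.
nameConstraints = critical, @name_constraints
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist

#
# Intermediate CA Certificate Extensions (select with -extensions
# intermed-ca_ext)
[ intermed-ca_ext ]
# pathlen:0 - the intermediate may issue end-entity certificates only
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# nameConstraints is not pinned here; with copy_extensions = copy a CSR
# could supply its own.  To have the root's limits honoured by validators
# that ignore trust-anchor constraints, add
# "nameConstraints = critical, @name_constraints" to this section.
subjectKeyIdentifier = hash
subjectAltName = @subject_alt_name
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
authorityInfoAccess = @auth_info_access
crlDistributionPoints = crl_dist

#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy

#
# Certificate Authorities Alternative Names
# Used as the subjectAltName of the root and of every intermediate.
[ subject_alt_name ]
URI = http://ca.example.net/
email = certmaster@example.net

#
# Name Constraints
# A permitted DNS entry covers the name and all its subdomains; a permitted
# email entry covers every mailbox in that domain.
[ name_constraints ]
permitted;DNS.1 = example.net
permitted;DNS.2 = example.org
permitted;DNS.3 = lan
permitted;DNS.4 = onion
permitted;email.1 = example.net
permitted;email.2 = example.org

#
# Certificate download addresses for the root CA
[ auth_info_access ]
# ROOTCRT is a placeholder: replace with the URL of the root certificate
caIssuers;URI = ROOTCRT

#
# CRL Download address for the root CA
[ crl_dist ]
# ROOTCRL is a placeholder: replace with the URL of the root CRL
fullname = URI:ROOTCRL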