#
# OpenSSL configuration for the Root Certification Authority.
#
# Used with `openssl req` to generate the root key and self-signed root
# certificate, and with `openssl ca` to sign intermediate CA certificates
# and issue the root's CRL. ROOTCRT and ROOTCRL below are placeholders
# for the published certificate and CRL URLs and must be substituted
# before the first certificate is issued.
#

#
# CA base directory. Every path in this file is resolved through
# $ENV::CA_HOME, so export CA_HOME to the CA directory before running
# openssl. The value below is the fallback OpenSSL uses when CA_HOME is
# absent from the environment (the lookup then falls through to this
# unnamed default section), i.e. the current working directory.
CA_HOME                 = .
# Seed file for the legacy PRNG. OpenSSL 1.1.1 and later no longer need
# it; it is kept under private/, which should be readable only by the
# CA operator.
RANDFILE                = $ENV::CA_HOME/private/.rnd

#
# Default Certification Authority
#
# Section `openssl ca` uses unless -name is given on the command line.
[ ca ]
default_ca              = root_ca

#
# Root Certification Authority
#
# Settings for `openssl ca` when the root key signs intermediate CA
# certificates and CRLs. No extension section is selected here; pass it
# on every run, e.g. `openssl ca -extensions intermed-ca_ext`.
[ root_ca ]
dir                     = $ENV::CA_HOME
certs                   = $dir/certs
# Sequential serial numbers. Acceptable for a private root issuing a
# handful of intermediates; public PKI requires unpredictable serials
# (OpenSSL >= 1.1.1 offers `rand_serial = yes` for that).
serial                  = $dir/root-ca.serial
database                = $dir/root-ca.index
new_certs_dir           = $dir/newcerts
certificate             = $dir/root-ca.cert.pem
# Root key: keep it passphrase-protected (encrypt_key in [ req ]) and
# on an offline machine.
private_key             = $dir/private/root-ca.key.pem
default_days            = 1826 # Five years
crl                     = $dir/root-ca.crl
crl_dir                 = $dir/crl
crlnumber               = $dir/root-ca.crlnum
# Display options only; they do not affect what is signed.
name_opt                = multiline, align
cert_opt                = no_pubkey
# SECURITY: `copy` carries every extension from the CSR into the issued
# certificate unless the same extension is set in the -extensions
# section. [ intermed-ca_ext ] does not define extendedKeyUsage,
# certificatePolicies or nameConstraints, so a CSR can supply them.
# Inspect each CSR (`openssl req -text -noout`) before signing, or set
# this to `none` so that all extensions stay under CA control.
copy_extensions         = copy
crl_extensions          = crl_ext
# CRLs stay valid for about six months. Relying parties may cache a CRL
# for its whole lifetime, so reissue the CRL immediately after any
# revocation instead of waiting for the next scheduled run.
default_crl_days        = 180
default_md              = sha256
# Subject DN attribute order follows [ policy ], not the CSR.
preserve                = no
# Keep email addresses out of the subject DN; they belong in the SAN.
email_in_dn             = no
policy                  = policy
# Allow several valid certificates with the same subject (renewals).
# `openssl ca` will therefore not object to re-issuing an existing
# subject; check the database before signing.
unique_subject          = no

#
# Distinguished Name Policy for CAs
#
# Applied by `openssl ca` to the subject of every intermediate it signs.
# `supplied` only requires the attribute to be present; nothing is
# required to `match` the root's DN, so an intermediate may carry any O
# and CN. Use `match` for organizationName if every sub-CA must share
# the root's organization.
[ policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied

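#
# Root CA Request Options
#
# Used by `openssl req` to generate the root key, its CSR and (with
# -x509) the self-signed root certificate.
[ req ]
# 4096-bit RSA for a long-lived root.
default_bits            = 4096
# Resolved through CA_HOME like every other path in this file, so the
# key lands in the CA tree regardless of the working directory (the
# previous relative path depended on running from the CA directory).
default_keyfile         = $ENV::CA_HOME/private/root-ca.key.pem
# Always passphrase-protect the root key on disk.
encrypt_key             = yes
default_md              = sha256
# UTF8String only in the DN; avoids legacy BMPString/T61String encodings.
string_mask             = utf8only
utf8                    = yes
# Take the DN from [ distinguished_name ] instead of prompting.
prompt                  = no
# Extensions embedded in the root's CSR.
req_extensions          = root-ca_req_ext
# Extensions for the self-signed certificate produced by `req -x509`.
# Without this, a `req -x509` run that forgets `-extensions root-ca_ext`
# yields a root lacking the keyUsage and nameConstraints defined in
# [ root-ca_ext ]; an explicit -extensions on the command line still
# takes precedence.
x509_extensions         = root-ca_ext
distinguished_name      = distinguished_name
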
#
# Root CA Request Extensions
#
# Extensions carried in the root's own CSR. Both are also set in
# [ root-ca_ext ], which is what the self-signed certificate gets; the
# CSR copy only matters if the root CSR is ever signed by another CA
# (cross-signing).
[ root-ca_req_ext ]
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name

#
# Distinguished Name (DN)
#
# Subject of the root certificate. Deliberately no emailAddress
# attribute: contact details live in subjectAltName (see email_in_dn in
# [ root_ca ]). Replace example.net with the real organization.
[ distinguished_name ]
organizationName        = example.net
commonName              = example.net Root Certification Authority

#
# Root CA Certificate Extensions
#
# Extensions for the self-signed root certificate. Select with
# `openssl req -x509 -extensions root-ca_ext` (or via x509_extensions
# in [ req ]).
[ root-ca_ext ]
# A root that may only sign certificates and CRLs; no TLS or S/MIME use.
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign
# Critical name constraints bind every subordinate CA and leaf to the
# names in [ name_constraints ]. Because the extension is critical, a
# validator that does not implement it must reject the chain; some
# older clients may do exactly that.
nameConstraints         = critical, @name_constraints
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
# Optional on a self-signed certificate (RFC 5280 4.2.1.1); harmless.
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
# AIA and CRL DP on a trust anchor are informational: clients generally
# do not check revocation of a root they trust directly. Both point at
# the ROOTCRT/ROOTCRL placeholders until those are substituted.
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist

#
# Intermediate CA Certificate Extensions
#
# Profile for intermediates signed by this root; select with
# `openssl ca -extensions intermed-ca_ext`. The root's nameConstraints
# already apply to everything the intermediate issues (constraints are
# intersected down the chain), so none are repeated here. Any extension
# not listed below may still arrive from the CSR because [ root_ca ]
# sets copy_extensions = copy.
[ intermed-ca_ext ]
# pathlen:0 - the intermediate may sign end-entity certificates only,
# never another CA.
basicConstraints        = critical, CA:true, pathlen:0
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
# Shared SAN section; its email address must satisfy the root's
# permitted;email constraints, since the intermediate's SAN is checked
# against them.
subjectAltName          = @subject_alt_name
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
# Where relying parties fetch the root certificate and the root's CRL.
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist

#
# CRL Certificate Extensions
#
# Extensions added to every CRL the root issues (crl_extensions in
# [ root_ca ]). The key identifier lets clients match the CRL to the
# root key that signed it.
[ crl_ext ]
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy

#
# Certificate Authorities Alternative Names
#
# SAN shared by the root and every intermediate. The intermediate's SAN
# is subject to the root's name constraints, so the email address must
# stay within permitted;email in [ name_constraints ] (example.net does).
# The URI name form is not constrained and is informational only.
[ subject_alt_name ]
URI                     = http://ca.example.net/
email                   = certmaster@example.net

#
# Name Constraints
#
# Applied critically by the root (see [ root-ca_ext ]) to the subject
# and SAN of every certificate below it.
#
# Matching rules (RFC 5280 4.2.1.10):
#  - A DNS constraint without a leading dot matches the name itself and
#    any subdomain: `example.net` covers example.net and *.example.net.
#  - An email constraint without a leading dot matches mailboxes at that
#    exact host only: `example.net` permits user@example.net but not
#    user@sub.example.net; use `.example.net` to cover subdomains.
#  - Only name forms listed here are restricted. There is no IP or
#    dirName entry, so IP-address SANs and directory names are NOT
#    constrained by this root. If this PKI never issues IP SANs, close
#    that gap with:
#      excluded;IP.1 = 0.0.0.0/0.0.0.0
#      excluded;IP.2 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
#  - `lan` is an unregistered TLD and `onion` a special-use one; .3/.4
#    permit any name under them.
[ name_constraints ]
permitted;DNS.1         = example.net
permitted;DNS.2         = example.org
permitted;DNS.3         = lan
permitted;DNS.4         = onion
permitted;email.1       = example.net
permitted;email.2       = example.org

#
# Certificate download addresses for the root CA
#
# ROOTCRT is a placeholder for the URL of the published root certificate.
# OpenSSL accepts any string as the URI, so an unsubstituted placeholder
# is silently embedded as a bogus AIA in every certificate issued;
# substitute it before the first signing.
[ auth_info_access ]
caIssuers;URI           = ROOTCRT

#
# CRL Download address for the root CA
#
# ROOTCRL is a placeholder for the URL of the root's published CRL.
# Substitute it before issuing; OpenSSL does not validate the value, so
# a leftover placeholder ends up verbatim in every certificate's CRL DP.
[ crl_dist ]
fullname                = URI:ROOTCRL
