# Defaults in the event they're not set in the environment
# Every $ENV::NAME reference in the sections below resolves to the environment
# variable NAME when it is set, otherwise to the value given here.
# CA_COMMON_NAME is also read via $ENV::CA_COMMON_NAME (see [req_env_dn]) but
# has no default in this file, so the caller must export it -- TODO confirm
# the driving script always does.
# Output directory for CA state files, keys and certificates
CA_DIR    = out
# RSA key size in bits for generated keys (consumed via default_bits in [req])
KEY_SIZE  = 2048
# Only used to build the "type" file-name prefix in [CA_root]; the signature
# digest itself is fixed separately by default_md in [CA_root] and [req]
ALGO      = sha256
# Part of the "type" prefix; selects which on-disk CA state [CA_root] points at
CERT_TYPE = root
# Name of the distinguished_name section used by [req]; defaults to the
# environment-driven [req_env_dn] rather than the fixed DN sections below
CA_NAME   = req_env_dn
7
[ca]
# Entry point for "openssl ca": all CA settings live in [CA_root]
default_ca = CA_root
# Keep the DN attribute order from the request instead of reordering it to
# match the policy section
preserve   = yes
11
# The default test root, used to generate certificates and CRLs.
[CA_root]
# Taken from the environment, falling back to the file-level defaults above
dir           = $ENV::CA_DIR
key_size      = $ENV::KEY_SIZE
algo          = $ENV::ALGO
cert_type     = $ENV::CERT_TYPE
# Prefix shared by every state file of this CA, e.g. 2048-sha256-root with
# the defaults; keys below must stay after the ones they reference
type          = $key_size-$algo-$cert_type
database      = $dir/$type-index.txt
new_certs_dir = $dir
serial        = $dir/$type-serial
certificate   = $dir/$type.pem
private_key   = $dir/$type.key
RANDFILE      = $dir/.rand
# Validity in days: 10 years for issued certificates, 30 days per CRL
default_days     = 3650
default_crl_days = 30
default_md       = sha256
# Every DN field is optional -- this test CA does not enforce a subject shape
policy           = policy_anything
# Allow several valid certificates with the same subject; presumably so that
# fixtures can be regenerated without purging the database first
unique_subject   = no
# Extensions in the CSR are copied into the issued certificate; entries in the
# extension section given to "openssl ca" override them. Acceptable for a test
# CA, unsafe for a CA that signs requests it does not fully control.
copy_extensions  = copy
31
[user_cert]
# Extensions to add when signing a request for an EE cert
# critical CA:false so the leaf cannot itself act as an issuer
basicConstraints       = critical, CA:false
subjectKeyIdentifier   = hash
# keyid:always fails if the issuer has no subjectKeyIdentifier; the root gets
# one from [req_ca_exts]
authorityKeyIdentifier = keyid:always
# Both TLS server and client authentication are permitted
extendedKeyUsage       = serverAuth,clientAuth
38
[name_constraint_bad]
# A leaf cert that will violate the root's imposed name constraints
# Same profile as [user_cert] plus a SAN list. No nameConstraints extension is
# defined in this file, so the constraints presumably come from the issuer's
# own configuration -- verify against the script that signs this request.
basicConstraints       = critical, CA:false
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage       = serverAuth,clientAuth
# dNSName entries come from the referenced section below
subjectAltName         = @san_name_constraint_bad
46
[name_constraint_good]
# A leaf cert that will match the root's imposed name constraints
# Same profile as [user_cert] plus a SAN list; the constraints themselves are
# not set in this file (see [name_constraint_bad]).
basicConstraints       = critical, CA:false
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage       = serverAuth,clientAuth
# dNSName entries come from the referenced section below
subjectAltName         = @san_name_constraint_good
54
[san_name_constraint_bad]
# dNSName values for [name_constraint_bad]. The mixed case is presumably there
# to exercise case-insensitive matching -- confirm against the consuming test.
DNS.1 = test.ExAmPlE.CoM
DNS.2 = test.ExAmPlE.OrG
58
[san_name_constraint_good]
# dNSName values for [name_constraint_good]; mixed case as in the "bad" list
DNS.1 = test.ExAmPlE.CoM
DNS.2 = example.notarealtld
62
[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
# Disabled; the reason is not recorded here. Without it the intermediate
# carries no authorityKeyIdentifier, so issuer lookup relies on name matching
# only -- TODO confirm this is what the tests intend
#authorityKeyIdentifier = keyid:always
# Signing of certificates and CRLs only; no digitalSignature, so the CA key is
# not usable for TLS handshakes
keyUsage               = critical, keyCertSign, cRLSign
69
[crl_extensions]
# Extensions to add when signing a CRL
# Identifies the signing CA by its subjectKeyIdentifier
authorityKeyIdentifier = keyid:always
73
[policy_anything]
# Default signing policy
# Every field is optional, so no DN attribute is required or checked against
# the CA's own DN; the subject of an issued cert is entirely up to the request
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = optional
emailAddress           = optional
83
[req]
# The request section used to generate the root CA certificate. This should
# not be used to generate end-entity certificates. For certificates other
# than the root CA, see README to find the appropriate configuration file
# (ie: openssl_cert.cnf).
default_bits       = $ENV::KEY_SIZE
default_md         = sha256
# Encode DN strings as UTF8String only
string_mask        = utf8only
# Take the DN from the configured section instead of prompting interactively
prompt             = no
# The private key is written to disk unencrypted -- acceptable only because
# these are test fixtures
encrypt_key        = no
# Which DN section to use; defaults to [req_env_dn] via the file-level CA_NAME
distinguished_name = $ENV::CA_NAME
# Applied only when "req -x509" self-signs the root certificate
x509_extensions    = req_ca_exts
96
[req_ca_dn]
# Fixed subject for the test root; selected by setting CA_NAME=req_ca_dn
C  = US
ST = California
L  = Mountain View
O  = Test CA
CN = Test Root CA
103
[req_intermediate_dn]
# Fixed subject for a test intermediate; selected by setting
# CA_NAME=req_intermediate_dn
C  = US
ST = California
L  = Mountain View
O  = Test CA
CN = Test Intermediate CA
110
[req_env_dn]
# Subject consisting of a CN only, taken from the environment. Unlike the
# other $ENV:: variables, CA_COMMON_NAME has no file-level default, so the
# request fails if the caller does not export it.
CN = $ENV::CA_COMMON_NAME
113
[req_ca_exts]
# Extensions for the self-signed root produced by [req]; no
# authorityKeyIdentifier is needed since issuer and subject are the same key
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
# Gives the root a subjectKeyIdentifier that authorityKeyIdentifier=keyid:always
# in the leaf profiles above can reference
subjectKeyIdentifier   = hash