Instrumental | 31d847e | 2018-03-26 14:17:19 -0700 | [diff] [blame] | 1 | # OpenSSL root CA configuration file. |
| 2 | # Copy to `/opt/app/osaaf/CA/openssl.cnf`. |
| 3 | |
| 4 | [ ca ] |
| 5 | # `man ca` |
| 6 | default_ca = CA_default |
| 7 | |
| 8 | [ CA_default ] |
| 9 | # Directory and file locations. |
| 10 | dir = . |
| 11 | certs = $dir/certs |
| 12 | crl_dir = $dir/crl |
| 13 | new_certs_dir = $dir/newcerts |
| 14 | database = $dir/index.txt |
| 15 | serial = $dir/serial |
| 16 | RANDFILE = $dir/private/.rand |
| 17 | |
| 18 | # The root key and root certificate. |
| 19 | private_key = $dir/private/ca.key |
| 20 | certificate = $dir/certs/ca.crt |
| 21 | |
| 22 | # For certificate revocation lists. |
| 23 | crlnumber = $dir/crlnumber |
| 24 | crl = $dir/crl/ca.crl.pem |
| 25 | crl_extensions = crl_ext |
| 26 | default_crl_days = 30 |
| 27 | |
| 28 | # SHA-1 is deprecated, so use SHA-2 instead. |
| 29 | default_md = sha256 |
| 30 | |
| 31 | name_opt = ca_default |
| 32 | cert_opt = ca_default |
| 33 | default_days = 60 |
| 34 | preserve = no |
| 35 | policy = policy_strict |
| 36 | |
| 37 | [ policy_strict ] |
| 38 | # The root CA should only sign intermediate certificates that match. |
| 39 | # See the POLICY FORMAT section of `man ca`. |
| 40 | countryName = match |
| 41 | stateOrProvinceName = optional |
| 42 | organizationName = match |
| 43 | organizationalUnitName = supplied |
| 44 | commonName = supplied |
| 45 | |
| 46 | [ policy_loose ] |
| 47 | # Allow the intermediate CA to sign a more diverse range of certificates. |
| 48 | # See the POLICY FORMAT section of the `ca` man page. |
| 49 | countryName = optional |
| 50 | stateOrProvinceName = optional |
| 51 | localityName = optional |
| 52 | organizationName = optional |
| 53 | organizationalUnitName = optional |
| 54 | commonName = supplied |
| 55 | emailAddress = optional |
| 56 | |
| 57 | [ req ] |
| 58 | # Options for the `req` tool (`man req`). |
| 59 | default_bits = 2048 |
| 60 | distinguished_name = req_distinguished_name |
| 61 | string_mask = utf8only |
| 62 | |
| 63 | # SHA-1 is deprecated, so use SHA-2 instead. |
| 64 | default_md = sha256 |
| 65 | |
| 66 | # Extension to add when the -x509 option is used. |
| 67 | x509_extensions = v3_ca |
| 68 | |
| 69 | [ req_distinguished_name ] |
| 70 | # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. |
| 71 | countryName = Country Name (2 letter code) |
| 72 | stateOrProvinceName = State or Province Name |
| 73 | localityName = Locality Name |
| 74 | 0.organizationName = Organization Name |
| 75 | organizationalUnitName = Organizational Unit Name |
| 76 | commonName = Common Name |
| 77 | emailAddress = Email Address |
| 78 | |
| 79 | # Optionally, specify some defaults. |
| 80 | countryName_default = |
| 81 | stateOrProvinceName_default = |
| 82 | localityName_default = |
| 83 | 0.organizationName_default = |
| 84 | organizationalUnitName_default = |
| 85 | emailAddress_default = |
| 86 | |
| 87 | [ v3_ca ] |
| 88 | # Extensions for a typical CA (`man x509v3_config`). |
| 89 | subjectKeyIdentifier = hash |
| 90 | authorityKeyIdentifier = keyid:always,issuer |
| 91 | basicConstraints = critical, CA:true |
| 92 | keyUsage = critical, digitalSignature, cRLSign, keyCertSign |
| 93 | |
| 94 | [ v3_intermediate_ca ] |
| 95 | # Extensions for a typical intermediate CA (`man x509v3_config`). |
| 96 | subjectKeyIdentifier = hash |
| 97 | authorityKeyIdentifier = keyid:always,issuer |
| 98 | basicConstraints = critical, CA:true, pathlen:0 |
| 99 | keyUsage = critical, digitalSignature, cRLSign, keyCertSign |
| 100 | |
| 101 | [ usr_cert ] |
| 102 | # Extensions for client certificates (`man x509v3_config`). |
| 103 | basicConstraints = CA:FALSE |
| 104 | nsCertType = client, email |
| 105 | nsComment = "OpenSSL Generated Client Certificate" |
| 106 | subjectKeyIdentifier = hash |
| 107 | authorityKeyIdentifier = keyid,issuer |
| 108 | keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment |
| 109 | extendedKeyUsage = clientAuth, emailProtection |
| 110 | |
| 111 | [ server_cert ] |
| 112 | # Extensions for server certificates (`man x509v3_config`). |
| 113 | basicConstraints = CA:FALSE |
| 114 | nsCertType = server, client |
| 115 | nsComment = "OpenSSL Generated Server Certificate" |
| 116 | subjectKeyIdentifier = hash |
| 117 | authorityKeyIdentifier = keyid,issuer:always |
| 118 | keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation |
| 119 | extendedKeyUsage = serverAuth, clientAuth |
| 120 | |
| 121 | [ crl_ext ] |
| 122 | # Extension for CRLs (`man x509v3_config`). |
| 123 | authorityKeyIdentifier=keyid:always |
| 124 | |
| 125 | [ ocsp ] |
| 126 | # Extension for OCSP signing certificates (`man ocsp`). |
| 127 | basicConstraints = CA:FALSE |
| 128 | subjectKeyIdentifier = hash |
| 129 | authorityKeyIdentifier = keyid,issuer |
| 130 | keyUsage = critical, digitalSignature |
| 131 | extendedKeyUsage = critical, OCSPSigning |