#
# OpenSSL example configuration file for automated certificate creation.
#

# Fallback values in the default (unnamed) section, so that later
# references to HOME or CN do not fail when either is undefined.
HOME = .
CN = "Not Defined"

# Name of the section that holds the CA settings; see [ca] further down.
default_ca = ca

# Comment out the next line to ignore configuration errors
config_diagnostics = 1

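####################################################################
[ req ]
# Default RSA key size, used when the command line does not give one.
# Raised from 1024: 1024-bit RSA is below the 2048-bit minimum that
# current guidance expects, and OpenSSL security level 2 rejects RSA
# keys shorter than 2048 bits.
default_bits = 2048
default_keyfile = privkey.pem
# Don't prompt for fields: use those in section directly
prompt = no
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert
x509_extensions = v3_ca
string_mask = utf8only

# The extensions to add to a certificate request.
# NOTE(review): no [ v3_req ] section appears in the part of this file
# shown here; one has to exist before this line is enabled.
# req_extensions = v3_req
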
[ req_distinguished_name ]
# NOTE(review): sample value kept as published; the ISO 3166-1 alpha-2
# code for the United Kingdom is GB.
countryName = UK

organizationName = OpenSSL Group
# Take CN from the environment so it can come from a script. The value
# is used as given, so the calling script decides the subject name; the
# CN defined at the top of the file is the fallback when it is unset.
commonName = $ENV::CN

[ usr_cert ]

# Extensions added when 'ca' signs a request for an end entity
# certificate.

# Critical CA:FALSE: the certificate is marked as not being a CA.
basicConstraints = critical, CA:FALSE
# No extendedKeyUsage is set in this section, so the permitted purpose
# is limited only by these key usage bits.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# OCSP responder certificate
[ ocsp_cert ]

basicConstraints = critical, CA:FALSE
# NOTE(review): same key usage bits as [ usr_cert ]; a responder that
# only signs responses presumably needs digitalSignature alone - confirm
# before narrowing.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# Marks the certificate for signing OCSP responses.
extendedKeyUsage = OCSPSigning

[ dh_cert ]

# Extensions added when 'ca' signs a request for an end entity
# DH certificate.

basicConstraints = critical, CA:FALSE
# Key agreement only: no signing or encipherment bits are set.
keyUsage = critical, keyAgreement

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_ca ]

# Extensions for a typical CA; [ req ] applies them to the self signed
# certificate through its x509_extensions setting.

# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# No pathlen is given, so the depth of CA certificates below this one
# is not limited by this extension.
basicConstraints = critical,CA:true
# Signing of certificates and CRLs only.
keyUsage = critical, cRLSign, keyCertSign

# Minimal CA entry to allow generation of CRLs; default_ca at the top
# of the file points at this section.
[ ca ]
# Both paths are relative: no directory part is given.
database = index.txt
crlnumber = crlnum.txt