1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
CA_DIR = out
[ca]
default_ca = CA_root
preserve = yes
# The default test root, used to generate certificates and CRLs.
[CA_root]
dir = ${ENV::CA_DIR}
database = ${dir}/${ENV::CERTIFICATE}-index.txt
new_certs_dir = ${dir}
serial = ${dir}/${ENV::CERTIFICATE}-serial
certificate = ${dir}/${ENV::CERTIFICATE}.pem
private_key = ${dir}/${ENV::CERTIFICATE}.key
RANDFILE = ${dir}/rand
default_days = 3650
default_crl_days = 30
default_md = sha256
policy = policy_anything
unique_subject = no
[user_cert]
# Extensions to add when signing a request for an EE cert
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = IP:127.0.0.1
[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
[ca_cert_with_aki]
# Extensions to add when signing a request for an intermediate/CA cert
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, keyCertSign, cRLSign
[crl_extensions]
# Extensions to add when signing a CRL
authorityKeyIdentifier = keyid:always
[policy_anything]
# Default signing policy
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[req]
# The request section used to generate certificate requests.
default_bits = 2048
default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no
distinguished_name = req_env_dn
[req_env_dn]
CN = ${ENV::CA_COMMON_NAME}
|
