File: root-ca.cnf

#
# OpenSSL configuration for the Root Certification Authority.
#
# Consumed by `openssl req` (key/CSR generation) and `openssl ca` (issuance,
# CRLs) via -config. All paths are resolved relative to CA_HOME. The tokens
# ROOTCRT and ROOTCRL at the end of the file appear to be placeholders that
# are meant to be substituted before certificates are issued — confirm with
# the script that drives this config.
#

#
# CA_HOME is referenced below as $ENV::CA_HOME, so the environment variable
# of that name is consulted first; the `.` assigned here is intended as the
# fallback when it is unset. (Earlier comment said "HOME" — the variable
# actually read is CA_HOME.) NOTE(review): the fallback-to-default-section
# behaviour is OpenSSL config(5) semantics; confirm it holds for the
# OpenSSL version in use.
# RANDFILE is largely ignored by OpenSSL 1.1.1 and later, which seeds its
# CSPRNG itself; it is kept for older builds.
CA_HOME                 = .
RANDFILE                = $ENV::CA_HOME/private/.rnd

#
# Default Certification Authority
# Selects [ root_ca ] as the profile `openssl ca` uses when no -name is
# given on the command line.
[ ca ]
default_ca              = root_ca

#
# Root Certification Authority
# On-disk layout under $dir (= CA_HOME): issued certificates, serial
# counter, index database, CRL number, the CA certificate and its private
# key. The key sits under private/ — that directory should be readable by
# the CA operator only, and ideally the root is operated offline.
[ root_ca ]
dir                     = $ENV::CA_HOME
certs                   = $dir/certs
serial                  = $dir/root-ca.serial
database                = $dir/root-ca.index
new_certs_dir           = $dir/newcerts
certificate             = $dir/root-ca.cert.pem
private_key             = $dir/private/root-ca.key.pem
default_days            = 1826 # Five years
crl                     = $dir/root-ca.crl
crl_dir                 = $dir/crl
crlnumber               = $dir/root-ca.crlnum
# How the certificate is displayed when the operator is asked to confirm
# signing.
name_opt                = multiline, align
cert_opt                = no_pubkey
# "copy" carries over any extension present in the CSR that the selected
# -extensions section does not itself set. The sections below pin
# basicConstraints and keyUsage, so a request cannot override those, but
# other extensions (e.g. extendedKeyUsage) would be taken from the CSR
# as-is. Inspect each CSR's extensions before signing.
copy_extensions         = copy
crl_extensions          = crl_ext
# CRL validity in days; a fresh CRL must be published at least this often
# or relying parties will see it as stale.
default_crl_days        = 180
default_md              = sha256
# Order the subject DN as in [ policy ] rather than as in the request.
preserve                = no
# Strip emailAddress from the subject DN; addresses belong in the
# subjectAltName extension instead.
email_in_dn             = no
policy                  = policy
# Permit several valid certificates with the same subject in the index
# (e.g. re-keying an intermediate before the old one expires).
unique_subject          = no

#
# Distinguished Name Policy for CAs
# Applied to every request signed under [ root_ca ]: "supplied" attributes
# must be present in the CSR, "optional" ones are kept if present, and any
# DN attribute not listed here is dropped from the issued certificate.
[ policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied

#
# Root CA Request Options
# Used by `openssl req` when generating the root key and its CSR.
# NOTE(review): no x509_extensions is set, so a self-signed certificate
# produced with `openssl req -x509` would not carry [ root-ca_ext ]; the
# root is presumably issued with `openssl ca -selfsign -extensions
# root-ca_ext` instead — confirm against the generating script.
[ req ]
# RSA modulus size for newly generated keys.
default_bits            = 4096
default_keyfile         = private/root-ca.key.pem
# Write the private key encrypted; the passphrase is prompted for (or
# given via -passout). Keep this enabled for a root key.
encrypt_key             = yes
default_md              = sha256
# Encode DN strings as UTF8String only, avoiding the legacy T61/BMP forms.
string_mask             = utf8only
utf8                    = yes
# Take the DN verbatim from [ distinguished_name ] instead of prompting.
prompt                  = no
req_extensions          = root-ca_req_ext
distinguished_name      = distinguished_name
# NOTE(review): subjectAltName is not a recognised [ req ] option and is
# ignored here; the request's SAN comes from [ root-ca_req_ext ].
subjectAltName          = @subject_alt_name

#
# Root CA Request Extensions
# Extensions embedded in the root's CSR (req_extensions above). With
# copy_extensions = copy these would be carried into the certificate, but
# [ root-ca_ext ] sets both of them explicitly anyway.
[ root-ca_req_ext ]
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name

#
# Distinguished Name (DN)
# Subject of the root certificate, used verbatim because prompt = no.
# The example.net values are sample identities; replace them for a
# deployment that is not a test fixture.
[ distinguished_name ]
organizationName        = example.net
commonName              = example.net Root Certification Authority

#
# Root CA Certificate Extensions
# Applied when the root certificate itself is issued (select with
# `-extensions root-ca_ext`). basicConstraints and keyUsage are critical so
# relying parties must honour them; keyUsage is limited to signing
# certificates and CRLs, so the root key cannot double as an end-entity key.
# No pathlen is set here; the intermediate profile below sets pathlen:0,
# which keeps chains to root -> intermediate -> leaf.
[ root-ca_ext ]
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign
# Binds every certificate below this root to the names in
# [ name_constraints ]; critical so clients that do not implement name
# constraints reject the chain rather than silently ignore the limit.
nameConstraints         = critical, @name_constraints
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
# For a self-signed root this points at the root's own key identifier.
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist

#
# Intermediate CA Certificate Extensions
# Applied when the root signs an intermediate CA (select with
# `-extensions intermed-ca_ext`). pathlen:0 means the intermediate may
# issue end-entity certificates only, not further CA certificates.
# It carries no nameConstraints of its own: the root's constraints already
# bind every certificate below it (RFC 5280 section 4.2.1.10).
[ intermed-ca_ext ]
basicConstraints        = critical, CA:true, pathlen:0
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist

#
# CRL Certificate Extensions
# Extensions placed in CRLs generated by `openssl ca -gencrl`
# (crl_extensions above). authorityKeyIdentifier lets verifiers match the
# CRL to the issuing key.
[ crl_ext ]
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy

#
# Certificate Authorities Alternative Names
# SAN entries shared by the root and intermediate profiles above. Both
# values are within the permitted name constraints (email at example.net).
[ subject_alt_name ]
URI                     = http://ca.example.net/
email                   = certmaster@example.net

#
# Name Constraints
# Permitted subtrees for the whole hierarchy. A DNS entry matches that
# name and every subdomain of it; an email entry of the form "host"
# matches mailboxes at exactly that host. Name types with no permitted
# subtree listed here (e.g. IP addresses, URIs) remain unconstrained.
# "lan" and "onion" are non-public suffixes, so leaf certificates for
# local and Tor hostnames can be issued under this root.
[ name_constraints ]
permitted;DNS.1         = example.net
permitted;DNS.2         = example.org
permitted;DNS.3         = lan
permitted;DNS.4         = onion
permitted;email.1       = example.net
permitted;email.2       = example.org

#
# Certificate download addresses for the root CA
# ROOTCRT is not a URI; it appears to be a placeholder substituted before
# issuance — confirm with the generating script. Left unsubstituted it
# would be embedded literally as the caIssuers URI.
[ auth_info_access ]
caIssuers;URI           = ROOTCRT

#
# CRL Download address for the root CA
# Referenced by name (no @) from crlDistributionPoints above. ROOTCRL looks
# like a placeholder for the real CRL URL — confirm it is substituted before
# certificates are issued.
[ crl_dist ]
fullname                = URI:ROOTCRL