#
# OpenSSL example configuration file for automated certificate creation.
# Used together with the demo scripts in this directory; sections are
# selected by 'openssl req' / 'openssl ca' via default_ca and -extensions.
#
# Fallback values for settings that the sections below read from the
# environment: when HOME or CN is not exported, the $ENV:: lookups
# resolve to these instead of aborting the command.
HOME = .
CN = "Not Defined"
# Section used by 'openssl ca' when no -name is given on the command line.
default_ca = ca

# Treat configuration errors as fatal instead of silently ignoring them.
# Comment out the next line to restore the lenient behaviour.
config_diagnostics = 1
####################################################################
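[ req ]
# RSA modulus size used by 'openssl req' when -newkey does not specify one.
# 1024-bit RSA is below the generally accepted minimum and should no longer
# be generated; 2048 is the smallest acceptable size today (3072, or an EC
# key, where the consumers support it).
default_bits = 2048
# Where the generated private key is written unless -keyout overrides it.
default_keyfile = privkey.pem
# Don't prompt for fields: use those in section directly
prompt = no
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert
x509_extensions = v3_ca
# Encode DN string fields as UTF8String only.
string_mask = utf8only

# The extensions to add to a certificate request (disabled in this demo)
# req_extensions = v3_req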
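[ req_distinguished_name ]
# Subject fields are used verbatim because [ req ] sets prompt = no.

# countryName is an ISO 3166-1 alpha-2 code. The code assigned to the
# United Kingdom is GB; "UK" is not an assigned code and is rejected by
# strict validators.
countryName = GB

organizationName = OpenSSL Group
# Take CN from environment so it can come from a script.
# Falls back to the CN default in the unnamed section when unset.
commonName = $ENV::CN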
[ usr_cert ]

# Profile applied by 'openssl ca' when signing a request for an ordinary
# end-entity certificate.

# Not a CA: this certificate must never be accepted as an issuer.
basicConstraints = critical, CA:FALSE
# Signing plus RSA key transport. nonRepudiation is OpenSSL's name for the
# bit X.509 now calls contentCommitment.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# PKIX-recommended key identifiers; harmless in any certificate and let
# verifiers match issuer and subject keys when building a chain.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
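# OCSP responder certificate
[ ocsp_cert ]

# Profile for a delegated OCSP responder signed by this CA. The responder
# key only ever signs OCSP responses, so keyUsage is limited to
# digitalSignature; the keyEncipherment and nonRepudiation bits granted no
# needed capability and only widened what the key could be used for.
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# Identifies the certificate as an authorised responder for the issuing CA.
extendedKeyUsage = OCSPSigning
# NOTE(review): relying parties may attempt to check this certificate's own
# revocation status. If that is unwanted, add the id-pkix-ocsp-nocheck
# extension ("noCheck = ignored") and keep the responder's validity short.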
[ dh_cert ]

# Profile applied by 'openssl ca' when signing a request for an end-entity
# certificate whose public key is a Diffie-Hellman key.

# Not a CA.
basicConstraints = critical, CA:FALSE
# A DH key can only derive shared secrets, so keyAgreement is the sole
# usage that makes sense for it.
keyUsage = critical, keyAgreement

# PKIX-recommended key identifiers; harmless in any certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ca ]

# Extensions for a CA certificate; [ req ] applies this profile to the
# self-signed certificate it creates.

# PKIX recommendation: key identifiers for chain building. For a
# self-signed certificate the authority key id equals the subject key id.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# No pathlen constraint is set, so certificates under this profile may also
# sign subordinate CAs. Add "pathlen:0" if a CA must only issue end-entity
# certificates.
basicConstraints = critical, CA:true
# A CA key signs certificates and CRLs and nothing else.
keyUsage = critical, cRLSign, keyCertSign
# Minimal 'openssl ca' section: just enough state to issue CRLs.
# The CA key and certificate, serial file, validity period and policy are
# not set here and are presumably supplied on the command line.
[ca]
# Database of issued certificates
database = index.txt
# Persistent CRL sequence number
crlnumber = crlnum.txt