# $OpenBSD: root.cnf,v 1.5 2023/09/26 21:18:01 tb Exp $
# For regression tests
#
# OpenSSL-style configuration for the regress root CA, read by the
# `ca`, `req` and `x509` tools.  `#` is the only comment character in
# this format and `$name` references are expanded by the config parser,
# so every path below is relative to `dir`.
default_ca = CA_regress

[ CA_regress ]
# Directory and file locations.
# Everything lives in the current working directory: the key, the
# database and the serial file sit next to the issued certificates.
dir = .
certs = $dir
crl_dir = $dir
database = $dir/root.txt
serial = $dir/root.serial
new_certs_dir = $dir

# The root key and root certificate.
# No passphrase or engine settings are configured here; protecting the
# key file is left to the filesystem and the test harness.
private_key = $dir/root.key.pem
certificate = $dir/root.cert.pem

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/ca.crl.pem
crl_extensions = crl_ext
# Lifetime of an issued CRL, in days.
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Display format used by `ca` when it shows the certificate for
# confirmation before signing.
name_opt = ca_default
cert_opt = ca_default
# Validity of certificates issued by `ca`, in days.
default_days = 375
# DN component order follows the policy section, not the request.
preserve = no
# Subject policy applied to every request; see [ policy_strict ].
policy = policy_strict
# NOTE(review): there is no x509_extensions and no copy_extensions key
# in this section, so the extension profile for `ca` has to be chosen
# on the command line with -extensions (e.g. v3_intermediate_ca) and
# extensions carried in a request are not copied.  That matches
# OpenSSL's documented defaults; confirm against the regress driver.

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
# `match`: the field must equal the CA certificate's own value;
# `supplied`: the field must be present; `optional`: may be absent.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
# Not referenced by [ CA_regress ]; selectable with -policy policy_loose.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
# Key size, in bits, when `req` generates the key itself.
default_bits = 2048
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only.
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Extension to add when the -x509 option is used.
# The self-signed root is therefore built with the [ v3_ca ] profile.
x509_extensions = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompt strings for each DN field.  The numeric prefix on
# 0.organizationName is OpenSSL's syntax for letting the same field
# appear more than once in a DN.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
# These only pre-fill the interactive prompts; they are test values.
countryName_default = CA
stateOrProvinceName_default = Alberta
localityName_default = Edmonton
0.organizationName_default = OpenBSD
organizationalUnitName_default = So and Sos
emailAddress_default = evilsoandsos@openbsd.org
commonName_default = Regress Root CA

[ v3_ca ]
# Extensions for a typical CA (`man x509v3.cnf`).
# No pathlen here, so this root may issue further CA certificates;
# compare [ v3_intermediate_ca ].
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# Both marked critical so a verifier that does not understand them
# rejects the certificate instead of silently ignoring them.
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3.cnf`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 - this CA may issue end-entity certificates only, not
# further CAs.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Restrict the names this intermediate may certify; the subtrees are
# listed in [ ca_name_constraints ].
nameConstraints = critical, @ca_name_constraints

[ ca_name_constraints ]
# Syntax is `permitted;TYPE.N` / `excluded;TYPE.N` (`man x509v3.cnf`).
# DNS and URI entries with a leading dot cover names under that domain.
permitted;DNS.0 = .openbsd.org
permitted;DNS.1 = client
permitted;email.0 = openbsd.org
permitted;email.1 = @test.openbsd.org
permitted;URI.0 = .openbsd.org
# Directory-name subtree, defined in [ openbsd_dn ].
permitted;dirName.0 = openbsd_dn
# otherName with an explicit OID (the Microsoft UPN type) and UTF8 value.
permitted;otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:@openbsd.org
# A zero-length mask covers every address: no IPv4 or IPv6 SAN may be
# certified below this CA.
excluded;IP.0 = 0.0.0.0/0.0.0.0
excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ openbsd_dn ]
# Directory name used by the dirName constraint above.
C = CA
O = OpenBSD

[ usr_cert ]
# Extensions for client certificates (`man x509v3.cnf`).
basicConstraints = CA:FALSE
# Legacy Netscape extensions, kept for compatibility; generally ignored
# by modern verifiers.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
# keyid with issuer fallback (no :always), unlike [ server_cert ].
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3.cnf`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
# issuer:always forces the issuer name and serial into the AKID in
# addition to the key id.
authorityKeyIdentifier = keyid,issuer:always
# Narrower than [ usr_cert ]: no nonRepudiation.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3.cnf`).
# Identifies the issuing key in every CRL; with :always, generation
# fails if the CA certificate has no subject key identifier to copy.
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Signing only; the critical OCSPSigning EKU restricts this key to
# responder duties.
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning