#
# OpenSSL configuration file to create apps directory certificates
#
# Every subject built from this file carries the organizational unit
# "FOR TESTING PURPOSES ONLY"; the profiles below are test fixtures and
# set no extendedKeyUsage or subjectAltName.
#

# Fallback values so that references to HOME or CN further down do not
# fail when the variable is undefined.
HOME = .
CN = "Not Defined"

# Treat configuration errors as fatal. Comment out the next line to
# ignore configuration errors; leaving it enabled means a mistyped
# section or option stops the run instead of being skipped.
config_diagnostics = 1


####################################################################
[ req ]
# Key size in bits for keys that 'req' generates.
default_bits = 2048
# File the generated private key is written to. Whether that file is
# passphrase-protected is decided by how 'req' is invoked, not by this
# file, so restrict access to it accordingly.
default_keyfile = privkey.pem
# Don't prompt for fields: use those in section directly
prompt = no
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert. Because this points at
# v3_ca, a self-signed certificate made with this file is a CA certificate.
x509_extensions = v3_ca
string_mask = utf8only
# No default_md is set in this file, so the signature digest comes from
# the command line or from the OpenSSL default.

# The extensions to add to a certificate request. Left disabled; no
# v3_req section is defined in this file, so one must be added before
# enabling the line below.
# req_extensions = v3_req

[ req_distinguished_name ]
# NOTE(review): the ISO 3166-1 alpha-2 code for the United Kingdom is GB;
# "UK" is kept here as the existing test value.
countryName = UK

organizationName = OpenSSL Group
organizationalUnitName = FOR TESTING PURPOSES ONLY
# Take CN from environment so it can come from a script.
# A certificate whose subject CN reads "Not Defined" presumably means the
# calling script did not export CN and the fallback above was used.
commonName = $ENV::CN

[ usr_cert ]

# These extensions are added when 'ca' signs a request for an end entity
# certificate

# critical CA:FALSE marks the certificate as unable to act as an issuer.
basicConstraints = critical, CA:FALSE
# critical keyUsage limits the key to the listed operations.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# NOTE(review): unlike ec_cert, this section sets neither
# subjectKeyIdentifier nor authorityKeyIdentifier - confirm that is intended.

[ ec_cert ]

# These extensions are added when 'ca' signs a request for an end entity
# certificate

basicConstraints = critical, CA:FALSE
# Same as usr_cert except keyAgreement replaces keyEncipherment.
keyUsage = critical, nonRepudiation, digitalSignature, keyAgreement

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_ca ]


# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# CA:true with no pathlen: nothing in this section limits how many levels
# of subordinate CAs may be issued below this certificate.
basicConstraints = critical,CA:true
# The CA key may only sign certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign