xref: /freebsd/crypto/openssl/demos/certs/ca.cnf (revision 5f757f3ff9144b609b3c433dfd370cc6bdc191ad)
1#
2# OpenSSL example configuration file for automated certificate creation.
3#
4
5# This definition stops the following lines choking if HOME or CN
6# is undefined.
7HOME			= .
8CN			= "Not Defined"
9default_ca		= ca
10
11# Comment out the next line to ignore configuration errors
12config_diagnostics = 1
13
14####################################################################
15[ req ]
16default_bits		= 1024
17default_keyfile 	= privkey.pem
18# Don't prompt for fields: use those in section directly
19prompt			= no
20distinguished_name	= req_distinguished_name
21x509_extensions	= v3_ca	# The extensions to add to the self signed cert
22string_mask = utf8only
23
24# req_extensions = v3_req # The extensions to add to a certificate request
25
26[ req_distinguished_name ]
27countryName			= UK
28
29organizationName		= OpenSSL Group
30# Take CN from environment so it can come from a script.
31commonName			= $ENV::CN
32
33[ usr_cert ]
34
35# These extensions are added when 'ca' signs a request for an end entity
36# certificate
37
38basicConstraints=critical, CA:FALSE
39keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
40
41# PKIX recommendations harmless if included in all certificates.
42subjectKeyIdentifier=hash
43authorityKeyIdentifier=keyid
44# OCSP responder certificate
45[ ocsp_cert ]
46
47basicConstraints=critical, CA:FALSE
48keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
49
50# PKIX recommendations harmless if included in all certificates.
51subjectKeyIdentifier=hash
52authorityKeyIdentifier=keyid
53extendedKeyUsage=OCSPSigning
54
55[ dh_cert ]
56
57# These extensions are added when 'ca' signs a request for an end entity
58# DH certificate
59
60basicConstraints=critical, CA:FALSE
61keyUsage=critical, keyAgreement
62
63# PKIX recommendations harmless if included in all certificates.
64subjectKeyIdentifier=hash
65authorityKeyIdentifier=keyid
66
67[ v3_ca ]
68
69
70# Extensions for a typical CA
71
72# PKIX recommendation.
73
74subjectKeyIdentifier=hash
75authorityKeyIdentifier=keyid:always
76basicConstraints = critical,CA:true
77keyUsage = critical, cRLSign, keyCertSign
78
79# Minimal CA entry to allow generation of CRLs.
80[ca]
81database=index.txt
82crlnumber=crlnum.txt
83