#
# OpenSSL example configuration file for automated certificate creation.
#
# Contents: default-section variables, the [ req ] settings used to build a
# self-signed certificate, and the extension sections usr_cert, dh_cert and
# v3_ca.
#

# Comment out the next line to ignore configuration errors.
config_diagnostics = 1

# Default-section fallbacks: these stop later lines choking if HOME or CN
# is undefined. CN is expanded as $ENV::CN in [ req_distinguished_name ],
# so a script that forgets to export CN still gets a certificate, with this
# placeholder as its commonName. Check the subject of what was issued.
HOME = .
CN = "Not Defined"
# NOTE(review): no section named "ca" appears in this listing; confirm where
# it is defined before relying on the 'ca' command with this file.
default_ca = ca

####################################################################
[ req ]
# Size in bits of a key generated by 'req'.
default_bits = 2048
# File the generated private key is written to. No encrypt_key option is set
# here, so whether the key is encrypted is left to OpenSSL's default and the
# 'req' command line. Keep the file readable by its owner only.
default_keyfile = privkey.pem
# Don't prompt for fields: use those in section directly
prompt = no
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert
x509_extensions = v3_ca
# String fields are encoded as UTF8String only.
string_mask = utf8only

# Left disabled; no v3_req section appears in this listing.
# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
# NOTE(review): the ISO 3166-1 alpha-2 code for the United Kingdom is GB;
# UK is kept here because it is the example's existing value.
countryName = UK

organizationName = OpenSSL Group
# Take CN from environment so it can come from a script. The calling script
# therefore decides the subject name, and any validation of that name has to
# happen there.
commonName = $ENV::CN

[ usr_cert ]

# These extensions are added when 'ca' signs a request for an end entity
# certificate

# Critical CA:FALSE marks the certificate as unable to act as an issuer.
basicConstraints = critical, CA:FALSE
# No extendedKeyUsage is set in this section, so the certificate is not
# restricted to a particular purpose such as server or client authentication.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ dh_cert ]

# These extensions are added when 'ca' signs a request for an end entity
# DH certificate

basicConstraints = critical, CA:FALSE
# Key agreement is the only permitted use of the key.
keyUsage = critical, keyAgreement

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier = hash
# "always" makes generation fail if the key identifier cannot be included.
authorityKeyIdentifier = keyid:always
# No pathlen is given, so the depth of subordinate CAs below this
# certificate is not limited. Add a pathlen value if that is not intended.
basicConstraints = critical,CA:true
# Limited to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign