xref: /freebsd/crypto/openssl/test/smime-certs/ca.cnf (revision 59c8e88e72633afbc47a4ace0d2170d00d51f7dc)
1#
2# OpenSSL example configuration file for automated certificate creation.
3#
4
5# Comment out the next line to ignore configuration errors
6config_diagnostics = 1
7
8# This definition stops the following lines choking if HOME or CN
9# is undefined.
10HOME			= .
11CN			= "Not Defined"
12default_ca		= ca
13
14####################################################################
15[ req ]
16default_bits		= 2048
17default_keyfile 	= privkey.pem
18# Don't prompt for fields: use those in section directly
19prompt			= no
20distinguished_name	= req_distinguished_name
21x509_extensions	= v3_ca	# The extensions to add to the self signed cert
22string_mask = utf8only
23
24# req_extensions = v3_req # The extensions to add to a certificate request
25
26[ req_distinguished_name ]
27countryName			= UK
28
29organizationName		= OpenSSL Group
30# Take CN from environment so it can come from a script.
31commonName			= $ENV::CN
32
33[ usr_cert ]
34
35# These extensions are added when 'ca' signs a request for an end entity
36# certificate
37
38basicConstraints=critical, CA:FALSE
39keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
40
41# PKIX recommendations harmless if included in all certificates.
42subjectKeyIdentifier=hash
43authorityKeyIdentifier=keyid
44
45[ dh_cert ]
46
47# These extensions are added when 'ca' signs a request for an end entity
48# DH certificate
49
50basicConstraints=critical, CA:FALSE
51keyUsage=critical, keyAgreement
52
53# PKIX recommendations harmless if included in all certificates.
54subjectKeyIdentifier=hash
55authorityKeyIdentifier=keyid
56
57[ v3_ca ]
58
59
60# Extensions for a typical CA
61
62# PKIX recommendation.
63
64subjectKeyIdentifier=hash
65authorityKeyIdentifier=keyid:always
66basicConstraints = critical,CA:true
67keyUsage = critical, cRLSign, keyCertSign
68
69