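#
# OpenSSL example configuration file for automated certificate creation.
#
# Layout: default-section settings, then [ req ] (request / self-signed
# certificate generation) with its distinguished name, then three extension
# profiles: usr_cert (end entity), dh_cert (end entity, DH key) and v3_ca (CA).
#

# Comment out the next line to ignore configuration errors
config_diagnostics = 1

# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
CN = "Not Defined"
# Name of the section the 'ca' command reads its settings from.
# NOTE(review): no [ ca ] section appears in this listing; confirm it is
# supplied elsewhere before relying on 'ca' with this file.
default_ca = ca

####################################################################
[ req ]
# Size in bits of a newly generated key.
default_bits = 2048
# Where a newly generated private key is written (relative to the working
# directory). Keep this file readable by the issuing account only.
default_keyfile = privkey.pem
# Don't prompt for fields: use those in section directly
prompt = no
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert
x509_extensions = v3_ca
# Emit subject strings as UTF8String only.
string_mask = utf8only

# The extensions to add to a certificate request
# req_extensions = v3_req

[ req_distinguished_name ]
# NOTE(review): the ISO 3166-1 alpha-2 code for the United Kingdom is GB,
# not UK. Left unchanged because existing certificates or matching policies
# may depend on this exact subject; confirm before changing.
countryName = UK

organizationName = OpenSSL Group
# Take CN from environment so it can come from a script.
# The value is copied into the certificate subject as given, so the calling
# script should validate it before exporting CN. When the environment
# variable is unset, the default-section CN above ("Not Defined") is used.
commonName = $ENV::CN

[ usr_cert ]

# These extensions are added when 'ca' signs a request for an end entity
# certificate

# critical + CA:FALSE: the certificate must not be accepted as an issuer.
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ dh_cert ]

# These extensions are added when 'ca' signs a request for an end entity
# DH certificate

# critical + CA:FALSE: the certificate must not be accepted as an issuer.
basicConstraints = critical, CA:FALSE
# Key agreement only: a DH key cannot sign or encipher.
keyUsage = critical, keyAgreement

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier = hash
# keyid:always makes issuance fail if the issuer key identifier cannot be
# included, rather than silently omitting it.
authorityKeyIdentifier = keyid:always
# No pathlen is given, so a CA carrying these extensions is not limited in
# how many subordinate CA levels may chain below it. Add pathlen:N where the
# hierarchy depth should be bounded.
basicConstraints = critical,CA:true
# Restricts the CA key to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign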