1 # OpenSSL root CA configuration file.
2 # Copy to `/opt/app/osaaf/CA/openssl.cnf`.
6 default_ca = CA_default
9 # Directory and file locations.
13 new_certs_dir = $dir/newcerts
14 database = $dir/index.txt
16 RANDFILE = $dir/private/.rand
18 # The root key and root certificate.
19 private_key = $dir/private/ca.key
20 certificate = $dir/certs/ca.crt
22 # For certificate revocation lists.
23 crlnumber = $dir/crlnumber
24 crl = $dir/crl/ca.crl.pem
25 crl_extensions = crl_ext
28 # SHA-1 is deprecated, so use SHA-2 instead.
35 policy = policy_strict
38 # The root CA should only sign intermediate certificates that match.
39 # See the POLICY FORMAT section of `man ca`.
41 stateOrProvinceName = optional
42 organizationName = match
43 organizationalUnitName = supplied
47 # Allow the intermediate CA to sign a more diverse range of certificates.
48 # See the POLICY FORMAT section of the `ca` man page.
49 countryName = optional
50 stateOrProvinceName = optional
51 localityName = optional
52 organizationName = optional
53 organizationalUnitName = optional
55 emailAddress = optional
58 # Options for the `req` tool (`man req`).
60 distinguished_name = req_distinguished_name
61 string_mask = utf8only
63 # SHA-1 is deprecated, so use SHA-2 instead.
66 # Extension to add when the -x509 option is used.
67 x509_extensions = v3_ca
69 [ req_distinguished_name ]
70 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
71 countryName = Country Name (2 letter code)
72 stateOrProvinceName = State or Province Name
73 localityName = Locality Name
74 0.organizationName = Organization Name
75 organizationalUnitName = Organizational Unit Name
76 commonName = Common Name
77 emailAddress = Email Address
79 # Optionally, specify some defaults.
81 stateOrProvinceName_default =
82 localityName_default =
83 0.organizationName_default =
84 organizationalUnitName_default =
85 emailAddress_default =
88 # Extensions for a typical CA (`man x509v3_config`).
89 subjectKeyIdentifier = hash
90 authorityKeyIdentifier = keyid:always,issuer
91 basicConstraints = critical, CA:true
92 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
94 [ v3_intermediate_ca ]
95 # Extensions for a typical intermediate CA (`man x509v3_config`).
96 subjectKeyIdentifier = hash
97 authorityKeyIdentifier = keyid:always,issuer
98 basicConstraints = critical, CA:true, pathlen:0
99 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
102 # Extensions for client certificates (`man x509v3_config`).
103 basicConstraints = CA:FALSE
104 nsCertType = client, email
105 nsComment = "OpenSSL Generated Client Certificate"
106 subjectKeyIdentifier = hash
107 authorityKeyIdentifier = keyid,issuer
108 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
109 extendedKeyUsage = clientAuth, emailProtection
112 # Extensions for server certificates (`man x509v3_config`).
113 basicConstraints = CA:FALSE
114 nsCertType = server, client
115 nsComment = "OpenSSL Generated Server Certificate"
116 subjectKeyIdentifier = hash
117 authorityKeyIdentifier = keyid,issuer:always
118 keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
119 extendedKeyUsage = serverAuth, clientAuth
122 # Extension for CRLs (`man x509v3_config`).
123 authorityKeyIdentifier=keyid:always
126 # Extension for OCSP signing certificates (`man ocsp`).
127 basicConstraints = CA:FALSE
128 subjectKeyIdentifier = hash
129 authorityKeyIdentifier = keyid,issuer
130 keyUsage = critical, digitalSignature
131 extendedKeyUsage = critical, OCSPSigning