3 # ============LICENSE_START====================================================
5 # ===========================================================================
6 # Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
7 # ===========================================================================
8 # Licensed under the Apache License, Version 2.0 (the "License");
9 # you may not use this file except in compliance with the License.
10 # You may obtain a copy of the License at
12 # http://www.apache.org/licenses/LICENSE-2.0
14 # Unless required by applicable law or agreed to in writing, software
15 # distributed under the License is distributed on an "AS IS" BASIS,
16 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 # See the License for the specific language governing permissions and
18 # limitations under the License.
19 # ============LICENSE_END====================================================
21 # OpenSSL root CA configuration file.
22 # Copy to `/opt/app/osaaf/CA/openssl.cnf`.
# Section `openssl ca` reads its settings from when no -name option is given (`man ca`).
default_ca = CA_default
# Directory and file locations.
# `$dir` is expanded from the `dir` setting of this section (`man config`); it is
# expected to point at the CA directory named in the file header.
new_certs_dir = $dir/newcerts
# Text database of every certificate issued, maintained by `openssl ca` (`man ca`).
database = $dir/index.txt
# Seed file for the PRNG. NOTE(review): OpenSSL 1.1.1 and later no longer rely on
# this file for seeding — confirm the behaviour of the installed version.
RANDFILE = $dir/private/.rand
# The root key and root certificate.
# NOTE(review): nothing in this file restricts access to private/; the key file's
# permissions must be locked down separately, it is the only real secret here.
private_key = $dir/private/ca.key
certificate = $dir/certs/ca.crt
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
# Extension section applied by `openssl ca -gencrl` (defined later in this file).
crl_extensions = crl_ext
# SHA-1 is deprecated, so use SHA-2 instead.
# DN policy enforced by `openssl ca`: policy_strict requires the request's
# organizationName to match the root certificate's own value (see that section).
policy = policy_strict
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
# `match`: the request field must be present and equal the CA certificate's value;
# `supplied`: the field must be present; `optional`: it may be absent. A DN field
# not listed in the policy at all is silently dropped from the issued certificate
# unless `-preserveDN` is given (`man ca`).
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = supplied
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
# Every listed field is `optional`: it may be absent from the request and, when
# present, is copied as given. Meant for the intermediate CA's configuration,
# not for the root, which keeps the stricter policy above.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
# Options for the `req` tool (`man req`).
# Section holding the DN prompts and defaults (see [ req_distinguished_name ]).
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only, with no PrintableString/T61String/
# BMPString fallbacks (`man req`).
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
# Extension to add when the -x509 option is used.
# That is, the self-signed root certificate itself receives the CA extensions.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Each value below is the prompt text `openssl req` shows for that DN field; the
# fields are asked for in the order they appear here (`man req`).
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
# The `0.` prefix is stripped by OpenSSL; it exists so the same field name can
# appear more than once in this section without colliding (`man req`).
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
# A `<field>_default` value is offered when the operator just presses Enter. All
# are left empty here, so nothing is pre-filled; commonName has no default entry.
countryName_default =
stateOrProvinceName_default =
localityName_default =
0.organizationName_default =
organizationalUnitName_default =
emailAddress_default =
# Extensions for a typical CA (`man x509v3_config`).
# SKI is a hash of the public key. AKI carries the issuer's key identifier
# (`always` turns a missing one into an error) and falls back to issuer name and
# serial only when no keyid is available. On the self-signed root both identify
# the root's own key.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# No pathlen: the root may issue subordinate CAs at any depth (the intermediate
# section below limits its own depth with pathlen:0).
basicConstraints = critical, CA:true
# Critical, so relying parties that do not understand keyUsage must reject the cert.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# SKI is a hash of the intermediate's public key. AKI carries the root's key
# identifier (`always` makes a missing one an error); issuer name and serial are
# added only as a fallback when no keyid is available.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 — this CA may issue end-entity certificates only; any further
# subordinate CA certificate beneath it fails path validation (RFC 5280 §4.2.1.9).
basicConstraints = critical, CA:true, pathlen:0
# Critical, so relying parties that do not understand keyUsage must reject the cert.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
# nsCertType and nsComment are legacy Netscape extensions that modern clients
# ignore; the keyUsage/extendedKeyUsage below carry the effective constraints.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
# `keyid,issuer`: issuer name and serial are added only if no key identifier is
# available from the issuing certificate.
authorityKeyIdentifier = keyid,issuer
# Critical; without keyCertSign, and with CA:FALSE above, this certificate cannot
# be used to issue other certificates.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
# Extensions for server certificates (`man x509v3_config`).
# NOTE(review): extendedKeyUsage also grants clientAuth and nsCertType lists
# `client`, so certificates issued from this section are accepted as TLS client
# certificates as well. Remove `clientAuth` and `client` if a server-only identity
# is intended; keep them only where the service also authenticates outbound.
basicConstraints = CA:FALSE
# nsCertType and nsComment are legacy Netscape extensions that modern clients
# ignore; the keyUsage/extendedKeyUsage below carry the effective constraints.
nsCertType = server, client
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
# `issuer:always` adds the issuer DN and serial unconditionally, unlike the
# `keyid,issuer` form used for client certificates — presumably unintentional; confirm.
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
# Extension for CRLs (`man x509v3_config`).
# Embed the issuing CA's key identifier so relying parties can pair the CRL with
# the correct CA certificate; `always` makes a missing identifier an error.
# Spacing around `=` is ignored by OpenSSL's config parser and is normalised here
# to match the rest of the file.
authorityKeyIdentifier = keyid:always
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Only digitalSignature: the key signs OCSP responses and nothing else is permitted.
keyUsage = critical, digitalSignature
# Critical OCSPSigning with no other purpose: together with CA:FALSE above this
# certificate can only sign OCSP responses for this CA, not serve TLS or act as a CA.
extendedKeyUsage = critical, OCSPSigning