Merge "Improvements of Certs creation scripts"
[aaf/authz.git] / conf / CA / openssl.conf
# OpenSSL root CA configuration file (OpenSSL CONF syntax: full-line `#`
# comments, and `$name` expands to a key defined earlier in the same section).
# Copy to `/opt/app/osaaf/CA/openssl.cnf`.
#
# NOTE(review): the paths in [ CA_default ] are relative to `dir`, which is
# `.`, so `openssl ca` must be invoked from the CA directory itself.

[ ca ]
# `man ca`: names the section below that holds the CA settings when
# `openssl ca` is run without `-name`.
default_ca = CA_default

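[ CA_default ]
# Directory and file locations.
# `dir` is relative to the current working directory, so every path below
# depends on where `openssl ca` is invoked from.
dir = .
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
# index.txt is the issued-certificate database and serial holds the next
# serial number; `openssl ca` expects both to exist before the first signing.
database = $dir/index.txt
serial = $dir/serial
# Seed file for older OpenSSL releases; newer releases seed from the OS and
# may ignore this setting.
RANDFILE = $dir/private/.rand

# The root key and root certificate.
# private/ should be readable only by the CA operator (e.g. mode 0700).
private_key = $dir/private/ca.key
certificate = $dir/certs/ca.crt

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
# A CRL is valid for this many days; regenerate it before it expires, or
# relying parties that check revocation will start failing.
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# How subject names and certificates are displayed when a signature is
# confirmed interactively.
name_opt = ca_default
cert_opt = ca_default
# Validity (days) of issued certificates when -days is not given.
default_days = 60
# Do not keep the DN attribute order from the request.
preserve = no
policy = policy_strict

# Never copy X.509v3 extensions from a CSR into the issued certificate.
# This is OpenSSL's default when the key is absent; it is stated explicitly
# so it cannot be relaxed by accident. Extensions therefore come only from
# the -extensions section chosen at signing time, and a requester cannot
# supply CA:TRUE, keyUsage or subjectAltName values through the request.
copy_extensions = none
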
[ policy_strict ]
# Policy selected by [ CA_default ] (see POLICY FORMAT in `man ca`):
#   match    - the field must equal the value in the CA certificate
#   supplied - the field must be present in the request
#   optional - the field may be absent
# The root CA therefore only signs intermediates whose C and O match its own.
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = supplied
commonName = supplied

[ policy_loose ]
# Looser policy for an intermediate CA signing a wider range of end-entity
# certificates. Not referenced by [ CA_default ]; select it explicitly with
# `openssl ca -policy policy_loose`. See POLICY FORMAT in `man ca`.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
# RSA key size used when `req -newkey` is run without an explicit size;
# 2048 is the accepted minimum today.
default_bits = 2048
distinguished_name = req_distinguished_name
# Only UTF8String encodings in the subject DN.
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Extensions added when `req -x509` creates the self-signed root certificate.
x509_extensions = v3_ca

[ req_distinguished_name ]
# Prompt text shown for each DN field; see
# <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# The `0.` prefix lets the same field name appear more than once in a section.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults. They are intentionally empty so every
# field is entered at the prompt; fill them in to pre-populate the prompts.
countryName_default =
stateOrProvinceName_default =
localityName_default =
0.organizationName_default =
organizationalUnitName_default =
emailAddress_default =

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`); used by `req -x509`
# for the self-signed root certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# critical: a validator that does not understand basicConstraints must reject the cert.
basicConstraints = critical, CA:true
# Signing uses only; the root key never encrypts or authenticates TLS sessions.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# Select with `openssl ca -extensions v3_intermediate_ca` when the root signs it.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 - the intermediate may sign end-entity certificates only, never further CAs.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
# nsCertType/nsComment are legacy Netscape extensions; modern validators
# rely on keyUsage/extendedKeyUsage below instead.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# Usable for TLS client authentication and S/MIME only; no serverAuth.
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# NOTE(review): no subjectAltName is set here, and [ CA_default ] does not
# copy extensions from the CSR, so certificates signed with this section
# carry no DNS/IP names. Modern TLS clients match the host name against
# subjectAltName and ignore commonName, so a SAN must be supplied at signing
# time (e.g. via an -extfile section) or added to this section.
basicConstraints = CA:FALSE
# Legacy Netscape extensions; harmless but unused by modern validators.
nsCertType = server, client
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
# issuer:always also embeds the issuer DN and serial in the AKI;
# [ usr_cert ] uses keyid,issuer, which adds them only when no keyid is available.
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
# clientAuth is included so the same certificate can be used for mutual TLS.
extendedKeyUsage = serverAuth, clientAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`); referenced by crl_extensions in
# [ CA_default ]. keyid:always ties each CRL to the issuing key.
authorityKeyIdentifier = keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# Select with `openssl ca -extensions ocsp` when issuing the responder's certificate.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Signing only; the responder key never encrypts or issues certificates.
keyUsage = critical, digitalSignature
# critical OCSPSigning: the certificate cannot be repurposed for TLS or anything else.
extendedKeyUsage = critical, OCSPSigning