1 # OpenSSL root CA configuration file.
2 # Copy to `/root/ca/openssl.cnf`.
6 default_ca = CA_default
9 # Directory and file locations.
13 new_certs_dir = $dir/newcerts
14 database = $dir/index.txt
16 RANDFILE = $dir/private/.rand
18 # The root key and root certificate. The private key file must be readable only by the CA operator; anyone who can read it can issue certificates that chain to this root.
19 private_key = $dir/private/ca.key.pem
20 certificate = $dir/certs/ca.cert.pem
22 # For certificate revocation lists.
23 crlnumber = $dir/crlnumber
24 crl = $dir/crl/ca.crl.pem
25 crl_extensions = crl_ext
28 # SHA-1 is deprecated, so use SHA-2 instead.
35 policy = policy_strict
38 # The root CA should only sign intermediate certificates that match.
39 # See the POLICY FORMAT section of `man ca`.
41 stateOrProvinceName = match
42 organizationName = match
43 organizationalUnitName = optional
45 emailAddress = optional
48 # Allow the intermediate CA to sign a more diverse range of certificates.
49 # See the POLICY FORMAT section of `man ca`.
50 countryName = optional
51 stateOrProvinceName = optional
52 localityName = optional
53 organizationName = optional
54 organizationalUnitName = optional
56 emailAddress = optional
59 # Options for the `req` tool (`man req`).
61 distinguished_name = req_distinguished_name
62 string_mask = utf8only
64 # SHA-1 is deprecated, so use SHA-2 instead.
67 # Extension to add when the -x509 option is used.
68 x509_extensions = v3_ca
70 [ req_distinguished_name ]
71 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. NOTE(review): unless `prompt = no` is set in the req section, the entries below are prompt labels, not DN values; literal defaults belong in the `_default` keys — confirm which is intended.
73 stateOrProvinceName = Uusimaa
75 0.organizationName = Nokia
76 organizationalUnitName = NET
77 commonName = Nokia NET
78 # emailAddress = Email Address
81 # Optionally, specify some defaults.
82 # countryName_default = GB
83 # stateOrProvinceName_default = England
84 # localityName_default =
85 # 0.organizationName_default = Alice Ltd
86 # organizationalUnitName_default =
87 # emailAddress_default =
90 # Extensions for a typical CA (`man x509v3_config`).
91 subjectKeyIdentifier = hash
92 authorityKeyIdentifier = keyid:always,issuer
93 basicConstraints = critical, CA:true
94 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
96 [ v3_intermediate_ca ]
97 # Extensions for a typical intermediate CA (`man x509v3_config`).
98 subjectKeyIdentifier = hash
99 authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 — this CA may issue end-entity certificates only; certificates it signs must not themselves be CAs.
100 basicConstraints = critical, CA:true, pathlen:0
# critical: a relying party that does not understand keyUsage must reject the certificate rather than ignore the restriction.
101 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
104 # Extensions for client certificates (`man x509v3_config`). nsCertType and nsComment are legacy Netscape extensions that modern clients largely ignore; extendedKeyUsage is the standard (RFC 5280) way to constrain purpose.
105 basicConstraints = CA:FALSE
106 nsCertType = client, email
107 nsComment = "OpenSSL Generated Client Certificate"
108 subjectKeyIdentifier = hash
109 authorityKeyIdentifier = keyid,issuer
110 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
111 extendedKeyUsage = clientAuth, emailProtection
114 # Extensions for server certificates (`man x509v3_config`). Note: authorityKeyIdentifier here uses `issuer:always` while the client and OCSP sections use plain `issuer`; use one form unless the difference is intentional.
115 basicConstraints = CA:FALSE
117 nsComment = "OpenSSL Generated Server Certificate"
118 subjectKeyIdentifier = hash
119 authorityKeyIdentifier = keyid,issuer:always
120 keyUsage = critical, digitalSignature, keyEncipherment
121 extendedKeyUsage = serverAuth
124 # Extension for CRLs (`man x509v3_config`).
125 authorityKeyIdentifier=keyid:always
128 # Extension for OCSP signing certificates (`man ocsp`).
129 basicConstraints = CA:FALSE
130 subjectKeyIdentifier = hash
131 authorityKeyIdentifier = keyid,issuer
132 keyUsage = critical, digitalSignature
133 extendedKeyUsage = critical, OCSPSigning