Initial version
[ta/remote-installer.git] / test / certificates / openssl.cnf
1 # OpenSSL root CA configuration file.
2 # Copy to `/root/ca/openssl.cnf`.
3
4 [ ca ]
5 # `man ca`
6 default_ca = CA_default
7
8 [ CA_default ]
9 # Directory and file locations.
10 dir               = /root/ca
11 certs             = $dir/certs
12 crl_dir           = $dir/crl
13 new_certs_dir     = $dir/newcerts
14 database          = $dir/index.txt
15 serial            = $dir/serial
16 RANDFILE          = $dir/private/.rand
17
18 # The root key and root certificate.
19 private_key       = $dir/private/ca.key.pem
20 certificate       = $dir/certs/ca.cert.pem
21
22 # For certificate revocation lists.
23 crlnumber         = $dir/crlnumber
24 crl               = $dir/crl/ca.crl.pem
25 crl_extensions    = crl_ext
26 default_crl_days  = 30
27
28 # SHA-1 is deprecated, so use SHA-2 instead.
29 default_md        = sha256
30
31 name_opt          = ca_default
32 cert_opt          = ca_default
33 default_days      = 375
34 preserve          = no
35 policy            = policy_strict
36
37 [ policy_strict ]
38 # The root CA should only sign intermediate certificates that match.
39 # See the POLICY FORMAT section of `man ca`.
40 countryName             = match
41 stateOrProvinceName     = match
42 organizationName        = match
43 organizationalUnitName  = optional
44 commonName              = supplied
45 emailAddress            = optional
46
47 [ policy_loose ]
48 # Allow the intermediate CA to sign a more diverse range of certificates.
49 # See the POLICY FORMAT section of the `ca` man page.
50 countryName             = optional
51 stateOrProvinceName     = optional
52 localityName            = optional
53 organizationName        = optional
54 organizationalUnitName  = optional
55 commonName              = supplied
56 emailAddress            = optional
57
58 [ req ]
59 # Options for the `req` tool (`man req`).
60 default_bits        = 2048
61 distinguished_name  = req_distinguished_name
62 string_mask         = utf8only
63
64 # SHA-1 is deprecated, so use SHA-2 instead.
65 default_md          = sha256
66
67 # Extension to add when the -x509 option is used.
68 x509_extensions     = v3_ca
69
70 [ req_distinguished_name ]
71 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
72 countryName                     = FI
73 stateOrProvinceName             = Uusimaa
74 localityName                    = Espoo
75 0.organizationName              = Nokia
76 organizationalUnitName          = NET
77 commonName                      = Nokia NET
78 # emailAddress                    = Email Address
79 emailAddress                    = 
80
81 # Optionally, specify some defaults.
82 # countryName_default             = GB
83 # stateOrProvinceName_default     = England
84 # localityName_default            =
85 # 0.organizationName_default      = Alice Ltd
86 # organizationalUnitName_default  =
87 # emailAddress_default            =
88
89 [ v3_ca ]
90 # Extensions for a typical CA (`man x509v3_config`).
91 subjectKeyIdentifier = hash
92 authorityKeyIdentifier = keyid:always,issuer
93 basicConstraints = critical, CA:true
94 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
95
96 [ v3_intermediate_ca ]
97 # Extensions for a typical intermediate CA (`man x509v3_config`).
98 subjectKeyIdentifier = hash
99 authorityKeyIdentifier = keyid:always,issuer
100 basicConstraints = critical, CA:true, pathlen:0
101 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
102
103 [ usr_cert ]
104 # Extensions for client certificates (`man x509v3_config`).
105 basicConstraints = CA:FALSE
106 nsCertType = client, email
107 nsComment = "OpenSSL Generated Client Certificate"
108 subjectKeyIdentifier = hash
109 authorityKeyIdentifier = keyid,issuer
110 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
111 extendedKeyUsage = clientAuth, emailProtection
112
113 [ server_cert ]
114 # Extensions for server certificates (`man x509v3_config`).
115 basicConstraints = CA:FALSE
116 nsCertType = server
117 nsComment = "OpenSSL Generated Server Certificate"
118 subjectKeyIdentifier = hash
119 authorityKeyIdentifier = keyid,issuer:always
120 keyUsage = critical, digitalSignature, keyEncipherment
121 extendedKeyUsage = serverAuth
122
123 [ crl_ext ]
124 # Extension for CRLs (`man x509v3_config`).
125 authorityKeyIdentifier=keyid:always
126
127 [ ocsp ]
128 # Extension for OCSP signing certificates (`man ocsp`).
129 basicConstraints = CA:FALSE
130 subjectKeyIdentifier = hash
131 authorityKeyIdentifier = keyid,issuer
132 keyUsage = critical, digitalSignature
133 extendedKeyUsage = critical, OCSPSigning
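Review bot: `[ req ]` never sets `prompt = no`, so the fixed values in `[ req_distinguished_name ]` (`countryName = FI`, `localityName = Espoo`, `commonName = Nokia NET`, the blank `emailAddress =`) are used by `openssl req` as interactive prompt labels rather than as the subject, and the real defaults would have to come from the commented-out `*_default` keys. Either add `prompt = no` to `[ req ]` so the listed values become the subject directly, or keep prompting and move the values into `countryName_default`-style keys; as written the generated root certificate's subject depends on whoever runs the tool, which matters for `policy_strict`, whose `match` rules are evaluated against that subject. A smaller point of style: the `usr_cert` and `server_cert` sections differ on `authorityKeyIdentifier` (`keyid,issuer` vs `keyid,issuer:always`) with no comment explaining why, and `nsCertType`/`nsComment` are legacy Netscape extensions that no current verifier consults, so a one-line comment above them noting they are kept for compatibility only would help the next maintainer.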