xmlsecurity/qa/create-certs/templates/intermediate.cnf

   1 # OpenSSL intermediate CA configuration file.
   2 # Copy to `$root/ca/intermediate/openssl.cnf`.
   3
   4 [ ca ]
   5 # `man ca`
   6 default_ca = CA_default
   7
   8 [ CA_default ]
   9 # Directory and file locations.
  10 dir               = @ROOT@/ca/intermediate
  11 certs             = $dir/certs
  12 crl_dir           = $dir/crl
  13 new_certs_dir     = $dir/newcerts
  14 database          = $dir/index.txt
  15 serial            = $dir/serial
  16 RANDFILE          = $dir/private/.rand
  17
  18 # The root key and root certificate.
  19 private_key       = $dir/private/intermediate.key.pem
  20 certificate       = $dir/certs/intermediate.cert.pem
  21
  22 # For certificate revocation lists.
  23 crlnumber         = $dir/crlnumber
  24 crl               = $dir/crl/intermediate.crl.pem
  25 crl_extensions    = crl_ext
  26 default_crl_days  = 30
  27
  28 # SHA-1 is deprecated, so use SHA-2 instead.
  29 default_md        = sha256
  30
  31 name_opt          = ca_default
  32 cert_opt          = ca_default
  33 default_days      = 375
  34 preserve          = no
  35 policy            = policy_loose
  36
  37 [ policy_strict ]
  38 # The root CA should only sign intermediate certificates that match.
  39 # See the POLICY FORMAT section of `man ca`.
  40 countryName             = match
  41 stateOrProvinceName     = match
  42 organizationName        = match
  43 organizationalUnitName  = optional
  44 commonName              = supplied
  45 emailAddress            = optional
  46
  47 [ policy_loose ]
  48 # Allow the intermediate CA to sign a more diverse range of certificates.
  49 # See the POLICY FORMAT section of the `ca` man page.
  50 countryName             = optional
  51 stateOrProvinceName     = optional
  52 localityName            = optional
  53 organizationName        = optional
  54 organizationalUnitName  = optional
  55 commonName              = supplied
  56 emailAddress            = optional
  57
  58 [ req ]
  59 # Options for the `req` tool (`man req`).
  60 default_bits        = 2048
  61 distinguished_name  = req_distinguished_name
  62 string_mask         = utf8only
  63
  64 # SHA-1 is deprecated, so use SHA-2 instead.
  65 default_md          = sha256
  66
  67 # Extension to add when the -x509 option is used.
  68 x509_extensions     = v3_ca
  69
  70 [ req_distinguished_name ]
  71 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
  72 countryName                     = Country Name (2 letter code)
  73 stateOrProvinceName             = State or Province Name
  74 localityName                    = Locality Name
  75 0.organizationName              = Organization Name
  76 organizationalUnitName          = Organizational Unit Name
  77 commonName                      = Common Name
  78 emailAddress                    = Email Address
  79
  80 # Optionally, specify some defaults.
  81 countryName_default             = GB
  82 stateOrProvinceName_default     = England
  83 localityName_default            =
  84 0.organizationName_default      = Xmlsecurity Test
  85 organizationalUnitName_default  =
  86 emailAddress_default            =
  87
  88 [ v3_ca ]
  89 # Extensions for a typical CA (`man x509v3_config`).
  90 subjectKeyIdentifier = hash
  91 authorityKeyIdentifier = keyid:always,issuer
  92 basicConstraints = critical, CA:true
  93 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  94
  95 [ v3_intermediate_ca ]
  96 # Extensions for a typical intermediate CA (`man x509v3_config`).
  97 subjectKeyIdentifier = hash
  98 authorityKeyIdentifier = keyid:always,issuer
  99 basicConstraints = critical, CA:true, pathlen:0
 100 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 101
 102 [ usr_cert ]
 103 # Extensions for client certificates (`man x509v3_config`).
 104 basicConstraints = CA:FALSE
 105 nsCertType = client, email
 106 nsComment = "OpenSSL Generated Client Certificate"
 107 subjectKeyIdentifier = hash
 108 authorityKeyIdentifier = keyid,issuer
 109 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 110 extendedKeyUsage = clientAuth, emailProtection
 111
 112 [ server_cert ]
 113 # Extensions for server certificates (`man x509v3_config`).
 114 basicConstraints = CA:FALSE
 115 nsCertType = server
 116 nsComment = "OpenSSL Generated Server Certificate"
 117 subjectKeyIdentifier = hash
 118 authorityKeyIdentifier = keyid,issuer:always
 119 keyUsage = critical, digitalSignature, keyEncipherment
 120 extendedKeyUsage = serverAuth
 121
 122 [ crl_ext ]
 123 # Extension for CRLs (`man x509v3_config`).
 124 authorityKeyIdentifier=keyid:always
 125
 126 [ ocsp ]
 127 # Extension for OCSP signing certificates (`man ocsp`).
 128 basicConstraints = CA:FALSE
 129 subjectKeyIdentifier = hash
 130 authorityKeyIdentifier = keyid,issuer
 131 keyUsage = critical, digitalSignature
 132 extendedKeyUsage = critical, OCSPSigning