1 # OpenSSL root CA configuration file.
2 # Copy to `$root/ca/openssl.cnf`.
# `default_ca` names the section that `openssl ca` uses when no -name is given;
# the `CA_default` section (its header is not part of this excerpt) holds the
# root CA's file locations, signing policy and defaults.
6 default_ca = CA_default
9 # Directory and file locations.
# `$dir` is expanded by OpenSSL from a `dir` key assigned elsewhere in the file
# (not shown in this excerpt); every path below is relative to it.
# newcerts/ receives a copy of each issued certificate, named by serial number.
13 new_certs_dir = $dir/newcerts
# index.txt is the issuance database that `openssl ca` updates on every sign and
# revoke; CRL generation is driven from it, so back it up together with the key.
14 database = $dir/index.txt
# PRNG seed file; largely obsolete on OpenSSL 1.1.1 and later, harmless to keep.
16 RANDFILE = $dir/private/.rand
18 # The root key and root certificate.
# The private key is the trust anchor for everything below it: keep it readable
# only by the CA operator (e.g. mode 0400) and ideally on an offline host or HSM.
19 private_key = $dir/private/ca.key.pem
20 certificate = $dir/certs/ca.cert.pem
22 # For certificate revocation lists.
# crlnumber holds the monotonically increasing CRL serial; `openssl ca -gencrl`
# reads and increments it.
23 crlnumber = $dir/crlnumber
24 crl = $dir/crl/ca.crl.pem
# Extension section applied to generated CRLs (defined later in this file).
25 crl_extensions = crl_ext
28 # SHA-1 is deprecated, so use SHA-2 instead.
# (The digest key the comment above refers to is not part of this excerpt.)
# Subject-name policy the root CA enforces on every request it signs; see the
# `policy_strict` section below.
35 policy = policy_strict
38 # The root CA should only sign intermediate certificates that match.
39 # See the POLICY FORMAT section of `man ca`.
# `match`: the field must be present in the request and equal the value in the
# CA's own subject, so an intermediate cannot claim a different organisation.
# `optional`: the field may be absent; if present it is copied into the certificate.
# (`supplied`, the third keyword, is not used in the lines shown here.)
41 stateOrProvinceName = match
42 organizationName = match
43 organizationalUnitName = optional
45 emailAddress = optional
48 # Allow the intermediate CA to sign a more diverse range of certificates.
49 # See the POLICY FORMAT section of the `ca` man page.
# Every field is `optional`, so this policy places no subject-name constraints on
# what the intermediate issues; containment then rests on the extension sections
# below (basicConstraints, keyUsage, extendedKeyUsage), not on the DN.
50 countryName = optional
51 stateOrProvinceName = optional
52 localityName = optional
53 organizationName = optional
54 organizationalUnitName = optional
56 emailAddress = optional
59 # Options for the `req` tool (`man req`).
# Prompts and defaults for the subject DN come from the section named here.
61 distinguished_name = req_distinguished_name
# Encode DN strings only as UTF8String (no legacy T61String/BMPString forms),
# which keeps the subject encoding unambiguous for verifiers.
62 string_mask = utf8only
64 # SHA-1 is deprecated, so use SHA-2 instead.
# (The digest key the comment above refers to is not part of this excerpt.)
67 # Extension to add when the -x509 option is used.
# i.e. the extensions the self-signed root certificate itself carries.
68 x509_extensions = v3_ca
70 [ req_distinguished_name ]
71 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Each value below is the prompt text shown by `openssl req`; the `0.` prefix on
# organizationName is OpenSSL's way of allowing the same key to appear more than once.
72 countryName = Country Name (2 letter code)
73 stateOrProvinceName = State or Province Name
74 localityName = Locality Name
75 0.organizationName = Organization Name
76 organizationalUnitName = Organizational Unit Name
77 commonName = Common Name
78 emailAddress = Email Address
80 # Optionally, specify some defaults.
# `<field>_default` pre-fills the prompt; an empty value means no default is offered.
# These values look like test-fixture data — replace them before deploying a real CA.
81 countryName_default = GB
82 stateOrProvinceName_default = England
83 localityName_default =
84 0.organizationName_default = Xmlsecurity Test
85 organizationalUnitName_default =
86 emailAddress_default =
89 # Extensions for a typical CA (`man x509v3_config`).
# Used for the self-signed root (referenced by `x509_extensions` in the req options).
90 subjectKeyIdentifier = hash
# For a self-signed certificate the AKI simply mirrors the SKI.
91 authorityKeyIdentifier = keyid:always,issuer
# No pathlen here: the root may issue intermediates that themselves issue CAs.
# Depth is constrained further down, in the intermediate section.
92 basicConstraints = critical, CA:true
# keyCertSign and cRLSign are the two usages a CA needs; marking the extension
# critical makes verifiers reject any other use of this key.
93 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
95 [ v3_intermediate_ca ]
96 # Extensions for a typical intermediate CA (`man x509v3_config`).
97 subjectKeyIdentifier = hash
98 authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 is the main containment control: the intermediate may sign only
# end-entity certificates, so a compromise cannot be used to mint further sub-CAs.
99 basicConstraints = critical, CA:true, pathlen:0
100 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
103 # Extensions for client certificates (`man x509v3_config`).
# End-entity: explicitly not a CA.
104 basicConstraints = CA:FALSE
# Legacy Netscape extension; modern validators ignore it, extendedKeyUsage below
# is the effective control. Kept for older clients.
105 nsCertType = client, email
106 nsComment = "OpenSSL Generated Client Certificate"
107 subjectKeyIdentifier = hash
# Without `:always`, the issuer DN/serial is only added if the keyid is unavailable.
108 authorityKeyIdentifier = keyid,issuer
# nonRepudiation is the pre-RFC 5280 name for contentCommitment.
109 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
110 extendedKeyUsage = clientAuth, emailProtection
113 # Extensions for server certificates (`man x509v3_config`).
# NOTE(review): no subjectAltName is set here; modern TLS clients ignore the CN,
# so SANs must be supplied at signing time (e.g. via copy_extensions or an
# extension file) — confirm the issuing workflow does this.
114 basicConstraints = CA:FALSE
116 nsComment = "OpenSSL Generated Server Certificate"
117 subjectKeyIdentifier = hash
# `issuer:always` differs from the client section (`keyid,issuer`): it embeds the
# issuer DN and serial in every server certificate, tying it to one specific
# issuer certificate, which complicates re-issuing or cross-signing the
# intermediate. Confirm this difference is intended.
118 authorityKeyIdentifier = keyid,issuer:always
119 keyUsage = critical, digitalSignature, keyEncipherment
120 extendedKeyUsage = serverAuth
123 # Extension for CRLs (`man x509v3_config`).
# Identifies the CA key that signed the CRL so relying parties can match it to
# the issuer certificate. (Spacing around `=` differs from the rest of the file;
# OpenSSL treats both forms identically.)
124 authorityKeyIdentifier=keyid:always
127 # Extension for OCSP signing certificates (`man ocsp`).
128 basicConstraints = CA:FALSE
129 subjectKeyIdentifier = hash
130 authorityKeyIdentifier = keyid,issuer
# Signing only: the responder key must not be usable for TLS or encipherment.
131 keyUsage = critical, digitalSignature
# Critical OCSPSigning restricts this certificate to signing OCSP responses and
# nothing else. If the responder certificate should itself be exempt from
# revocation checking, `noCheck = ignore` (id-pkix-ocsp-nocheck) can be added here.
132 extendedKeyUsage = critical, OCSPSigning