Get the style color and number just once
[LibreOffice.git] / xmlsecurity / qa / create-certs / templates / root.cnf
blob1298d74d3a51ac778deba6855c9ee4553051a8d2
1 # OpenSSL root CA configuration file.
2 # Copy to `$root/ca/openssl.cnf`.
4 [ ca ]
5 # `man ca`
6 default_ca = CA_default
8 [ CA_default ]
9 # Directory and file locations.
10 dir               = @ROOT@/ca
11 certs             = $dir/certs
12 crl_dir           = $dir/crl
13 new_certs_dir     = $dir/newcerts
14 database          = $dir/index.txt
15 serial            = $dir/serial
16 RANDFILE          = $dir/private/.rand
18 # The root key and root certificate.
19 private_key       = $dir/private/ca.key.pem
20 certificate       = $dir/certs/ca.cert.pem
22 # For certificate revocation lists.
23 crlnumber         = $dir/crlnumber
24 crl               = $dir/crl/ca.crl.pem
25 crl_extensions    = crl_ext
26 default_crl_days  = 30
28 # SHA-1 is deprecated, so use SHA-2 instead.
29 default_md        = sha256
31 name_opt          = ca_default
32 cert_opt          = ca_default
33 default_days      = 375
34 preserve          = no
35 policy            = policy_strict
37 [ policy_strict ]
38 # The root CA should only sign intermediate certificates that match.
39 # See the POLICY FORMAT section of `man ca`.
40 countryName             = match
41 stateOrProvinceName     = match
42 organizationName        = match
43 organizationalUnitName  = optional
44 commonName              = supplied
45 emailAddress            = optional
47 [ policy_loose ]
48 # Allow the intermediate CA to sign a more diverse range of certificates.
49 # See the POLICY FORMAT section of the `ca` man page.
50 countryName             = optional
51 stateOrProvinceName     = optional
52 localityName            = optional
53 organizationName        = optional
54 organizationalUnitName  = optional
55 commonName              = supplied
56 emailAddress            = optional
58 [ req ]
59 # Options for the `req` tool (`man req`).
60 default_bits        = 2048
61 distinguished_name  = req_distinguished_name
62 string_mask         = utf8only
64 # SHA-1 is deprecated, so use SHA-2 instead.
65 default_md          = sha256
67 # Extension to add when the -x509 option is used.
68 x509_extensions     = v3_ca
70 [ req_distinguished_name ]
71 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
72 countryName                     = Country Name (2 letter code)
73 stateOrProvinceName             = State or Province Name
74 localityName                    = Locality Name
75 0.organizationName              = Organization Name
76 organizationalUnitName          = Organizational Unit Name
77 commonName                      = Common Name
78 emailAddress                    = Email Address
80 # Optionally, specify some defaults.
81 countryName_default             = GB
82 stateOrProvinceName_default     = England
83 localityName_default            =
84 0.organizationName_default      = Xmlsecurity Test
85 organizationalUnitName_default  =
86 emailAddress_default            =
88 [ v3_ca ]
89 # Extensions for a typical CA (`man x509v3_config`).
90 subjectKeyIdentifier = hash
91 authorityKeyIdentifier = keyid:always,issuer
92 basicConstraints = critical, CA:true
93 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
95 [ v3_intermediate_ca ]
96 # Extensions for a typical intermediate CA (`man x509v3_config`).
97 subjectKeyIdentifier = hash
98 authorityKeyIdentifier = keyid:always,issuer
99 basicConstraints = critical, CA:true, pathlen:0
100 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
102 [ usr_cert ]
103 # Extensions for client certificates (`man x509v3_config`).
104 basicConstraints = CA:FALSE
105 nsCertType = client, email
106 nsComment = "OpenSSL Generated Client Certificate"
107 subjectKeyIdentifier = hash
108 authorityKeyIdentifier = keyid,issuer
109 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
110 extendedKeyUsage = clientAuth, emailProtection
112 [ server_cert ]
113 # Extensions for server certificates (`man x509v3_config`).
114 basicConstraints = CA:FALSE
115 nsCertType = server
116 nsComment = "OpenSSL Generated Server Certificate"
117 subjectKeyIdentifier = hash
118 authorityKeyIdentifier = keyid,issuer:always
119 keyUsage = critical, digitalSignature, keyEncipherment
120 extendedKeyUsage = serverAuth
122 [ crl_ext ]
123 # Extension for CRLs (`man x509v3_config`).
124 authorityKeyIdentifier=keyid:always
126 [ ocsp ]
127 # Extension for OCSP signing certificates (`man ocsp`).
128 basicConstraints = CA:FALSE
129 subjectKeyIdentifier = hash
130 authorityKeyIdentifier = keyid,issuer
131 keyUsage = critical, digitalSignature
132 extendedKeyUsage = critical, OCSPSigning