1 # Defaults in the event they're not set in the environment
12 # The default test root, used to generate certificates and CRLs.
# NOTE(review): the gutter numbering skips lines here; the section header and
# the definitions of $dir and $algo are not visible in this listing.
# Key size and certificate type are read from the environment, so KEY_SIZE
# and CERT_TYPE must be set (or defaulted elsewhere) when openssl loads this.
15 key_size = $ENV::KEY_SIZE
17 cert_type = $ENV::CERT_TYPE
# Every CA artifact below is named after this composed string.
18 type = $key_size-$algo-$cert_type
19 database = $dir/$type-index.txt
21 serial = $dir/$type-serial
22 certificate = $dir/$type.pem
# The CA private key is written next to the public artifacts in $dir. That is
# workable for a throwaway test root; a key that must stay secret needs its
# own access-controlled location.
23 private_key = $dir/$type.key
# Signing policy referenced by name; presumably the section commented
# "Default signing policy" further down (its header is not visible here).
28 policy = policy_anything
# Extensions present in the request are copied into the issued certificate
# unless the signing section already sets them. The requester therefore
# controls any extension the signing section leaves out (for example
# subjectAltName), so this CA should only sign requests produced by the test
# scripts themselves.
30 copy_extensions = copy
33 # Extensions to add when signing a request for an EE cert
# NOTE(review): the [section] header for these keys is not visible in this
# listing.
# Critical CA:false: a verifier must not accept the cert as an issuer.
34 basicConstraints = critical, CA:false
35 subjectKeyIdentifier = hash
# keyid:always makes signing fail if the issuer's key identifier cannot be
# copied, instead of silently omitting the extension.
36 authorityKeyIdentifier = keyid:always
# Valid for both TLS server and TLS client authentication.
37 extendedKeyUsage = serverAuth,clientAuth
40 # A leaf cert that will violate the root's imposed name constraints
# NOTE(review): the [section] header is not visible in this listing;
# presumably name_constraint_bad, mirroring [name_constraint_good] - confirm.
# Negative fixture: a verifier that enforces the root's name constraints is
# expected to reject a chain ending in this cert. The constraints themselves
# are not shown in the visible lines.
41 basicConstraints = critical, CA:false
42 subjectKeyIdentifier = hash
43 authorityKeyIdentifier = keyid:always
44 extendedKeyUsage = serverAuth,clientAuth
# SAN entries are taken from the [san_name_constraint_bad] section.
45 subjectAltName = @san_name_constraint_bad
47 [name_constraint_good]
48 # A leaf cert that will match the root's imposed name constraints
# Positive counterpart of the violating leaf: the same extensions, differing
# only in which SAN section is referenced.
49 basicConstraints = critical, CA:false
50 subjectKeyIdentifier = hash
51 authorityKeyIdentifier = keyid:always
52 extendedKeyUsage = serverAuth,clientAuth
# SAN entries are taken from the [san_name_constraint_good] section.
53 subjectAltName = @san_name_constraint_good
# SAN lists for the two name-constraint leaf certs. They differ only in DNS.2;
# which entry violates the constraint depends on the root's nameConstraints,
# which are not visible in this listing.
# NOTE(review): the mixed-case spelling presumably exercises case-insensitive
# DNS name matching in the verifier under test - confirm.
55 [san_name_constraint_bad]
56 DNS.1 = test.ExAmPlE.CoM
57 DNS.2 = test.ExAmPlE.OrG
59 [san_name_constraint_good]
60 DNS.1 = test.ExAmPlE.CoM
61 DNS.2 = example.notarealtld
64 # Extensions to add when signing a request for an intermediate/CA cert
# NOTE(review): the [section] header for these keys is not visible in this
# listing.
# CA:true is given without a pathlen value, so certs signed with this section
# carry no limit on how many subordinate CAs may be chained beneath them.
65 basicConstraints = critical, CA:true
66 subjectKeyIdentifier = hash
# Left disabled by the author: this section adds no authority key identifier
# to the CA certs it signs.
67 #authorityKeyIdentifier = keyid:always
# Critical key usage limited to signing certificates and CRLs.
68 keyUsage = critical, keyCertSign, cRLSign
71 # Extensions to add when signing a CRL
# NOTE(review): the [section] header is not visible in this listing.
# Ties each CRL to the issuing key; keyid:always fails CRL generation if the
# issuer's key identifier cannot be copied.
72 authorityKeyIdentifier = keyid:always
75 # Default signing policy
# NOTE(review): the [section] header is not visible; presumably
# policy_anything, the name the CA section's "policy" key refers to. Gutter
# line 81 is also absent from this listing.
# Every field shown is optional, so the CA places no requirement on these
# subject fields of an incoming request. That suits test fixtures; a CA that
# vouches for identity would need match/supplied rules here.
76 countryName = optional
77 stateOrProvinceName = optional
78 localityName = optional
79 organizationName = optional
80 organizationalUnitName = optional
82 emailAddress = optional
85 # The request section used to generate the root CA certificate. This should
86 # not be used to generate end-entity certificates. For certificates other
87 # than the root CA, see README to find the appropriate configuration file
88 # (ie: openssl_cert.cnf).
# NOTE(review): the [section] header and several keys (gutter lines 90, 92,
# 93) are not visible in this listing.
# Key size is read from the KEY_SIZE environment variable.
89 default_bits = $ENV::KEY_SIZE
# Subject strings are encoded as UTF8String only.
91 string_mask = utf8only
# The DN section is chosen at run time: CA_NAME must hold the name of a
# section in this file (for example req_intermediate_dn).
94 distinguished_name = $ENV::CA_NAME
# Extension section named for certificates generated directly from this
# request section.
95 x509_extensions = req_ca_exts
# Subject name used when the CA_NAME environment variable selects this section
# through the request section's distinguished_name key.
104 [req_intermediate_dn]
109 CN = Test Intermediate CA
# NOTE(review): the gutter jumps from 109 to 112, so this key belongs to a
# different DN section whose header is not visible here. Its common name is
# supplied by the CA_COMMON_NAME environment variable.
112 CN = $ENV::CA_COMMON_NAME
# NOTE(review): the [section] header is not visible; presumably req_ca_exts,
# the section named by x509_extensions above - confirm.
# Marks the generated cert as a CA, with no pathlen limit on chain depth.
115 basicConstraints = critical, CA:true
# Critical key usage limited to signing certificates and CRLs.
116 keyUsage = critical, keyCertSign, cRLSign
117 subjectKeyIdentifier = hash