net/data/ssl/scripts/client-certs.cnf

   1 ID=1
   2 CA_DIR=out
   3
   4 [ca]
   5 default_ca = ca_settings
   6 preserve   = yes
   7
   8 [ca_settings]
   9 dir             = ${ENV::CA_DIR}
  10 database        = $dir/${ENV::ID}-index.txt
  11 new_certs_dir   = $dir
  12 serial          = $dir/${ENV::ID}-serial
  13 certificate     = $dir/${ENV::ID}.pem
  14 private_key     = $dir/${ENV::ID}.key
  15 RANDFILE        = $dir/rand
  16 default_md      = sha256
  17 default_days    = 3650
  18 policy          = policy_anything
  19 unique_subject  = no
  20 copy_extensions = copy
  21
  22 [policy_anything]
  23 # Default signing policy
  24 countryName            = optional
  25 stateOrProvinceName    = optional
  26 localityName           = optional
  27 organizationName       = optional
  28 organizationalUnitName = optional
  29 commonName             = optional
  30 emailAddress           = optional
  31
  32 [req]
  33 default_bits       = 2048
  34 default_md         = sha256
  35 string_mask        = utf8only
  36 prompt             = no
  37 encrypt_key        = no
  38 distinguished_name = req_env_dn
  39
  40 [user_cert]
  41 # Extensions to add when signing a request for an EE cert
  42 basicConstraints = critical, CA:false
  43 extendedKeyUsage = serverAuth,clientAuth
  44
  45 [ca_cert]
  46 # Extensions to add when signing a request for an intermediate/CA cert
  47 basicConstraints = critical, CA:true
  48 keyUsage         = critical, keyCertSign, cRLSign
  49
  50 [req_env_dn]
  51 CN = ${ENV::COMMON_NAME}