net/data/ssl/scripts/policy.cnf

   1 CA_DIR=out
   2 CA_NAME=policy-root
   3
   4 [ca]
   5 default_ca = CA_root
   6 preserve   = yes
   7
   8 [CA_root]
   9 dir           = ${ENV::CA_DIR}
  10 key_size      = 2048
  11 algo          = sha256
  12 database      = $dir/${ENV::CA_NAME}-index.txt
  13 new_certs_dir = $dir
  14 serial        = $dir/${ENV::CA_NAME}-serial
  15 certificate   = $dir/${ENV::CA_NAME}.pem
  16 private_key   = $dir/${ENV::CA_NAME}.key
  17 RANDFILE      = $dir/.rand
  18 default_days     = 3650
  19 default_crl_days = 30
  20 default_md       = sha256
  21 policy           = policy_anything
  22 unique_subject   = no
  23 copy_extensions  = copy
  24
  25 [user_cert]
  26 basicConstraints       = critical, CA:false
  27 extendedKeyUsage       = serverAuth, clientAuth
  28 certificatePolicies    = 1.2.3.4
  29
  30 [ca_cert]
  31 basicConstraints       = critical, CA:true
  32 keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
  33
  34 [intermediate_cert]
  35 basicConstraints       = critical, CA:true
  36 keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
  37 policyConstraints      = requireExplicitPolicy:0
  38 certificatePolicies    = 1.2.3.4, 1.2.3.4.5, 1.2.3.5
  39
  40 [policy_anything]
  41 # Default signing policy
  42 countryName            = optional
  43 stateOrProvinceName    = optional
  44 localityName           = optional
  45 organizationName       = optional
  46 organizationalUnitName = optional
  47 commonName             = optional
  48 emailAddress           = optional
  49
  50 [req]
  51 default_bits       = 2048
  52 default_md         = sha256
  53 string_mask        = utf8only
  54 prompt             = no
  55 encrypt_key        = no
  56 distinguished_name = req_env_dn
  57
  58 [req_env_dn]
  59 CN = ${ENV::COMMON_NAME}
  60