net/data/ssl/scripts/redundant-ca.cnf

   1 CA_DIR = out
   2
   3 [ca]
   4 default_ca = CA_root
   5 preserve   = yes
   6
   7 # The default test root, used to generate certificates and CRLs.
   8 [CA_root]
   9 dir           = ${ENV::CA_DIR}
  10 database      = ${dir}/${ENV::CERTIFICATE}-index.txt
  11 new_certs_dir = ${dir}
  12 serial        = ${dir}/${ENV::CERTIFICATE}-serial
  13 certificate   = ${dir}/${ENV::CERTIFICATE}.pem
  14 private_key   = ${dir}/${ENV::CERTIFICATE}.key
  15 RANDFILE      = ${dir}/rand
  16 default_days     = 3650
  17 default_crl_days = 30
  18 default_md       = sha256
  19 policy           = policy_anything
  20 unique_subject   = no
  21
  22 [user_cert]
  23 # Extensions to add when signing a request for an EE cert
  24 basicConstraints       = critical, CA:false
  25 subjectKeyIdentifier   = hash
  26 authorityKeyIdentifier = keyid:always
  27 extendedKeyUsage       = serverAuth,clientAuth
  28
  29 [ca_cert]
  30 # Extensions to add when signing a request for an intermediate/CA cert
  31 basicConstraints       = critical, CA:true
  32 subjectKeyIdentifier   = hash
  33 #authorityKeyIdentifier = keyid:always
  34 keyUsage               = critical, keyCertSign, cRLSign
  35
  36 [crl_extensions]
  37 # Extensions to add when signing a CRL
  38 authorityKeyIdentifier = keyid:always
  39
  40 [policy_anything]
  41 # Default signing policy
  42 countryName            = optional
  43 stateOrProvinceName    = optional
  44 localityName           = optional
  45 organizationName       = optional
  46 organizationalUnitName = optional
  47 commonName             = optional
  48 emailAddress           = optional
  49
  50 [req]
  51 # The request section used to generate certificate requests.
  52 default_bits       = 2048
  53 default_md         = sha256
  54 string_mask        = utf8only
  55 prompt             = no
  56 encrypt_key        = no
  57 distinguished_name = req_env_dn
  58
  59 [req_env_dn]
  60 CN = ${ENV::CA_COMMON_NAME}