# ca.cnf (net/data/ssl/scripts): OpenSSL configuration for the test root CA.
#
# Fallback values for the $ENV:: lookups further down, used when the matching
# environment variable is not set. OpenSSL only applies a fallback that is
# defined earlier in the file than the expansion, so this block stays first.
# NOTE(review): CA_COMMON_NAME, read by [req_env_dn], has no fallback here
# even though CA_NAME defaults to req_env_dn; callers presumably have to
# export it. Confirm against the scripts that use this file.
CA_DIR = out
KEY_SIZE = 2048
ALGO = sha256
CERT_TYPE = root
CA_NAME = req_env_dn
[ca]
# CA section that "openssl ca" uses when no -name option is given.
default_ca = CA_root
# Keep the subject DN fields in the order the request supplied them.
# NOTE(review): "openssl ca" normally looks this key up in the section that
# default_ca points to, so it may have no effect in [ca]; confirm.
preserve = yes
# The default test root, used to generate certificates and CRLs.
[CA_root]
# Inputs taken from the environment, or from the fallbacks at the top of the
# file when the variable is unset.
dir = $ENV::CA_DIR
key_size = $ENV::KEY_SIZE
algo = $ENV::ALGO
cert_type = $ENV::CERT_TYPE

# File-name stem shared by this CA's artefacts (2048-sha256-root with the
# fallback values). The keys above must stay ahead of this line because
# variables are expanded in file order.
type = $key_size-$algo-$cert_type
database = $dir/$type-index.txt
new_certs_dir = $dir
serial = $dir/$type-serial
certificate = $dir/$type.pem
# The CA private key is stored in the same directory as the issued
# certificates; acceptable for throwaway test material only.
private_key = $dir/$type.key
RANDFILE = $dir/.rand

# Validity periods, in days.
default_days = 3650
default_crl_days = 30
# NOTE(review): the signing digest is fixed here; $algo above only feeds the
# file names. Confirm that is intended when ALGO is overridden.
default_md = sha256
# Permissive issuance settings: the policy section makes every DN field
# optional and the same subject may be issued more than once.
policy = policy_anything
unique_subject = no
# Request extensions that the signing section does not set itself are copied
# into the certificate, so only requests produced by trusted scripts should
# be signed with this configuration.
copy_extensions = copy
[user_cert]
# Extensions applied when a request is signed as an end-entity (leaf)
# certificate.
# Critical CA:false marks the leaf as unable to act as an issuer.
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
# "always" makes signing fail when the issuer key identifier is unavailable.
authorityKeyIdentifier = keyid:always
# Valid for both TLS server and TLS client authentication.
extendedKeyUsage = serverAuth,clientAuth
[name_constraint_bad]
# Leaf extensions for a certificate that is meant to violate the name
# constraints imposed by the root. The constraints themselves are not set in
# the sections visible here.
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth
# Names come from [san_name_constraint_bad].
subjectAltName = @san_name_constraint_bad
[name_constraint_good]
# Leaf extensions for a certificate that is meant to satisfy the name
# constraints imposed by the root. The constraints themselves are not set in
# the sections visible here.
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth
# Names come from [san_name_constraint_good].
subjectAltName = @san_name_constraint_good
[san_name_constraint_bad]
# DNS names for the certificate that should be rejected.
# The mixed-case labels presumably exercise case-insensitive name matching;
# confirm against the tests that consume this certificate.
DNS.1 = test.ExAmPlE.CoM
DNS.2 = test.ExAmPlE.OrG
[san_name_constraint_good]
# DNS names for the certificate that should be accepted.
# The mixed-case label presumably exercises case-insensitive name matching;
# confirm against the tests that consume this certificate.
DNS.1 = test.ExAmPlE.CoM
DNS.2 = example.notarealtld
[ca_cert]
# Extensions applied when a request is signed as an intermediate/CA
# certificate.
# No pathlen is given, so the depth of the chain below a certificate signed
# with this section is not limited by basicConstraints.
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
# Disabled in the original file; the reason is not recorded here.
#authorityKeyIdentifier = keyid:always
# Restrict the key to signing certificates and CRLs.
keyUsage = critical, keyCertSign, cRLSign
[crl_extensions]
# Extensions applied when a CRL is signed.
# "always" makes signing fail when the issuer key identifier is unavailable.
authorityKeyIdentifier = keyid:always
[policy_anything]
# Default signing policy, referenced by "policy" in [CA_root].
# Every field is optional, so the CA places no requirement on which subject
# fields a request carries or on their values.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[req]
# Request settings for generating the root CA certificate. Do not use this
# section for end-entity certificates; for anything other than the root CA,
# the README names the appropriate configuration file
# (ie: openssl_cert.cnf).
default_bits = $ENV::KEY_SIZE
default_md = sha256
string_mask = utf8only
# Non-interactive: subject fields are read from the DN section, not prompted.
prompt = no
# The generated private key is written without a passphrase, so the key file
# must be treated as test material only.
encrypt_key = no
# DN section selected through the CA_NAME environment variable.
distinguished_name = $ENV::CA_NAME
x509_extensions = req_ca_exts
[req_ca_dn]
# Fixed subject for the test root CA; selected with CA_NAME=req_ca_dn.
C = US
ST = California
L = Mountain View
O = Test CA
CN = Test Root CA
[req_intermediate_dn]
# Fixed subject for the test intermediate CA; selected with
# CA_NAME=req_intermediate_dn.
C = US
ST = California
L = Mountain View
O = Test CA
CN = Test Intermediate CA
[req_env_dn]
# Subject consisting only of a common name taken from the environment.
# This is the DN section used when CA_NAME is left at its fallback value.
# NOTE(review): no fallback for CA_COMMON_NAME is visible in this file, so
# the variable presumably has to be exported by the caller; confirm.
CN = $ENV::CA_COMMON_NAME
[req_ca_exts]
# Extensions for the root certificate, referenced by x509_extensions in [req].
# No pathlen is given, so basicConstraints does not limit the chain depth
# below this root.
basicConstraints = critical, CA:true
# Restrict the key to signing certificates and CRLs.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash