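#
# OpenSSL configuration file.
#
# The @...@ tokens below appear to be template placeholders that are
# substituted before openssl reads this file -- confirm against the
# generator that consumes it.

# Establish working directory
dir = .

[ ca ]
default_ca = CA_Default

[ CA_Default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/ca-cert.pem
# CA signing key. Keep this file readable only by the account running the CA.
private_key = $dir/private/ca-key.pem
# Certificates are signed for default_days days
default_days = @LENGTH@
# Digest used when signing certificates. This was sha1, which is no longer
# collision-resistant and is rejected for certificate signatures by current
# TLS stacks, so it is replaced with sha256.
default_md = sha256
preserve = no
email_in_dn = no
# NOTE(review): the stock openssl.cnf spells these name_opt / cert_opt with
# the value ca_default; confirm that the spelling used here is honoured.
nameopt = default_ca
certopt = default_ca
policy = policy_match
# Extensions present in the request and not already set by x509_extensions
# are copied into the issued certificate. v3_x509 pins basicConstraints to
# CA:FALSE, but it does not set keyUsage, extendedKeyUsage or subjectAltName,
# so those are taken from the request as submitted. Inspect every request
# before signing it.
copy_extensions = copy
# We want those extensions only to generate the root certificates, so
# we specify it on the command line:
# NOTE(review): "those extensions" presumably means [ v3_ca ]; every other
# certificate gets [ v3_x509 ].
x509_extensions = v3_x509

[ policy_match ]
localityName = match
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Key size in bits:
default_bits = 2048
# Name of the generated key (specify it as a CLI argument if different):
default_keyfile = newkeys/key.pem
# Hash algorithm used to sign the request (was sha1, see [ CA_Default ]):
default_md = sha256
# Authorised characters:
string_mask = nombstr
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
organizationName = @ORG@
organizationalUnitName = @ORGUNIT@
localityName = @LOCALITY@
stateOrProvinceName = @STATE@
countryName = @COUNTRY@
commonName = @COMMONNAME@

# Extensions for a CA certificate.
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# Extensions placed in certificate requests (req_extensions above).
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName = @ALTNAME@

# Extensions added by the CA to every certificate it signs
# (x509_extensions above).
[ v3_x509 ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always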