scripts/ssl_mgmt/openssl.cnf.in


#
# OpenSSL configuration file.
#
# This is a template: the @NAME@ tokens further down are placeholders that
# have to be replaced with real values before openssl reads the file
# (presumably done by the scripts in scripts/ssl_mgmt -- confirm).
#
# Establish working directory
# "." is a relative path, so every $dir/... path below resolves against the
# current working directory of the openssl invocation. Running a command from
# another directory makes it use a different serial, database and CA key.
dir = .
# Section read by "openssl ca". default_ca names the section that holds the
# CA settings used when no other section is selected with -name.
[ ca ]
default_ca = CA_Default
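# Settings "openssl ca" uses when it signs a certificate request.
[ CA_Default ]
# CA bookkeeping: next serial number, database of issued certificates, and
# the directory that receives a copy of every certificate issued.
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
# CA certificate and its private key. The key is the most sensitive file
# referenced here: anyone who can read it can issue certificates under this
# CA, so keep $dir/private accessible to the CA operator only.
certificate = $dir/certs/ca-cert.pem
private_key = $dir/private/ca-key.pem
# Certificates are signed for default_days days
default_days = @LENGTH@
# Digest used for the CA's signature. SHA-1 is no longer collision resistant
# and SHA-1-signed certificates are rejected by current TLS stacks and
# browsers, so issue with SHA-256.
default_md = sha256
# Do not keep the DN field order of the request; use the order of the policy
# section instead.
preserve = no
# Leave emailAddress out of the subject DN of issued certificates.
email_in_dn = no
# NOTE(review): the "ca" command documents these display options as
# name_opt / cert_opt with the value ca_default; as spelled here they look
# like keys openssl does not read -- verify before relying on them.
nameopt = default_ca
certopt = default_ca
# Subject DN rules applied to every request (see [ policy_match ]).
policy = policy_match
# Extensions present in the request are copied into the certificate unless
# x509_extensions already sets the same extension. basicConstraints is pinned
# to CA:FALSE in [ v3_x509 ], so a request cannot obtain CA:TRUE this way, but
# anything else the requester put in the CSR (subjectAltName, keyUsage, ...)
# is signed as-is: inspect requests that come from other parties before
# signing them.
copy_extensions = copy
# Extensions added to every certificate signed by this CA.
# The root-certificate extensions ([ v3_ca ]) are not referenced from this
# file; presumably they are selected on the command line when the root is
# generated -- confirm against the calling script.
x509_extensions = v3_x509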
# Subject DN policy enforced by "openssl ca" on each request:
#   match    - the field must be present and equal to the same field of the
#              CA certificate
#   supplied - the field must be present, any value
#   optional - the field may be present
# Requests whose locality, country, state or organisation differ from the
# CA's own are therefore refused.
[ policy_match ]
localityName = match
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
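# Settings used by "openssl req" when generating keys and certificate
# requests.
[ req ]
# Keys' size, in bits:
default_bits = 2048
# Name of the generated key (specify it as a CLI argument if different).
# This is a private key: the newkeys directory should not be readable by
# other users.
default_keyfile = newkeys/key.pem
# Hash algorithm used to sign the request (and a self-signed certificate
# made with "req -x509"). SHA-1 is no longer collision resistant and is
# rejected by current TLS stacks, so use SHA-256.
default_md = sha256
# Authorised characters:
# nombstr limits DN strings to PrintableString and T61String.
# NOTE(review): current OpenSSL sample configurations use utf8only; switch
# only after confirming that existing certificates still match the policy.
string_mask = nombstr
# Do not prompt: the DN values are read directly from the section named by
# distinguished_name.
prompt = no
distinguished_name = req_distinguished_name
# Extensions placed in the certificate request itself.
req_extensions = v3_req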
# Subject DN of the request. Because [ req ] sets prompt = no, each line is a
# literal field value, not a prompt text. Every value is a template
# placeholder that must be substituted before use.
# The fields marked "match" in [ policy_match ] have to equal those of the CA
# certificate, or the CA will refuse to sign the request.
[ req_distinguished_name ]
organizationName = @ORG@
organizationalUnitName = @ORGUNIT@
localityName = @LOCALITY@
stateOrProvinceName = @STATE@
countryName = @COUNTRY@
commonName = @COMMONNAME@
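# Extensions for the CA (root) certificate. No other section of this file
# refers to v3_ca, so it only takes effect when named explicitly, e.g. with
# -extensions on the command line.
[ v3_ca ]
# RFC 5280 requires basicConstraints to be marked critical in CA
# certificates, so that software which does not understand the extension
# rejects the certificate instead of ignoring the CA flag.
# NOTE(review): no pathlen and no keyUsage are set; consider restricting the
# root to keyCertSign and cRLSign once it is confirmed that it is used for
# signing only.
basicConstraints = critical, CA:TRUE
# subjectKeyIdentifier comes first so that the key identifier exists when
# authorityKeyIdentifier is built for a self-signed certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always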
# Extensions written into the certificate request (req_extensions in
# [ req ]).
[ v3_req ]
# The request asks for an end-entity certificate, not a CA.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# Template placeholder; after substitution the value has to be a valid
# subjectAltName list such as DNS:host.example (constructed example).
# If the token is left in place, openssl treats a leading "@" as a reference
# to a configuration section, which does not exist here.
# With copy_extensions = copy in [ CA_Default ], the names given here end up
# in the signed certificate unchanged.
subjectAltName = @ALTNAME@
# Extensions the CA adds to every certificate it signs (x509_extensions in
# [ CA_Default ]).
[ v3_x509 ]
# Issued certificates are end-entity certificates. Setting this here also
# matters for copy_extensions = copy: an extension defined in this section is
# not replaced by the one from the request, so a CSR that asks for CA:TRUE
# still receives CA:FALSE.
# NOTE(review): keyUsage and extendedKeyUsage are not set here, so they are
# taken from the request when present -- confirm that this is intended.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# Identify the issuing CA by key identifier and by issuer name plus serial.
authorityKeyIdentifier = keyid:always,issuer:always