scripts/ssl_mgmt/openssl.cnf.in


#
# OpenSSL configuration file.
#
# Establish working directory
# Every CA path below is built from $dir. "." is a relative path, so those
# files resolve against the directory the openssl command is run from.
dir = .
# Settings for the "openssl ca" command. default_ca names the section that
# is used when no -name option is given on the command line.
[ ca ]
default_ca = CA_Default
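# CA state files and signing defaults, selected by default_ca in [ ca ].
[ CA_Default ]
# Next serial number to issue, and the text database of issued certificates.
serial = $dir/serial
database = $dir/index.txt
# Directory that receives a copy of every certificate the CA issues.
new_certs_dir = $dir/newcerts
# CA certificate and its private key. Whoever can read the key file can
# issue certificates as this CA; keep $dir/private restricted to the CA
# operator.
certificate = $dir/certs/ca-cert.pem
private_key = $dir/private/ca-key.pem
# Certificates are signed for default_days days. The value is a template
# placeholder (presumably filled in by the ssl_mgmt scripts -- confirm).
default_days = #LENGTH#
# Digest used to sign issued certificates. MD5 is collision-broken and
# MD5-signed certificates are widely rejected by current TLS libraries, so
# sign with SHA-256.
default_md = sha256
# Do not keep the DN field order of the request, and leave the e-mail
# address out of the subject DN.
preserve = no
email_in_dn = no
# NOTE(review): "openssl ca" documents these display options as name_opt and
# cert_opt, with the value ca_default. As spelled here they may be silently
# ignored -- confirm against the OpenSSL version in use.
nameopt = default_ca
certopt = default_ca
# DN policy section applied to every request before signing.
policy = policy_match
# NOTE(review): with "copy", any extension in the request that the CA does
# not set itself is copied into the issued certificate. This section defines
# no x509_extensions, so unless the signing command supplies -extensions or
# -extfile, a request carrying basicConstraints = CA:TRUE would be issued as
# a CA certificate. Pin basicConstraints = CA:FALSE in a CA-side extension
# section and inspect each request before signing.
copy_extensions = copy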
# DN policy applied by the CA when signing (policy = policy_match):
#   match    - the field must equal the same field of the CA certificate
#   supplied - the field must be present in the request
#   optional - the field may be absent
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
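# Defaults for "openssl req" (key and certificate request generation).
[ req ]
# Keys' size:
default_bits = 2048
# Name of the generated key (specify it as a CLI argument if different).
# This path does not use $dir; it is relative to the current directory.
default_keyfile = newkeys/key.pem
# Hash algorithm used to sign the request, and the self-signed certificate
# when "req -x509" is used. MD5 is collision-broken; use SHA-256.
default_md = sha256
# Authorised characters (nombstr: PrintableString and T61String only, no
# BMPString or UTF8String):
string_mask = nombstr
# Take the subject DN from the section named below instead of prompting.
prompt = no
distinguished_name = req_distinguished_name
# Extensions added to certificate requests.
req_extensions = v3_req
# Extensions for the root certificate only: OpenSSL applies this section
# just when "req -x509" writes a self-signed certificate, never to an
# ordinary certificate request.
x509_extensions = v3_ca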
# Subject DN written into generated requests; used as-is because [ req ]
# sets prompt = no. Every value is a template placeholder, presumably
# replaced by the ssl_mgmt scripts before the file is used -- confirm.
# Left unsubstituted, the leading "#" starts a comment and the field is empty.
# NOTE(review): the substituted text is parsed by OpenSSL, which expands "$"
# variables and treats "#", "\" and quotes specially; validate or escape
# operator-supplied values before writing them into this file.
[ req_distinguished_name ]
organizationName = #ORG#
organizationalUnitName = #ORGUNIT#
localityName = #LOCALITY#
stateOrProvinceName = #STATE#
countryName = #COUNTRY#
commonName = #COMMONNAME#
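# Extensions for the self-signed root certificate (x509_extensions in [ req ]).
[ v3_ca ]
# Marked critical, as RFC 5280 requires for CA certificates, so a verifier
# that does not process the extension rejects the certificate instead of
# ignoring the CA flag.
basicConstraints = critical, CA:TRUE
# NOTE(review): consider adding "keyUsage = critical, keyCertSign, cRLSign"
# to restrict the root key to signing certificates and CRLs -- first confirm
# the CA certificate is not used for anything else.
# NOTE(review): keep subjectKeyIdentifier ahead of authorityKeyIdentifier;
# on a self-signed certificate "keyid:always" presumably needs the subject
# key identifier to exist already -- confirm before reordering.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always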
# Extensions placed in certificate requests (req_extensions in [ req ]).
# Because CA_Default sets copy_extensions = copy, they are carried into the
# issued certificate unless the CA sets the same extension itself.
[ v3_req ]
# End-entity certificate: it must not be usable to sign other certificates.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# Template placeholder, presumably replaced with the names the certificate
# should be valid for -- confirm against the script that fills it in.
subjectAltName = #ALTNAME#