add example root ca configuration

2011-05-03 20:15:04 +02:00 · 2011-05-03 20:15:04 +02:00 · 4df618e834
commit 4df618e834
parent 28925793fc
2 changed files with 69 additions and 0 deletions
--- a/4
+++ b/4
@ -1 +1,5 @@
 This directory contains various OpenSSL configuration examples and scripts.
+
+Configuration files:
+
+- rootca.conf    - Example root CA configuration
--- a/rootca.conf
+++ b/rootca.conf
@ -0,0 +1,65 @@
+# Example root CA configuration
+# this CA should only be used to sign sub CAs
+#
+# Author: Jan Dittberner <jan@dittberner.info>
+# Date:   2011-05-03
+
+RANDFILE        = $ENV::HOME/rootca/.rnd
+
+extensions      = v3_ext 
+
+[ ca ]
+default_ca      = EXAMPLEROOT     # name of the default CA section
+
+[ EXAMPLEROOT ]
+dir             = $ENV::HOME/rootca
+certs           = $dir/certs
+crl_dir         = $dir/crl
+database        = $dir/index.txt
+new_certs_dir   = $dir/newcerts
+
+certificate     = $dir/ca.crt.pem
+serial          = $dir/serial
+crl             = $dir/crl.pem
+private_key     = $dir/private/ca.key.pem
+RANDFILE        = $dir/private/.rand
+unique_subject  = no
+
+email_in_dn     = no
+policy          = policy_exampleroot
+x509_extensions = subca_cert
+
+# certificates are valid for 5 years
+default_days    = 1825
+default_crl_days= 30
+default_md      = sha256
+
+copy_extensions = copy
+
+[ policy_exampleroot ]
+countryName            = match
+stateOrProvinceName    = match
+organizationName       = match
+organizationalUnitName = supplied
+commonName             = supplied
+emailAddress           = optional
+
+[ subca_cert ]
+basicConstraints       = critical, CA:true, pathlen:0
+keyUsage               = critical, keyCertSign,cRLSign
+nsComment              = "Example Root CA signed Sub CA certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName         = email:copy
+issuerAltName          = issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier = keyid:always,issuer:always