diff --git a/README b/README
index 2133b0b..f03f259 100644
--- a/README
+++ b/README
@@ -1 +1,5 @@
 This directory contains various OpenSSL configuration examples and scripts.
+
+Configuration files:
+
+- rootca.conf - Example root CA configuration
diff --git a/rootca.conf b/rootca.conf
new file mode 100644
index 0000000..f3b99b3
--- /dev/null
+++ b/rootca.conf
@@ -0,0 +1,65 @@
+# Example root CA configuration
+# this CA should only be used to sign sub CAs
+#
+# Author: Jan Dittberner
+# Date: 2011-05-03
+
+RANDFILE = $ENV::HOME/rootca/.rnd
+
+extensions = v3_ext
+
+[ ca ]
+default_ca = EXAMPLEROOT # name of the default CA section
+
+[ EXAMPLEROOT ]
+dir = $ENV::HOME/rootca
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/ca.crt.pem
+serial = $dir/serial
+crl = $dir/crl.pem
+private_key = $dir/private/ca.key.pem
+RANDFILE = $dir/private/.rand
+unique_subject = no
+
+email_in_dn = no
+policy = policy_exampleroot
+x509_extensions = subca_cert
+
+# certificates are valid for 5 years
+default_days = 1825
+default_crl_days= 30
+default_md = sha256
+
+copy_extensions = copy
+
+[ policy_exampleroot ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = supplied
+commonName = supplied
+emailAddress = optional
+
+[ subca_cert ]
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, keyCertSign,cRLSign
+nsComment = "Example Root CA signed Sub CA certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName = email:copy
+issuerAltName = issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier = keyid:always,issuer:always
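Review bot: `copy_extensions = copy` in the EXAMPLEROOT section copies every extension from a sub-CA request that the CA section does not itself set, so while `subca_cert` overrides basicConstraints, keyUsage and subjectAltName, an extendedKeyUsage, nameConstraints or crlDistributionPoints extension present in a CSR would land in the signed sub-CA certificate unreviewed. For a root that only signs sub-CAs, the safer choice is the default `copy_extensions = none` with every extension declared in `subca_cert`, or at least a comment stating that each CSR is inspected with `openssl req -text` before `openssl ca` is run. Separately, `[ crl_ext ]` is defined but never referenced: without `crl_extensions = crl_ext` in the EXAMPLEROOT section, CRLs produced with `-gencrl` will not carry the authorityKeyIdentifier that section is meant to add. The top-level `extensions = v3_ext` also names a section this file never defines, so any command that honours that key will presumably fail with a missing-section error.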