add example root ca configuration
This commit is contained in:
parent
28925793fc
commit
4df618e834
2 changed files with 69 additions and 0 deletions
4
README
4
README
|
|
@ -1 +1,5 @@
|
||||||
This directory contains various OpenSSL configuration examples and scripts.
|
This directory contains various OpenSSL configuration examples and scripts.
|
||||||
|
|
||||||
|
Configuration files:
|
||||||
|
|
||||||
|
- rootca.conf - Example root CA configuration
|
||||||
|
|
|
||||||
65
rootca.conf
Normal file
65
rootca.conf
Normal file
|
|
@ -0,0 +1,65 @@
|
||||||
|
# Example root CA configuration
|
||||||
|
# this CA should only be used to sign sub CAs
|
||||||
|
#
|
||||||
|
# Author: Jan Dittberner <jan@dittberner.info>
|
||||||
|
# Date: 2011-05-03
|
||||||
|
|
||||||
|
RANDFILE = $ENV::HOME/rootca/.rnd
|
||||||
|
|
||||||
|
extensions = v3_ext
|
||||||
|
|
||||||
|
[ ca ]
|
||||||
|
default_ca = EXAMPLEROOT # name of the default CA section
|
||||||
|
|
||||||
|
[ EXAMPLEROOT ]
|
||||||
|
dir = $ENV::HOME/rootca
|
||||||
|
certs = $dir/certs
|
||||||
|
crl_dir = $dir/crl
|
||||||
|
database = $dir/index.txt
|
||||||
|
new_certs_dir = $dir/newcerts
|
||||||
|
|
||||||
|
certificate = $dir/ca.crt.pem
|
||||||
|
serial = $dir/serial
|
||||||
|
crl = $dir/crl.pem
|
||||||
|
private_key = $dir/private/ca.key.pem
|
||||||
|
RANDFILE = $dir/private/.rand
|
||||||
|
unique_subject = no
|
||||||
|
|
||||||
|
email_in_dn = no
|
||||||
|
policy = policy_exampleroot
|
||||||
|
x509_extensions = subca_cert
|
||||||
|
|
||||||
|
# certificates are valid for 5 years
|
||||||
|
default_days = 1825
|
||||||
|
default_crl_days= 30
|
||||||
|
default_md = sha256
|
||||||
|
|
||||||
|
copy_extensions = copy
|
||||||
|
|
||||||
|
[ policy_exampleroot ]
|
||||||
|
countryName = match
|
||||||
|
stateOrProvinceName = match
|
||||||
|
organizationName = match
|
||||||
|
organizationalUnitName = supplied
|
||||||
|
commonName = supplied
|
||||||
|
emailAddress = optional
|
||||||
|
|
||||||
|
[ subca_cert ]
|
||||||
|
basicConstraints = critical, CA:true, pathlen:0
|
||||||
|
keyUsage = critical, keyCertSign,cRLSign
|
||||||
|
nsComment = "Example Root CA signed Sub CA certificate"
|
||||||
|
|
||||||
|
# PKIX recommendations harmless if included in all certificates.
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid:always,issuer:always
|
||||||
|
|
||||||
|
# Include email address in subject alt name: another PKIX recommendation
|
||||||
|
subjectAltName = email:copy
|
||||||
|
issuerAltName = issuer:copy
|
||||||
|
|
||||||
|
[ crl_ext ]
|
||||||
|
# CRL extensions.
|
||||||
|
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||||
|
|
||||||
|
# issuerAltName=issuer:copy
|
||||||
|
authorityKeyIdentifier = keyid:always,issuer:always
|
||||||
Loading…
Reference in a new issue