add example root ca configuration

Jan Dittberner 2011-05-03 20:15:04 +02:00
parent 28925793fc
commit 4df618e834
2 changed files with 69 additions and 0 deletions

4
README

@ -1 +1,5 @@
This directory contains various OpenSSL configuration examples and scripts.
Configuration files:
- rootca.conf - Example root CA configuration

65
rootca.conf Normal file

@ -0,0 +1,65 @@
# Example root CA configuration
# this CA should only be used to sign sub CAs
#
# Author: Jan Dittberner <jan@dittberner.info>
# Date: 2011-05-03
RANDFILE = $ENV::HOME/rootca/.rnd
extensions = v3_ext
[ ca ]
default_ca = EXAMPLEROOT # name of the default CA section
[ EXAMPLEROOT ]
dir = $ENV::HOME/rootca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/ca.key.pem
RANDFILE = $dir/private/.rand
unique_subject = no
email_in_dn = no
policy = policy_exampleroot
x509_extensions = subca_cert
# certificates are valid for 5 years
default_days = 1825
default_crl_days= 30
default_md = sha256
copy_extensions = copy
[ policy_exampleroot ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional
[ subca_cert ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign,cRLSign
nsComment = "Example Root CA signed Sub CA certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Include email address in subject alt name: another PKIX recommendation
subjectAltName = email:copy
issuerAltName = issuer:copy
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
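Review bot: `copy_extensions = copy` in `[ EXAMPLEROOT ]` copies every extension from a sub-CA request that `[ subca_cert ]` does not set itself (for example `extendedKeyUsage`, `nameConstraints` or `certificatePolicies`) into a certificate signed by the root key, so the requester rather than the CA's own profile decides part of what the sub CA is allowed to do. For a root that only signs sub CAs I would set `copy_extensions = none` and list every wanted extension explicitly in `[ subca_cert ]`. Separately, `[ crl_ext ]` is defined but none of the visible `[ EXAMPLEROOT ]` lines refers to it, so `openssl ca -gencrl` would not apply it unless `crl_extensions = crl_ext` is added there or `-crlexts crl_ext` is passed. The top-level `extensions = v3_ext` also names a section that does not appear in the visible part of the file.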