# Example Sub CA configuration
# this CA should be used to sign client and server certificates
#
# Author: Jan Dittberner
# Date: 2015-02-03
#
# This is an OpenSSL configuration file, not generic INI: $ENV::HOME and $dir
# are expanded by OpenSSL's conf parser at read time, so `dir` must be assigned
# before any line that references it. Presumably used as
# `openssl ca -config <this file> -name EXAMPLESUBCA`, with the extension
# section chosen per request via `-extensions client_cert|server_cert`
# (inferred from the section names; not stated in the file).

# Seed file for the top-level (non-CA) operations
RANDFILE = $ENV::HOME/subca/.rnd
# Default extension section for tools that read `extensions` from the default
# section (e.g. `openssl x509 -extfile`).
# NOTE(review): no [ v3_ext ] section exists in this file; confirm it is
# defined elsewhere or that this key is unused.
extensions = v3_ext

[ ca ]
# name of the default CA section
default_ca = EXAMPLESUBCA

[ EXAMPLESUBCA ]
# Base directory; must come first because $dir is expanded on the lines below.
dir = $ENV::HOME/subca
certs = $dir/certs
crl_dir = $dir/crl
# text index of issued certificates (the CA database)
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt.pem
serial = $dir/serial
crl = $dir/crl.pem
# CA signing key; the private/ directory should not be readable by other users
private_key = $dir/private/ca.key.pem
# overrides the top-level RANDFILE for CA operations
RANDFILE = $dir/private/.rand
# allow several valid certificates with the same subject
# (e.g. a renewal issued before the previous certificate expires)
unique_subject = no
# keep the email address out of the subject DN; the extension sections below
# put it into subjectAltName instead
email_in_dn = no
policy = policy_examplesub
# default extension section; selectable per request with -extensions
x509_extensions = client_cert
# certificates are valid for 1 year
default_days = 365
# CRL validity in days: a fresh CRL has to be generated at least daily
default_crl_days= 1
default_md = sha256
# Extensions present in the request but NOT set in the selected extension
# section are copied into the certificate. Values set in that section
# (basicConstraints, keyUsage, extendedKeyUsage, subjectAltName, ...) take
# precedence, so a request cannot e.g. turn CA:true on. Any other extension a
# request carries is copied as-is, so review request extensions before signing.
copy_extensions = copy

[ policy_examplesub ]
# match    = must equal the corresponding value in the CA certificate
# supplied = must be present in the request
# optional = may be present
# With OpenSSL's default (preserve = no) the subject DN of issued certificates
# is assembled in this order — keep the order stable.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

[ client_cert ]
# Extensions for end-entity client certificates (default via x509_extensions).
# Not a CA: because this value is set here, a CA:true request is ignored under
# copy_extensions = copy.
basicConstraints = critical, CA:false
# NOTE(review): keyUsage is not marked critical here; RFC 5280 recommends
# critical. Confirm before changing, as it affects relying-party behaviour.
keyUsage = keyEncipherment,digitalSignature
extendedKeyUsage = clientAuth
# legacy Netscape comment extension, informational only
nsComment = "Example Sub CA signed client certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Include email address in subject alt name: another PKIX recommendation
# email:copy takes the address from the request's subject name (it is removed
# from the certificate DN by email_in_dn = no).
subjectAltName = email:copy
issuerAltName = issuer:copy

[ server_cert ]
# Extensions for end-entity server certificates (select with
# -extensions server_cert).
basicConstraints = critical, CA:false
keyUsage = keyEncipherment,digitalSignature
extendedKeyUsage = serverAuth
# legacy Netscape comment extension, informational only
nsComment = "Example Sub CA signed server certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Include email address in subject alt name: another PKIX recommendation
# NOTE(review): because subjectAltName is set here, a dNSName SAN in the
# request is not copied, so as written server certificates carry only the
# email SAN. Confirm this is intended for clients that validate hostnames.
subjectAltName = email:copy
issuerAltName = issuer:copy

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# This section is not referenced from [ EXAMPLESUBCA ] (no crl_extensions
# key); presumably selected with `openssl ca -gencrl -crlexts crl_ext`.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always