- # Example root CA configuration
- # this CA should only be used to sign sub CAs
- #
- # Author: Jan Dittberner <jan@dittberner.info>
- # Date: 2015-02-03
-
- RANDFILE = $ENV::HOME/rootca/.rnd
-
- extensions = v3_ext
-
- [ ca ]
- default_ca = EXAMPLEROOT # name of the default CA section
-
- [ EXAMPLEROOT ]
- dir = $ENV::HOME/rootca
- certs = $dir/certs
- crl_dir = $dir/crl
- database = $dir/index.txt
- new_certs_dir = $dir/newcerts
-
- certificate = $dir/ca.crt.pem
- serial = $dir/serial
- crl = $dir/crl.pem
- private_key = $dir/private/ca.key.pem
- RANDFILE = $dir/private/.rand
- unique_subject = no
-
- email_in_dn = no
- policy = policy_exampleroot
- x509_extensions = subca_cert
-
- # certificates are valid for 5 years
- default_days = 1825
- default_crl_days= 30
- default_md = sha256
-
- copy_extensions = copy
-
- [ policy_exampleroot ]
- countryName = match
- stateOrProvinceName = match
- organizationName = match
- organizationalUnitName = supplied
- commonName = supplied
- emailAddress = optional
-
- [ subca_cert ]
- basicConstraints = critical, CA:true, pathlen:0
- keyUsage = critical, keyCertSign,cRLSign
- nsComment = "Example Root CA signed Sub CA certificate"
-
- # PKIX recommendations harmless if included in all certificates.
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always,issuer:always
-
- # Include email address in subject alt name: another PKIX recommendation
- subjectAltName = email:copy
- issuerAltName = issuer:copy
-
- [ crl_ext ]
- # CRL extensions.
- # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
- # issuerAltName=issuer:copy
- authorityKeyIdentifier = keyid:always,issuer:always