OpenSSL configuration examples

  # Example root CA configuration
  # This CA should only be used to sign sub CAs.
  #
  # Author: Jan Dittberner <jan@dittberner.info>
  # Date: 2015-02-03
  #
  # The two keys below sit in the default (unnamed) section, before any
  # [ section ] header.

  # Random seed file, kept under the invoking user's home directory.
  RANDFILE = $ENV::HOME/rootca/.rnd

  # NOTE(review): no [ v3_ext ] section appears in this listing, so this
  # reference looks dangling -- confirm whether it is still needed.
  extensions = v3_ext
  [ ca ]
  # Name of the default CA section, used when "openssl ca" is run without -name.
  default_ca = EXAMPLEROOT
  [ EXAMPLEROOT ]
  # Working directory of the root CA; every path below is derived from it.
  dir = $ENV::HOME/rootca

  # Issued certificates, CRLs, the index database and the serial counter.
  certs = $dir/certs
  crl_dir = $dir/crl
  database = $dir/index.txt
  new_certs_dir = $dir/newcerts
  certificate = $dir/ca.crt.pem
  serial = $dir/serial
  crl = $dir/crl.pem

  # Root CA signing key. Anyone who can read this file can issue sub CA
  # certificates under this root, so $dir/private should be accessible to the
  # CA operator only.
  private_key = $dir/private/ca.key.pem
  RANDFILE = $dir/private/.rand

  # "no" allows several valid certificates with the same subject DN.
  unique_subject = no
  # "no" keeps the emailAddress field out of the issued certificate's subject DN.
  email_in_dn = no

  # Subject DN rules and the extension section applied to every issued certificate.
  policy = policy_exampleroot
  x509_extensions = subca_cert

  # certificates are valid for 5 years
  default_days = 1825
  # A CRL is stale 30 days after it was issued, so it has to be regenerated
  # before that even when nothing has been revoked.
  default_crl_days = 30
  default_md = sha256

  # NOTE(review): "copy" adds every extension from the request that
  # [ subca_cert ] does not set itself. basicConstraints and keyUsage are fixed
  # there, but anything else the requester put into the CSR ends up in the
  # sub CA certificate -- inspect each request before signing, or use "none".
  copy_extensions = copy
  [ policy_exampleroot ]
  # Rules for the subject DN of a request:
  #   match    - the field must equal the same field in the CA certificate
  #   supplied - the field must be present in the request
  #   optional - the field may be present
  # Country, state and organization therefore have to be identical to the
  # root CA's own values.
  countryName = match
  stateOrProvinceName = match
  organizationName = match
  organizationalUnitName = supplied
  commonName = supplied
  emailAddress = optional
  [ subca_cert ]
  # Extensions written into every certificate this root CA signs.

  # The issued certificate is a CA certificate; pathlen:0 means it may not
  # have further CA certificates below it.
  basicConstraints = critical, CA:true, pathlen:0
  # The sub CA key may only sign certificates and CRLs.
  keyUsage = critical, keyCertSign, cRLSign
  # Free-text comment; informational only.
  nsComment = "Example Root CA signed Sub CA certificate"

  # PKIX recommendations harmless if included in all certificates.
  subjectKeyIdentifier = hash
  # NOTE(review): issuer:always also records the root certificate's issuer name
  # and serial number. If the root certificate is ever re-issued with the same
  # key, that recorded serial no longer matches -- confirm this is intended.
  authorityKeyIdentifier = keyid:always,issuer:always

  # Include email address in subject alt name: another PKIX recommendation
  subjectAltName = email:copy
  # Copy the issuer's subject alternative name into the issuer alt name.
  issuerAltName = issuer:copy
  [ crl_ext ]
  # CRL extensions.
  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  #
  # NOTE(review): [ EXAMPLEROOT ] in this file has no crl_extensions key, so
  # this section is only applied when it is selected explicitly (for example
  # with "openssl ca -crlexts crl_ext") -- confirm how CRLs are generated.

  # Disabled example: copy the issuer's alternative names into the CRL.
  # issuerAltName=issuer:copy
  authorityKeyIdentifier = keyid:always,issuer:always