osslconfexamples/rootca.conf


# Example root CA configuration
# this CA should only be used to sign sub CAs
#
# Author: Jan Dittberner <jan@dittberner.info>
# Date: 2015-02-03
# Default (unnamed) section: these keys sit before any [ section ] header.
# Random seed file, kept below the home directory of the user running OpenSSL.
RANDFILE = $ENV::HOME/rootca/.rnd
# Points at an extension section called v3_ext.
# NOTE(review): no [ v3_ext ] section appears in the part of the file shown
# here; confirm it is defined or that nothing relies on this key.
extensions = v3_ext
# Entry section for "openssl ca": it only selects which CA section is used
# when no other CA section is named.
[ ca ]
default_ca = EXAMPLEROOT # name of the default CA section
# Root CA definition: where the CA state lives and the defaults applied to
# every certificate and CRL it issues.
[ EXAMPLEROOT ]
# Base directory; every path below is derived from it via $dir.
dir = $ENV::HOME/rootca
certs = $dir/certs
crl_dir = $dir/crl
# Text database of issued certificates and their status.
database = $dir/index.txt
# Directory that receives a copy of each newly issued certificate.
new_certs_dir = $dir/newcerts
# The root CA certificate itself.
certificate = $dir/ca.crt.pem
# File holding the next serial number to assign.
serial = $dir/serial
crl = $dir/crl.pem
# Root CA private key. Everything this CA signs depends on this file staying
# secret; keep $dir/private readable by the CA operator only.
private_key = $dir/private/ca.key.pem
RANDFILE = $dir/private/.rand
# "no" lets several valid certificates share the same subject DN.
unique_subject = no
# "no" keeps the e-mail address out of the issued subject DN; subca_cert
# puts it into subjectAltName instead (email:copy).
email_in_dn = no
# DN policy section that every request is checked against.
policy = policy_exampleroot
# Extension section applied to each issued certificate.
x509_extensions = subca_cert
# certificates are valid for 5 years
default_days = 1825
# Each CRL names a next update 30 days after issue, so a fresh CRL has to be
# generated and published before that date.
default_crl_days= 30
default_md = sha256
# "copy" adds every extension found in the request that subca_cert does not
# already set. basicConstraints and keyUsage below are therefore fixed by the
# CA, but any other extension the requester includes ends up in the signed
# certificate.
# NOTE(review): inspect each request's extensions before signing, or set this
# to "none" if sub CA requests are not expected to carry extensions.
copy_extensions = copy
# Subject DN policy for requests signed by this CA.
#   match    - the field must equal the same field in the CA certificate
#   supplied - the field must be present in the request
#   optional - the field may be present
[ policy_exampleroot ]
# Country, state and organization must be identical to the root CA's, which
# limits this CA to sub CAs inside the same organization.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional
# Extensions written into every certificate this root CA issues
# (selected by x509_extensions in [ EXAMPLEROOT ]).
[ subca_cert ]
# Issued certificates are CA certificates; pathlen:0 means no further CA
# certificate may follow them in a chain, so a sub CA can sign end-entity
# certificates only. Marked critical so verifiers must honour it.
basicConstraints = critical, CA:true, pathlen:0
# Key may only sign certificates and CRLs.
keyUsage = critical, keyCertSign,cRLSign
# Free-text Netscape comment; informational only.
nsComment = "Example Root CA signed Sub CA certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
# Always embed the issuer's key identifier and its issuer name plus serial.
# NOTE(review): issuer:always ties issued certificates to the root's current
# serial number; presumably acceptable here, confirm if the root certificate
# may ever be re-issued with the same key.
authorityKeyIdentifier = keyid:always,issuer:always
# Include email address in subject alt name: another PKIX recommendation
subjectAltName = email:copy
# Copies the subject alternative names of the issuer certificate, if it has any.
issuerAltName = issuer:copy
# NOTE(review): nothing in the visible [ EXAMPLEROOT ] section references this
# section (there is no crl_extensions key), so it presumably takes effect only
# when selected explicitly, e.g. with -crlexts crl_ext; confirm the intent.
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
# Identifies the signing CA key so verifiers can match the CRL to its issuer.
authorityKeyIdentifier = keyid:always,issuer:always