OpenSSL configuration examples

subca.conf 2.3KB

  1. # Example Sub CA configuration
  2. # this CA should be used to sign client and server certificates
  3. #
  4. # Author: Jan Dittberner <jan@dittberner.info>
  5. # Date: 2015-02-03
  6. RANDFILE = $ENV::HOME/subca/.rnd
  7. extensions = v3_ext
  8. [ ca ]
  9. default_ca = EXAMPLESUBCA # name of the default CA section
  10. [ EXAMPLESUBCA ]
  11. dir = $ENV::HOME/subca
  12. certs = $dir/certs
  13. crl_dir = $dir/crl
  14. database = $dir/index.txt
  15. new_certs_dir = $dir/newcerts
  16. certificate = $dir/ca.crt.pem
  17. serial = $dir/serial
  18. crl = $dir/crl.pem
  19. private_key = $dir/private/ca.key.pem
  20. RANDFILE = $dir/private/.rand
  21. unique_subject = no
  22. email_in_dn = no
  23. policy = policy_examplesub
  24. x509_extensions = client_cert
  25. # certificates are valid for 1 year
  26. default_days = 365
  27. default_crl_days= 1
  28. default_md = sha256
  29. copy_extensions = copy
  30. [ policy_examplesub ]
  31. countryName = match
  32. stateOrProvinceName = match
  33. organizationName = match
  34. organizationalUnitName = supplied
  35. commonName = supplied
  36. emailAddress = optional
  37. [ client_cert ]
  38. basicConstraints = critical, CA:false
  39. keyUsage = keyEncipherment,digitalSignature
  40. extendedKeyUsage = clientAuth
  41. nsComment = "Example Sub CA signed client certificate"
  42. # PKIX recommendations harmless if included in all certificates.
  43. subjectKeyIdentifier = hash
  44. authorityKeyIdentifier = keyid:always,issuer:always
  45. # Include email address in subject alt name: another PKIX recommendation
  46. subjectAltName = email:copy
  47. issuerAltName = issuer:copy
  48. [ server_cert ]
  49. basicConstraints = critical, CA:false
  50. keyUsage = keyEncipherment,digitalSignature
  51. extendedKeyUsage = serverAuth
  52. nsComment = "Example Sub CA signed server certificate"
  53. # PKIX recommendations harmless if included in all certificates.
  54. subjectKeyIdentifier = hash
  55. authorityKeyIdentifier = keyid:always,issuer:always
  56. # Include email address in subject alt name: another PKIX recommendation
  57. subjectAltName = email:copy
  58. issuerAltName = issuer:copy
  59. [ crl_ext ]
  60. # CRL extensions.
  61. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  62. # issuerAltName=issuer:copy
  63. authorityKeyIdentifier = keyid:always,issuer:always