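# Example Sub CA configuration
# this CA should be used to sign client and server certificates
#
# Read by `openssl ca -config subca.conf`.  The extension section is chosen
# per certificate type: client_cert is the default (x509_extensions below),
# server certificates are signed with `-extensions server_cert`.
#
# Author: Jan Dittberner <jan@dittberner.info>
# Date: 2015-02-03

# PRNG seed file; $ENV::HOME is taken from the environment at run time.
RANDFILE = $ENV::HOME/subca/.rnd
# NOTE(review): no [ v3_ext ] section exists in this file.  This key is only
# consulted when the file is passed as an -extfile, not by `openssl ca`.
extensions = v3_ext

[ ca ]
# name of the default CA section
default_ca = EXAMPLESUBCA

[ EXAMPLESUBCA ]
dir = $ENV::HOME/subca
certs = $dir/certs
crl_dir = $dir/crl
# index of issued certificates; must exist before the first signing run
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt.pem
serial = $dir/serial
crl = $dir/crl.pem
# CA signing key; keep $dir/private accessible to the CA operator only
private_key = $dir/private/ca.key.pem
RANDFILE = $dir/private/.rand
# allow several valid certificates with the same subject (e.g. renewals)
unique_subject = no
# remove emailAddress from the issued subject DN; the *_cert sections
# carry it in subjectAltName instead
email_in_dn = no
policy = policy_examplesub
# extension section used when -extensions is not given on the command line
x509_extensions = client_cert
# certificates are valid for 1 year
default_days = 365
# a CRL expires after 1 day, so `openssl ca -gencrl` has to run at least daily
default_crl_days = 1
default_md = sha256
# Copy extensions from the CSR into the certificate.  An extension that is
# also set in the selected *_cert section takes precedence over the request,
# so a CSR cannot obtain CA:true or a different keyUsage/extendedKeyUsage
# this way.  Any other extension in the CSR (e.g. subjectAltName for server
# certificates) is copied as requested and must be reviewed before signing.
copy_extensions = copy

[ policy_examplesub ]
# match: must equal the value in the CA certificate
# supplied: must be present in the request; optional: may be present
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

[ client_cert ]
# Extensions for client (user) certificates; used by default.
basicConstraints = critical, CA:false
keyUsage = keyEncipherment,digitalSignature
extendedKeyUsage = clientAuth
nsComment = "Example Sub CA signed client certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
# NOTE(review): keyid alone is the RFC 5280 form; issuer:always additionally
# pins the CA certificate's issuer name and serial number, which can break
# chain building if the CA certificate is ever reissued under the same key.
# `keyid:always,issuer` is the more common choice; the same applies in
# server_cert and crl_ext below.
authorityKeyIdentifier = keyid:always,issuer:always
# Include email address in subject alt name: another PKIX recommendation.
# The address dropped from the DN by email_in_dn = no ends up here.
subjectAltName = email:copy
issuerAltName = issuer:copy

[ server_cert ]
# Extensions for TLS server certificates; select with -extensions server_cert.
basicConstraints = critical, CA:false
keyUsage = keyEncipherment,digitalSignature
extendedKeyUsage = serverAuth
nsComment = "Example Sub CA signed server certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# subjectAltName is deliberately not set here.  With copy_extensions = copy
# the dNSName / IP entries requested in the CSR are copied into the
# certificate; setting subjectAltName = email:copy in this section would
# replace the requested SAN with the e-mail address only, leaving the server
# certificate without the host names TLS clients validate against.
# Check the SAN entries of every server CSR before signing it.
issuerAltName = issuer:copy

[ crl_ext ]
# CRL extensions; select with `openssl ca -gencrl -crlexts crl_ext`.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always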