# Defaults in the event they're not set in the environment CA_DIR = out KEY_SIZE = 2048 ALGO = sha256 CERT_TYPE = root CA_NAME = req_env_dn [ca] default_ca = CA_root preserve = yes # The default test root, used to generate certificates and CRLs. [CA_root] dir = $ENV::CA_DIR key_size = $ENV::KEY_SIZE algo = $ENV::ALGO cert_type = $ENV::CERT_TYPE type = $key_size-$algo-$cert_type database = $dir/$type-index.txt new_certs_dir = $dir serial = $dir/$type-serial certificate = $dir/$type.pem private_key = $dir/$type.key RANDFILE = $dir/.rand default_days = 3650 default_crl_days = 30 default_md = sha256 policy = policy_anything unique_subject = no copy_extensions = copy [user_cert] # Extensions to add when signing a request for an EE cert basicConstraints = critical, CA:false subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always extendedKeyUsage = serverAuth,clientAuth [name_constraint_bad] # A leaf cert that will violate the root's imposed name constraints basicConstraints = critical, CA:false subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always extendedKeyUsage = serverAuth,clientAuth subjectAltName = @san_name_constraint_bad [name_constraint_good] # A leaf cert that will match the root's imposed name constraints basicConstraints = critical, CA:false subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always extendedKeyUsage = serverAuth,clientAuth subjectAltName = @san_name_constraint_good [san_name_constraint_bad] DNS.1 = test.ExAmPlE.CoM DNS.2 = test.ExAmPlE.OrG [san_name_constraint_good] DNS.1 = test.ExAmPlE.CoM DNS.2 = example.notarealtld [ca_cert] # Extensions to add when signing a request for an intermediate/CA cert basicConstraints = critical, CA:true subjectKeyIdentifier = hash #authorityKeyIdentifier = keyid:always keyUsage = critical, keyCertSign, cRLSign [crl_extensions] # Extensions to add when signing a CRL authorityKeyIdentifier = keyid:always [policy_anything] # Default signing policy countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = optional emailAddress = optional [req] # The request section used to generate the root CA certificate. This should # not be used to generate end-entity certificates. For certificates other # than the root CA, see README to find the appropriate configuration file # (ie: openssl_cert.cnf). default_bits = $ENV::KEY_SIZE default_md = sha256 string_mask = utf8only prompt = no encrypt_key = no distinguished_name = $ENV::CA_NAME x509_extensions = req_ca_exts [req_ca_dn] C = US ST = California L = Mountain View O = Test CA CN = Test Root CA [req_intermediate_dn] C = US ST = California L = Mountain View O = Test CA CN = Test Intermediate CA [req_env_dn] CN = $ENV::CA_COMMON_NAME [req_ca_exts] basicConstraints = critical, CA:true keyUsage = critical, keyCertSign, cRLSign subjectKeyIdentifier = hash