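# OpenSSL configuration file for Hotspot 2.0 PKI (Root CA)
#
# Read by openssl(1) 'ca' and 'req' (OpenSSL config syntax: '#' starts a
# comment, also after a value; $name and $ENV::name are expanded by the
# config parser). Relative paths resolve against the working directory.

HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]

#logotypeoid=1.3.6.1.5.5.7.1.12

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./rootCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# unique_subject defaults to 'yes' when left commented out, so a second
# certificate with an identical subject is refused until the first is revoked.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

# NOTE(review): no [ usr_cert ] section is defined in this file, so this
# default only works if every 'ca' invocation overrides it with -extensions
# (or the section is added) -- confirm against the setup script.
x509_extensions = usr_cert # The extensions to add to the cert

name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# validity of certificates issued by this CA, in days
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering

policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# NOTE(review): these passphrases protect the CA private key and are stored
# here in clear text; anyone who can read this file can use the key. Keep the
# file permissions tight and prefer supplying the passphrase at run time
# (e.g. -passin/-passout) for anything beyond a test PKI.
input_password = whatever
output_password = whatever

string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2

localityName = Locality Name (eg, city)
localityName_default = Tuusula

0.organizationName = Organization Name (eg, company)
0.organizationName_default = WFA Hotspot 2.0

##organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
# @OU@ / @CN@ below look like template markers that a generator replaces
# before openssl reads this file -- confirm; they are inert comments otherwise.
#@OU@

commonName = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# example hostnames; the real SAN list must match the server being certified
subjectAltName=DNS:example.com,DNS:another.example.com

[ v3_ca ]

# Hotspot 2.0 PKI requirements
subjectKeyIdentifier=hash
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign

[ crl_ext ]

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ v3_OCSP ]

# OCSP responder certificate: end-entity only, restricted to OCSP signing
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning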