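# OpenSSL configuration for a test certificate authority: the [ca] sections
# drive `openssl ca` (signing certificates and CRLs), the [req] sections drive
# `openssl req` (generating requests).
#
# Values of the form ${ENV::NAME} are read from the environment when the file
# is loaded. This file references three such variables:
#   CA_DIR          - output directory (falls back to the default below)
#   CERTIFICATE     - base name of the CA's index, serial, cert and key files
#   CA_COMMON_NAME  - common name placed in generated requests
# No fallback is defined here for CERTIFICATE or CA_COMMON_NAME, so they have
# to be set by the caller.
#
# The settings below are tuned for generating test fixtures (unencrypted keys,
# a permissive signing policy, long validity); review each one before reusing
# this file for a CA whose certificates are trusted outside a test environment.

# Default-section value, used for ${ENV::CA_DIR} when the environment variable
# is not set.
CA_DIR = out

[ca]
default_ca = CA_root
# Keep the subject DN in the order given by the request instead of reordering
# it to match the policy section.
preserve = yes

# The default test root, used to generate certificates and CRLs.
[CA_root]
dir = ${ENV::CA_DIR}
database = ${dir}/${ENV::CERTIFICATE}-index.txt
new_certs_dir = ${dir}
serial = ${dir}/${ENV::CERTIFICATE}-serial
certificate = ${dir}/${ENV::CERTIFICATE}.pem
# CA signing key. It sits in the same directory as the issued certificates,
# so access to ${dir} is access to the CA key.
private_key = ${dir}/${ENV::CERTIFICATE}.key
RANDFILE = ${dir}/rand
# Issued certificates are valid for 3650 days (about ten years).
default_days = 3650
# CRLs are valid for 30 days from issuance.
default_crl_days = 30
default_md = sha256
policy = policy_anything
# Allow several valid entries in the database to share the same subject.
unique_subject = no

[user_cert]
# Extensions to add when signing a request for an EE cert
# This section sets neither keyUsage nor subjectAltName; a caller that needs
# either has to supply it elsewhere.
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# The same certificate is usable for both TLS server and TLS client auth.
extendedKeyUsage = serverAuth,clientAuth

[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
# No pathlen is given, so this section places no limit on how many further
# CA certificates may be chained below the issued one.
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
# NOTE(review): left disabled in the original; presumably because
# keyid:always cannot be satisfied when this section is used for a
# self-signed root - confirm before enabling.
#authorityKeyIdentifier = keyid:always
keyUsage = critical, keyCertSign, cRLSign

[crl_extensions]
# Extensions to add when signing a CRL
authorityKeyIdentifier = keyid:always

[policy_anything]
# Default signing policy
# Every field is optional: no subject field is required, and none has to
# match the CA's own subject. The CA therefore signs whatever subject the
# request carries, so the requester fully controls the issued name.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[req]
# The request section used to generate certificate requests.
default_bits = 2048
default_md = sha256
string_mask = utf8only
# Take the subject from [req_env_dn] instead of prompting interactively.
prompt = no
# Newly generated private keys are written without passphrase encryption;
# their confidentiality depends entirely on filesystem permissions.
encrypt_key = no
distinguished_name = req_env_dn

[req_env_dn]
CN = ${ENV::CA_COMMON_NAME}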