blob: 356662661a1c93178f6c366fae52e9822916c516 [file] [log] [blame]
# Defaults in the event they're not set in the environment
CA_DIR = out
KEY_SIZE = 2048
ALGO = sha256
CERT_TYPE = root
CA_NAME = req_env_dn
CA_COMMON_NAME = Test Root CA
[ca]
default_ca = CA_root
preserve = yes
# The default test root, used to generate certificates and CRLs.
[CA_root]
dir = $ENV::CA_DIR
key_size = $ENV::KEY_SIZE
algo = $ENV::ALGO
cert_type = $ENV::CERT_TYPE
type = $key_size-$algo-$cert_type
database = $dir/$type-index.txt
new_certs_dir = $dir
serial = $dir/$type-serial
certificate = $dir/$type.pem
private_key = $dir/$type.key
RANDFILE = $dir/.rand
default_days = 3650
default_crl_days = 30
default_md = sha256
policy = policy_anything
unique_subject = no
copy_extensions = copy
[user_cert]
# Extensions to add when signing a request for an EE cert
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth
[name_constraint_bad]
# A leaf cert that will violate the root's imposed name constraints
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @san_name_constraint_bad
[name_constraint_good]
# A leaf cert that will match the root's imposed name constraints
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @san_name_constraint_good
[san_name_constraint_bad]
DNS.1 = test.ExAmPlE.CoM
DNS.2 = test.ExAmPlE.OrG
[san_name_constraint_good]
DNS.1 = test.ExAmPlE.CoM
DNS.2 = example.notarealtld
DNS.3 = *.test2.ExAmPlE.CoM
DNS.4 = *.example2.notarealtld
[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always
keyUsage = critical, keyCertSign, cRLSign
[crl_extensions]
# Extensions to add when signing a CRL
authorityKeyIdentifier = keyid:always
[policy_anything]
# Default signing policy
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[req]
# The request section used to generate the root CA certificate. This should
# not be used to generate end-entity certificates. For certificates other
# than the root CA, see README to find the appropriate configuration file
# (ie: openssl_cert.cnf).
default_bits = $ENV::KEY_SIZE
default_md = sha256
string_mask = utf8only
prompt = no
encrypt_key = no
distinguished_name = $ENV::CA_NAME
x509_extensions = req_ca_exts
[req_ca_dn]
C = US
ST = California
L = Mountain View
O = Test CA
CN = Test Root CA
[req_intermediate_dn]
C = US
ST = California
L = Mountain View
O = Test CA
CN = Test Intermediate CA
[req_env_dn]
CN = $ENV::CA_COMMON_NAME
[req_ca_exts]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash