| # Defaults in the event they're not set in the environment |
| CA_DIR = out |
| KEY_SIZE = 2048 |
| ALGO = sha256 |
| CERT_TYPE = root |
| CA_NAME = req_env_dn |
| CA_COMMON_NAME = Test Root CA |
| |
| [ca] |
| default_ca = CA_root |
| preserve = yes |
| |
| # The default test root, used to generate certificates and CRLs. |
| [CA_root] |
| dir = $ENV::CA_DIR |
| key_size = $ENV::KEY_SIZE |
| algo = $ENV::ALGO |
| cert_type = $ENV::CERT_TYPE |
| type = $key_size-$algo-$cert_type |
| database = $dir/$type-index.txt |
| new_certs_dir = $dir |
| serial = $dir/$type-serial |
| certificate = $dir/$type.pem |
| private_key = $dir/$type.key |
| RANDFILE = $dir/.rand |
| default_days = 3650 |
| default_crl_days = 30 |
| default_md = sha256 |
| policy = policy_anything |
| unique_subject = no |
| copy_extensions = copy |
| |
| [user_cert] |
| # Extensions to add when signing a request for an EE cert |
| basicConstraints = critical, CA:false |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always |
| extendedKeyUsage = serverAuth,clientAuth |
| |
| [name_constraint_bad] |
| # A leaf cert that will violate the root's imposed name constraints |
| basicConstraints = critical, CA:false |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always |
| extendedKeyUsage = serverAuth,clientAuth |
| subjectAltName = @san_name_constraint_bad |
| |
| [name_constraint_good] |
| # A leaf cert that will match the root's imposed name constraints |
| basicConstraints = critical, CA:false |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always |
| extendedKeyUsage = serverAuth,clientAuth |
| subjectAltName = @san_name_constraint_good |
| |
| [san_name_constraint_bad] |
| DNS.1 = test.ExAmPlE.CoM |
| DNS.2 = test.ExAmPlE.OrG |
| |
| [san_name_constraint_good] |
| DNS.1 = test.ExAmPlE.CoM |
| DNS.2 = example.notarealtld |
| DNS.3 = *.test2.ExAmPlE.CoM |
| DNS.4 = *.example2.notarealtld |
| |
| [ca_cert] |
| # Extensions to add when signing a request for an intermediate/CA cert |
| basicConstraints = critical, CA:true |
| subjectKeyIdentifier = hash |
| #authorityKeyIdentifier = keyid:always |
| keyUsage = critical, keyCertSign, cRLSign |
| |
| [crl_extensions] |
| # Extensions to add when signing a CRL |
| authorityKeyIdentifier = keyid:always |
| |
| [policy_anything] |
| # Default signing policy |
| countryName = optional |
| stateOrProvinceName = optional |
| localityName = optional |
| organizationName = optional |
| organizationalUnitName = optional |
| commonName = optional |
| emailAddress = optional |
| |
| [req] |
| # The request section used to generate the root CA certificate. This should |
| # not be used to generate end-entity certificates. For certificates other |
| # than the root CA, see README to find the appropriate configuration file |
| # (ie: openssl_cert.cnf). |
| default_bits = $ENV::KEY_SIZE |
| default_md = sha256 |
| string_mask = utf8only |
| prompt = no |
| encrypt_key = no |
| distinguished_name = $ENV::CA_NAME |
| x509_extensions = req_ca_exts |
| |
| [req_ca_dn] |
| C = US |
| ST = California |
| L = Mountain View |
| O = Test CA |
| CN = Test Root CA |
| |
| [req_intermediate_dn] |
| C = US |
| ST = California |
| L = Mountain View |
| O = Test CA |
| CN = Test Intermediate CA |
| |
| [req_env_dn] |
| CN = $ENV::CA_COMMON_NAME |
| |
| [req_ca_exts] |
| basicConstraints = critical, CA:true |
| keyUsage = critical, keyCertSign, cRLSign |
| subjectKeyIdentifier = hash |