# OpenSSL root CA configuration file.
# Copy to `/root/ca/openssl.cnf`. The `dir` values in the CA sections below are
# relative (`./rootca`, `./intermediate`), so they resolve against the working
# directory of the `openssl` process, not against this file's location: run
# `openssl ca` from `/root/ca`, or make the paths absolute.
# The `[ ca ]` section sets no `default_ca`, so the issuing CA must be named on
# the command line: `openssl ca -config openssl.cnf -name RootCA ...` or
# `-name IntermediateCA ...`.

[ ca ]
# `man ca`
# Deliberately no `default_ca`: `openssl ca` has to be told which CA signs via
# `-name RootCA` or `-name IntermediateCA`, which prevents signing with the
# root key by accident. Add `default_ca = IntermediateCA` here if a default is
# wanted for day-to-day issuance.

[ RootCA ]
# Directory and file locations.
# `dir` is relative and resolves against the working directory of the
# `openssl` process, not the location of this file.
dir               = ./rootca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
# Ignored by OpenSSL 1.1.1 and later (they seed from the OS); kept for older releases.
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
# The root key is the trust anchor for the whole hierarchy: keep `private/`
# readable only by root (mode 0700), keep the key encrypted, and keep this CA
# offline — it should only ever sign intermediates and its own CRL.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
# A CRL expires 30 days after issue; regenerate with `openssl ca -gencrl`
# before then or relying parties will see stale revocation data.
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
# Lifetime of issued certificates (here: intermediates) when `-days` is not given.
default_days      = 375
# Do not carry the CSR's DN over as-is; the DN is rebuilt per `policy` (see `man ca`).
preserve          = no
# The root signs only intermediates whose C/ST/O match its own (policy_strict).
policy            = policy_strict
# `copy_extensions` is left at its default (`none`): extensions requested in a
# CSR are ignored and only the section given with `-extensions` is applied.
# That is the safe choice for a CA; do not set `copy`/`copyall` without
# reviewing every CSR, since that lets the requester pick extensions.

[ IntermediateCA ]
# Directory and file locations.
# `dir` is relative and resolves against the working directory of the
# `openssl` process, not the location of this file.
dir               = ./intermediate
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
# Ignored by OpenSSL 1.1.1 and later (they seed from the OS); kept for older releases.
RANDFILE          = $dir/private/.rand

# The intermediate key and intermediate certificate. This is the key used for
# routine issuance, so it is the one that lives on the online signing host;
# the root key should stay offline.
private_key       = $dir/private/intermediate.key.pem
certificate       = $dir/certs/intermediate.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
# Same filename as the root CA's CRL. They sit in different `$dir` trees, but
# use a distinct name (e.g. intermediate.crl.pem) if both are published together.
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
# A CRL expires 30 days after issue; regenerate with `openssl ca -gencrl`
# before then or relying parties will see stale revocation data.
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
# Lifetime of issued end-entity certificates when `-days` is not given.
default_days      = 375
# Do not carry the CSR's DN over as-is; the DN is rebuilt per `policy` (see `man ca`).
preserve          = no
# NOTE: this section uses policy_strict, so every end-entity certificate must
# carry the same C, ST and O as the intermediate. `policy_loose` below was
# written for this CA but is not referenced anywhere; switch to it if leaf
# DNs need to vary.
policy            = policy_strict
# `copy_extensions` is left at its default (`none`): extensions in the CSR,
# including any subjectAltName, are dropped. Server certificates therefore
# need their SAN supplied at signing time (see server_cert), not in the CSR.

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`: `match` requires the field to be
# present and equal to the CA certificate's own value, `supplied` requires it
# to be present, `optional` allows it to be absent. Fields not listed here
# (e.g. localityName) are not carried into the issued certificate.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Intended to let the intermediate CA sign a more diverse range of certificates:
# only commonName is required, nothing has to match the issuer's DN.
# NOTE: neither CA section in this file references this policy; both currently
# use policy_strict. Point `policy` in [ IntermediateCA ] here to enable it.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
# RSA key size for `openssl req -new` when `-newkey` is not given on the command line.
default_bits        = 4096
distinguished_name  = req_distinguished_name
# Encode DN strings as UTF8String only; avoids the mixed/legacy encodings
# (T61String, BMPString) the default mask permits.
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used (i.e. the self-signed root).
# No `req_extensions` is configured, so CSRs produced with this file carry no
# extensions; any SAN for a server certificate has to be added by the CA at
# signing time.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompts shown by `openssl req` for each DN field.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name

# Optionally, specify some defaults.
# These are example values; change them before creating a real CA. Because
# both CA sections use policy_strict, the C/ST/O chosen when the root is
# created must be reused verbatim in every CSR this hierarchy signs.
countryName_default             = GB
stateOrProvinceName_default     = England
0.organizationName_default      = Google UK
organizationalUnitName_default  = AfW

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# No pathlen: this root may issue intermediates that themselves issue CAs.
# Add `pathlen:1` if the hierarchy should never be deeper than one intermediate.
basicConstraints = critical, CA:true
# keyCertSign and cRLSign are what a CA needs; digitalSignature is only
# required if this key also signs OCSP responses directly.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# `pathlen:0`: this CA may issue end-entity certificates only. Any CA
# certificate it signs (e.g. after a key compromise) fails path validation.
basicConstraints = critical, CA:true, pathlen:0
# keyCertSign and cRLSign are what a CA needs; digitalSignature is only
# required if this key also signs OCSP responses directly.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
# Pass with `openssl ca -extensions usr_cert`.
basicConstraints = CA:FALSE
# nsCertType/nsComment are legacy Netscape extensions; harmless, but modern
# clients ignore them and rely on keyUsage/extendedKeyUsage instead.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# keyEncipherment is only meaningful for RSA keys; drop it when issuing to EC keys.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# Restricts use to TLS client authentication and S/MIME.
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# Pass with `openssl ca -extensions server_cert`.
# NOTE: no subjectAltName is defined here, and the CA sections leave
# `copy_extensions` at `none`, so a certificate issued with this section has
# no SAN. Modern TLS clients ignore the CN and will reject it. Add a
# `subjectAltName = DNS:host.example.com` line (or use a per-request section /
# `-extfile`) before issuing.
basicConstraints = CA:FALSE
# Legacy Netscape extensions; ignored by modern clients.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
# `issuer:always` also embeds the issuer DN and serial (usr_cert uses plain
# `issuer`). Both are valid; verifiers match on keyid.
authorityKeyIdentifier = keyid,issuer:always
# keyEncipherment covers RSA key exchange; for EC keys digitalSignature alone is correct.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
# Referenced by `crl_extensions` in both CA sections; the AKI lets relying
# parties find the CA key that signed the CRL.
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# Pass with `openssl ca -extensions ocsp`. Issue the responder certificate
# from the CA whose status it reports (RFC 6960 delegated responder) and keep
# its lifetime short, since it is hard to revoke the revocation channel.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
# Critical OCSPSigning: the key may sign OCSP responses only, not TLS or S/MIME.
extendedKeyUsage = critical, OCSPSigning
