1#
2# OpenSSL example configuration file for automated certificate creation.
3#
4
# Fallback values for the $ENV:: references used further down.  OpenSSL
# resolves $ENV::name from the process environment first and falls back
# to the value defined here when the variable is unset, so a missing
# HOME or CN does not make the parse fail.
HOME = .
# Seed file for the CSPRNG.  Whether it is still consulted depends on the
# OpenSSL release; recent versions seed from the OS and may ignore it.
RANDFILE = $ENV::HOME/.rnd
# Placeholder subject CN; a driving script is expected to export CN.
CN = "Not Defined"
# Section the 'ca' app takes its settings from (presumably looked up via
# the global fallback, since there is no default_ca inside [ca] itself).
default_ca = ca
11
12####################################################################
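[ req ]
# RSA modulus size for generated keys.  1024-bit RSA provides only about
# 80 bits of security, below the 112-bit floor current validation
# policies require; 2048 is the smallest size still considered acceptable.
default_bits = 2048
default_keyfile = privkey.pem
# Do not prompt for subject fields; take them from the section named by
# distinguished_name instead.
prompt = no
distinguished_name = req_distinguished_name
# Extensions added to a self-signed certificate (req -x509).
x509_extensions = v3_ca
# Encode subject strings as UTF8String only (no T61String/BMPString).
string_mask = utf8only

# Extensions to add to a certificate request; disabled here, and no
# v3_req section is defined in this file.
# req_extensions = v3_req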
23
[ req_distinguished_name ]
# Subject fields used verbatim, because prompt = no is set in [ req ].
countryName = UK
organizationName = OpenSSL Group
# The CN is read from the environment so a script can set it per
# certificate; the global CN definition supplies the fallback value.
commonName = $ENV::CN
30
[ usr_cert ]
# Extensions 'ca' adds when it signs a request for an end-entity
# certificate.  Keep the order: extensions are encoded in the order
# they are listed here.

# Not a CA; critical so that relying parties must honour it.
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# Legacy Netscape comment extension, shown in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# Key identifiers recommended by PKIX; safe to include in every certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# Extensions for an OCSP responder certificate.  Keep the order:
# extensions are encoded in the order they are listed here.
[ ocsp_cert ]

# Not a CA; critical so that relying parties must honour it.
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# Legacy Netscape comment extension, shown in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# Key identifiers recommended by PKIX; safe to include in every certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# Marks the holder as an authorised OCSP responder (id-kp-OCSPSigning,
# RFC 6960); without it, clients reject responses signed by this key.
extendedKeyUsage = OCSPSigning
58
[ dh_cert ]
# Extensions 'ca' adds when it signs a request for an end-entity DH
# certificate.  Keep the order: extensions are encoded in the order
# they are listed here.

# Not a CA; critical so that relying parties must honour it.
basicConstraints = critical, CA:FALSE
# A DH key can only agree on a shared secret, so keyAgreement is the
# only usage that applies.
keyUsage = critical, keyAgreement

# Key identifiers recommended by PKIX; safe to include in every certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
70
[ v3_ca ]
# Extensions for a typical CA certificate.  Keep the order: extensions
# are encoded in the order they are listed here.

# Key identifiers recommended by PKIX.  keyid:always forces the issuer
# key identifier in even on a self-signed certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Marks the certificate as a CA.  No pathlen is given, so this CA may
# issue subordinate CAs; add pathlen:0 if that should be disallowed.
basicConstraints = critical,CA:true
# Limit the CA key to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign
82
# Minimal 'ca' section, just enough to generate CRLs.  Only the index
# database and the CRL number file are configured; the CA certificate,
# key and validity are presumably passed on the command line, and
# signing certificates would need further keys (serial, new_certs_dir).
[ca]
database = index.txt
crlnumber = crlnum.txt
87