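#
# OpenSSL example configuration file for automated certificate creation.
#
# Sections: [ req ] drives key/request generation and the self-signed CA
# certificate; [ usr_cert ], [ ocsp_cert ] and [ dh_cert ] are extension
# profiles for issued certificates; [ v3_ca ] is the CA profile; [ ca ] holds
# the minimum needed for CRL generation.
#

# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
# Seed file path, built from the HOME environment variable.
RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
# Name of the section that holds the CA settings; refers to [ca] at the end
# of this file.
default_ca = ca

####################################################################
[ req ]
# RSA modulus size used when the command line does not give one.
# Raised from 1024: 1024-bit RSA is below the minimum accepted by current
# guidance and is rejected by many verifiers.
default_bits = 2048
# Private key output file. NOTE(review): whether the key is written encrypted
# depends on the invoking command line - confirm, and keep the file's
# permissions restrictive.
default_keyfile = privkey.pem
# Don't prompt for fields: use those in section directly
prompt = no
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert
x509_extensions = v3_ca
string_mask = utf8only
# NOTE(review): no default_md is set in this section, so the signing digest
# comes from the command line or the OpenSSL default - confirm it is SHA-256
# or stronger.

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
# NOTE(review): the ISO 3166-1 alpha-2 code for the United Kingdom is GB.
# UK is left unchanged because existing certificates or scripts may depend on
# this subject - confirm before changing.
countryName = UK

organizationName = OpenSSL Group
# Take CN from environment so it can come from a script.
# The value is copied into the subject as-is, so the calling script is
# responsible for what ends up in the certificate name.
commonName = $ENV::CN

[ usr_cert ]

# These extensions are added when 'ca' signs a request for an end entity
# certificate

# CA:FALSE marked critical so the certificate cannot be used to issue others.
basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

# OCSP responder certificate
[ ocsp_cert ]

basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# Marks the certificate as authorised to sign OCSP responses.
extendedKeyUsage=OCSPSigning

[ dh_cert ]

# These extensions are added when 'ca' signs a request for an end entity
# DH certificate

basicConstraints=critical, CA:FALSE
# Key agreement only: a DH key cannot produce signatures.
keyUsage=critical, keyAgreement

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

[ v3_ca ]


# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
# No pathlen is set, so certificates issued with this profile may in turn
# issue subordinate CAs of any depth. Add pathlen:0 if the CA should sign
# end-entity certificates only.
basicConstraints = critical,CA:true
# Restricted to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign

# Minimal CA entry to allow generation of CRLs.
[ca]
# Text database of issued and revoked certificates.
database=index.txt
# File holding the next CRL number.
crlnumber=crlnum.txt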