#
# OpenSSL configuration for scripted (non-interactive) certificate creation.
# The subject commonName is supplied through the CN environment variable.
#

# Fallback definitions: they keep the $ENV:: expansions further down from
# failing when HOME or CN is not defined.
# NOTE(review): if the calling script forgets to export CN, the subject
# falls back to the literal "Not Defined" instead of failing; have the
# script check CN before invoking openssl.
HOME = .
RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
# NOTE(review): default_ca names a section called "ca"; no such section
# appears in the visible part of this file. Confirm it is defined before
# relying on 'openssl ca' with this configuration.
default_ca = ca

####################################################################
[ req ]
# Key size, in bits, used when a new key is generated.
# NOTE(review): no default_md is set in this section, so the signing digest
# is whatever the installed OpenSSL uses by default; consider pinning it
# explicitly (for example sha256).
default_bits = 2048
# File a newly generated private key is written to unless the command line
# overrides it. Keep this file readable by its owner only.
default_keyfile = privkey.pem
# Do not prompt for subject fields: take them from the section named below.
prompt = no
distinguished_name = req_distinguished_name
# Extensions added to a self-signed certificate. v3_ca marks the result as
# a CA, so a self-signed certificate made with this file can sign others.
x509_extensions = v3_ca
string_mask = utf8only

# Extensions to add to a certificate request (disabled).
# NOTE(review): v3_req is not defined in the visible part of this file.
# req_extensions = v3_req

[ req_distinguished_name ]
# NOTE(review): the ISO 3166-1 alpha-2 code for the United Kingdom is GB;
# the value is kept exactly as the file had it.
countryName = UK

organizationName = OpenSSL Group
# CN comes from the environment so a script can set it per certificate.
commonName = $ENV::CN

[ usr_cert ]

# Extensions applied when 'ca' signs a request for an end-entity
# certificate. CA:FALSE (critical) prevents the certificate from acting as
# an issuer. No extendedKeyUsage is set, so the permitted purposes are
# limited only by keyUsage.

basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations; harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ dh_cert ]

# Extensions applied when 'ca' signs a request for an end-entity DH
# certificate: key agreement only, and not a CA.

basicConstraints = critical, CA:FALSE
keyUsage = critical, keyAgreement

# PKIX recommendations; harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_ca ]

# Extensions for a typical CA: usage is restricted to signing certificates
# and CRLs.
# NOTE(review): basicConstraints carries no pathlen, so the depth of
# subordinate CAs below this one is not limited; add one if the hierarchy
# should be bounded.

# PKIX recommendation.

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign