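#
# CA OpenSSL configuration file
#
# Read by `openssl ca` and `openssl req` (OpenSSL config syntax: `#` comments,
# `$name` expansion of keys defined earlier in the same section). Hardened
# defaults are explained inline where they differ from the historical sample.
#
oid_section = new_oids

[ new_oids ]
# Assign Object Identifiers for new field names.
NewField1 = 1.2.3.4
NewField2 = 1.2.3.5

[ ca ]
# The default ca section
default_ca = CA_default

[ CA_default ]
# Where everything is kept
dir = /home/chuck/myCA
# Where the issued certs are kept
certs = $dir
# Where the issued CRLs are kept
crl_dir = $dir
# database index file
database = $dir/index.txt
# Set to 'no' to allow creation of several certificates with the same subject.
#unique_subject = no
# default place for new certs
new_certs_dir = $dir/signedcerts
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL number. This must be a file, not the CA directory:
# `openssl ca -gencrl` reads and increments it. Seed it once, e.g.
# `echo 1000 > $dir/crlnumber`. Comment it out to issue a V1 CRL.
crlnumber = $dir/crlnumber
# The current CRL (a file; `$dir` alone is a directory and cannot be written)
crl = $dir/crl.pem
# The private key. Keep it mode 0600 and passphrase-protected.
private_key = $dir/cakey.pem
# private random number file (a file path, not the directory)
RANDFILE = $dir/.rand
# The extensions to add to issued certificates
x509_extensions = usr_cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default

# Extension copying option: use with caution. With `copy`, any extension
# present in the CSR (for example basicConstraints CA:TRUE) is copied into
# the issued certificate unless usr_cert overrides it. Leave disabled unless
# every CSR is reviewed before signing.
# copy_extensions = copy

# Extensions to add to a CRL. A V2 CRL (authorityKeyIdentifier plus a CRL
# number) is what current clients expect; the historical Netscape
# Communicator limitation on V2 CRLs no longer applies. crlnumber above
# must be set for a V2 CRL.
crl_extensions = crl_ext

# how long to certify for
default_days = 365
# how long before next CRL
default_crl_days = 365
# which md to use. SHA-1 signatures are rejected by current browsers and
# TLS stacks; sha256 is the minimum.
default_md = sha256
# keep passed DN ordering
preserve = no
policy = policy_match

[ policy_match ]
# Any DN component NOT listed in the active policy section is silently
# dropped from the issued certificate. localityName is therefore listed as
# optional, since req_distinguished_name gives it a default.
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
NewField1 = optional
NewField2 = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.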
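[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Key size for `openssl req -newkey`. 1024-bit RSA is below the accepted
# minimum; 2048 is the floor required by NIST and the CA/Browser Forum.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca
# Passphrases for private keys: if not present they are prompted for.
# Do NOT hard-code them here: this file is normally world-readable, and the
# previous value ("chuck") also matched the CA owner's user name. For
# non-interactive use pass `-passin`/`-passout` with a `file:` or `env:`
# source instead.
# input_password =
# output_password =
# Restrict DN strings to UTF8String as RFC 5280 expects; the legacy
# `nombstr` mask still permits T61String/PrintableString oddities and is
# deprecated.
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = CO
localityName = Locality Name (eg, city)
localityName_default = CS
organizationName = Organization Name (eg, company)
organizationName_default = Certificate Authority
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = ubuntuWS1
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = ubuntuws1@ubuntuws1.org

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

[ usr_cert ]
# Extensions for certificates issued by `openssl ca` (CA_default's
# x509_extensions). basicConstraints is marked critical so a relying party
# can never treat an issued leaf as a CA.
basicConstraints = critical, CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
# The same key usages v3_req requests in CSRs, enforced on the issued
# certificate so the leaf is limited to them whatever the CSR contained.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
# Extensions for the self-signed CA certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:true
# Restrict the CA key to signing certificates and CRLs.
keyUsage = critical, keyCertSign, cRLSign

[ crl_ext ]
authorityKeyIdentifier = keyid:always, issuer:always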