CA openssl.cnf.tpl
./scripts/openssl.cnf.tpl
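# OpenSSL configuration template for a three-tier private PKI:
#   Root_CA   - offline root, signs only the two intermediate CA certificates
#   Server_CA - issues end-entity TLS server certificates
#   User_CA   - issues end-entity client / S/MIME user certificates
# 2007 by neobiker
#
# $path is NOT an OpenSSL variable: it is a template placeholder that the
# generating script substitutes before the file is handed to openssl(1).
# $dir, by contrast, is OpenSSL's own in-section variable expansion.
#
# Select the signing CA with `openssl ca -name Root_CA|Server_CA|User_CA`;
# without -name the [ ca ] default below (Server_CA) is used.
#
# $Id: openssl.cnf.tpl,v 1.1 2008/06/26 20:35:28 root Exp root $
#
# $Log: openssl.cnf.tpl,v $
# Revision 1.1 2008/06/26 20:35:28 root
# Initial revision
#

[ new_oids ]

####################################################################
[ ca ]
default_ca = Server_CA          # CA section used when -name is not given

####################################################################
# Offline root. Only ever signs the intermediate CA certificates.
[ Root_CA ]
dir              = $path/RootCA                # Where everything is kept
certs            = $dir/certs                  # Where the issued certs are kept
crl_dir          = $dir/crls                   # Where the issued CRLs are kept
database         = $dir/index.txt              # Certificate database (index)
new_certs_dir    = $dir/newcerts               # Default place for new certs
certificate      = $dir/private/RCAcert.pem    # The CA certificate
serial           = $dir/serial                 # The current serial number
crl              = $dir/crls/crl.pem           # The current CRL
private_key      = $dir/private/RCAkey.pem     # The CA private key (keep 0600, owned by the CA operator)
default_days     = 1825                        # 5 years for intermediate CA certs
default_crl_days = 365                         # Root CRL changes rarely; re-issue yearly
# SHA-256. The original value (md5) is collision-broken; MD5-signed
# certificates are rejected by modern clients and must never be issued by a CA.
default_md       = sha256
x509_extensions  = RCA_cert                    # Extensions added to issued (intermediate) certs
preserve         = no
policy           = policy_match                # Default policy
# Never honour extensions carried in the CSR; the *_cert sections define them.
copy_extensions  = none

####################################################################
# Intermediate CA for TLS server certificates.
[ Server_CA ]
dir              = $path/ServerCA              # Where everything is kept
certs            = $dir/certs                  # Where the issued certs are kept
crl_dir          = $dir/crls                   # Where the issued CRLs are kept
database         = $dir/index.txt              # Certificate database (index)
new_certs_dir    = $dir/newcerts               # Default place for new certs
certificate      = $dir/private/SCAcert.pem    # The CA certificate
serial           = $dir/serial                 # The current serial number
crl              = $dir/crls/crl.pem           # The current CRL
private_key      = $dir/private/SCAkey.pem     # The CA private key (keep 0600, owned by the CA operator)
# NOTE(review): 5 years is far longer than current practice for TLS server
# certificates (<= 398 days for publicly trusted ones); consider shortening.
default_days     = 1825
default_crl_days = 30                          # How long before the next CRL is due
default_md       = sha256                      # Was md5 - see Root_CA
x509_extensions  = SCA_cert                    # Extensions added to issued server certs
preserve         = no
policy           = policy_anything             # Default policy
# Never honour extensions carried in the CSR; the *_cert sections define them.
copy_extensions  = none

####################################################################
# Intermediate CA for user (client / e-mail) certificates.
[ User_CA ]
dir              = $path/UserCA                # Where everything is kept
certs            = $dir/certs                  # Where the issued certs are kept
crl_dir          = $dir/crls                   # Where the issued CRLs are kept
database         = $dir/index.txt              # Certificate database (index)
new_certs_dir    = $dir/newcerts               # Default place for new certs
certificate      = $dir/private/UCAcert.pem    # The CA certificate
serial           = $dir/serial                 # The current serial number
crl              = $dir/crls/crl.pem           # The current CRL
private_key      = $dir/private/UCAkey.pem     # The CA private key (keep 0600, owned by the CA operator)
default_days     = 730                         # 2 years for user certs
default_crl_days = 30                          # How long before the next CRL is due
default_md       = sha256                      # Was md5 - see Root_CA
x509_extensions  = UCA_cert                    # Extensions added to issued user certs
preserve         = no
policy           = policy_match                # Default policy
# Never honour extensions carried in the CSR; the *_cert sections define them.
copy_extensions  = none

####################################################################
# Subject-name policies. "match" = must equal the CA certificate's value,
# "supplied" = must be present in the CSR, "optional" = may be present.
[ policy_match ]
countryName            = match
stateOrProvinceName    = supplied
localityName           = optional
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ policy_anything ]
countryName            = match
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

####################################################################
# Settings for `openssl req` (CSRs and the self-signed root certificate).
[ req ]
default_bits       = 2048
# Signature digest for CSRs and the self-signed root; older OpenSSL builds
# default to md5/sha1 when this is absent.
default_md         = sha256
distinguished_name = req_distinguished_name
attributes         = req_attributes
x509_extensions    = v3_ca                     # Extensions added to the self-signed root (req -x509)
# nombstr = only PrintableString/T61String, no BMPString/UTF8String.
# NOTE(review): RFC 5280 expects UTF8String for non-ASCII names; `utf8only`
# is the modern choice for a newly created hierarchy. Kept as-is so the DN
# encoding of an already-issued CA chain does not change.
string_mask        = nombstr

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = DE
countryName_min                = 2
countryName_max                = 2
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Bayern
localityName                   = Locality Name (eg, city)
localityName_default           = Nuernberg
0.organizationName             = Organization Name (eg, company)
0.organizationName_default     = OrganisationName
organizationalUnitName         = Organizational Unit Name (eg, section or website)
organizationalUnitName_default = OrganisationUnit
# For server certificates the host name in the CN is NOT sufficient for
# modern TLS clients, which match against a dNSName subjectAltName (see SCA_cert).
commonName                     = Common Name (SERVER / USER name)
#commonName_default            = server.company.de
commonName_max                 = 64
emailAddress                   = Email Address (eg, YOUR email)
emailAddress_default           = webmaster@company.de

[ req_attributes ]
# The challenge password is meant to let the requester prove their identity
# to the issuing CA when asking for revocation after the private key is lost.
# It is prompted for when the certificate request is created.
# NOTE: `openssl ca` does not verify this attribute itself - it is merely stored
# in the CSR (in cleartext), so the revocation procedure must check it out of band.
challengePassword     = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName      = company.de

##################################################################
# Extensions applied by Root_CA to the intermediate CA certificates.
[ RCA_cert ]
# pathlen:0 - in this layout the intermediates issue end-entity certs only;
# drop the constraint if a deeper hierarchy is ever required.
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, cRLSign, keyCertSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName         = email:copy
issuerAltName          = issuer:copy
# NOTE(review): while this stays commented out, relying parties have no way to
# locate the CRL this CA generates; point it at the URL serving crls/crl.pem.
#crlDistributionPoints = URI:http://company.homeip.net/RCA.crl
# Legacy Netscape extensions; ignored by modern clients, kept for compatibility.
nsCertType             = sslCA, emailCA, objCA
#nsBaseUrl             = https://company.de/
nsComment              = "issued by company.de CA"

# Extensions applied by Server_CA to TLS server certificates.
[ SCA_cert ]
# Explicit CA:FALSE (was commented out) so the end-entity status is asserted,
# not merely implied by the missing extension.
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
# Matches nsCertType=server; modern clients expect an EKU on server certs.
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
# NOTE(review): only the e-mail address is copied into the SAN. TLS clients
# match the host name against a dNSName entry, so the generating script must
# add one (e.g. an extra `DNS:<host>` entry here) for these certificates to
# validate in current browsers and libraries.
subjectAltName         = email:copy
issuerAltName          = issuer:copy
# NOTE(review): see RCA_cert - without a published CDP the CRL is unreachable.
#crlDistributionPoints = URI:http://company.homeip.net/SCA.crl
# Legacy Netscape extensions; ignored by modern clients, kept for compatibility.
nsCertType             = server
nsBaseUrl              = https://company.de/
nsComment              = "issued by company.de (Server CA)"

# Extensions applied by User_CA to client / e-mail certificates.
[ UCA_cert ]
# Explicit CA:FALSE (was commented out) - see SCA_cert.
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment, keyAgreement
# Matches nsCertType=client, email.
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName         = email:copy
issuerAltName          = issuer:copy
# NOTE(review): see RCA_cert - without a published CDP the CRL is unreachable.
#crlDistributionPoints = URI:http://company.homeip.net/UCA.crl
# Legacy Netscape extensions; ignored by modern clients, kept for compatibility.
nsCertType             = client, email
#nsBaseUrl             = https://company.de/
nsComment              = "issued by company.de (User CA)"

#################################################################
# Extensions for the self-signed root certificate (`openssl req -x509`).
[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, cRLSign, keyCertSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName         = email:copy
issuerAltName          = issuer:copy
#crlDistributionPoints = URI:http://company.de/RCA.crl
# Legacy Netscape extensions; ignored by modern clients, kept for compatibility.
nsCertType             = sslCA, emailCA, objCA
#nsBaseUrl             = https://company.de/
nsComment              = "issued by company.de CA"

# Extensions added to generated CRLs (`openssl ca -gencrl`).
[ crl_ext ]
issuerAltName          = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always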