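# OpenSSL configuration for a small test CA.
# [ req ] and [ ca_extensions ] describe the CA's own self-signed certificate;
# [ CA_default ], [ signing_policy ] and [ signing_req ] are read by `openssl ca`
# when it signs certificate requests.
#
# The keys below sit in the unnamed default section. OpenSSL falls back to the
# default section when a key is missing from the named section, so `openssl ca`
# still finds them through [ CA_default ].

base_dir = .
certificate = $base_dir/cacert.pem # The CA certificate
# The CA private key. Anyone who can read this file can issue certificates
# under this CA; keep it readable by the CA operator only.
private_key = $base_dir/cakey.pem
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number

# 'no' allows several valid certificates with the same subject, so the subject
# alone does not identify a certificate; track them by serial number.
unique_subject = no

# Fallback for $ENV::HOME when the HOME environment variable is not set.
HOME = .
RANDFILE = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

# No 'policy' key is set here, so `openssl ca` has to be given
# -policy signing_policy on the command line.
[ CA_default ]

# 10000 days is roughly 27 years. Tolerable for a throwaway test CA only;
# pass -days with a short lifetime for any certificate that real clients trust.
default_days = 10000
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Digest used to sign certificates and CRLs
preserve = no # no: DN fields follow the policy section order, not the request order

# Extensions added when `openssl ca` is run without -extensions.
# This points at the leaf profile on purpose: with ca_extensions here, a request
# signed without -extensions would come back as a CA:true certificate.
# To issue a subordinate CA, pass -extensions ca_extensions explicitly.
x509_extensions = signing_req

email_in_dn = no # Leave emailAddress out of the issued certificate's DN

# Required to copy SANs from the CSR into the certificate.
# 'copy' adds every extension found in the request that the extension section
# above does not already set. basicConstraints and keyUsage from signing_req
# take precedence, but anything else the requester put in the CSR is copied
# as-is, so inspect each request before signing it.
copy_extensions = copy

####################################################################
# Used by `openssl req` when generating the CA key and self-signed certificate.
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only

####################################################################
# Prompts and default values for the CA certificate's subject.
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland

localityName = Locality Name (eg, city)
localityName_default = Baltimore

organizationName = Organization Name (eg, company)
organizationName_default = Test CA, Limited

organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Server Research Department

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA

emailAddress = Email Address
emailAddress_default = test@example.com

####################################################################
# Extensions for the CA certificate itself.
# basicConstraints carries no pathlen, so this profile puts no limit on the
# depth of subordinate CAs below it.
[ ca_extensions ]

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign

####################################################################
# Subject policy applied to requests. Only commonName is required and no field
# has to match the CA's own DN, so the CA accepts whatever subject the request
# carries; the operator must check the subject before signing.
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
# Extensions for issued end-entity certificates: not a CA, key usable for
# signatures and key encipherment only.
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment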