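# OpenSSL configuration for the ECC test CA, consumed by `openssl ca` and
# `openssl req` via -config. Every `$dir/...` path below is resolved against
# `dir` in [ CA_default ], i.e. the directory the invoking script runs from.
[ ca ]
# `man ca`: the section `openssl ca` reads its settings from.
default_ca = CA_default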
4
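[ CA_default ]
# Directory and file locations, relative to where the script is executing.
dir               = .
certs             = $dir/certs
new_certs_dir     = $dir/certs
database          = $dir/certs/ecc/index.txt
serial            = $dir/certs/ecc/serial
# PRNG seed file. Modern OpenSSL seeds from the operating system regardless,
# so this local path is supplementary and not relied upon.
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
# NOTE(review): the key sits under certs/ beside public material rather than
# under private/ (the directory RANDFILE points at); acceptable for a test CA,
# but confirm it is excluded if certs/ is ever distributed.
private_key       = $dir/certs/ca-ecc-key.pem
certificate       = $dir/certs/ca-ecc-cert.pem

# For certificate revocation lists.
crlnumber         = $dir/certs/ecc/crlnumber
crl_extensions    = crl_ext
# Lifetime of an issued CRL, in days.
default_crl_days  = 1000

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
# Lifetime of issued certificates, in days (10 years).
default_days      = 3650
preserve          = no
# copy_extensions is deliberately left at its `man ca` default (none), so
# extensions requested in a CSR are ignored and only the -extensions section
# chosen at signing time applies; keep it that way unless CSRs are trusted.
# NOTE(review): [ policy_strict ] documents that the root should only sign
# matching intermediates, yet the default policy here is policy_loose; confirm
# this is intended for the test CA.
policy            = policy_loose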
32
33
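[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`: `match` requires the CSR field to
# equal the CA certificate's, `supplied` requires it to be present, `optional`
# allows it to be absent. Selected via `policy` in [ CA_default ] or -policy.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional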
43
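[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page. Only commonName is
# required; nothing is checked against the issuing CA's own subject.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional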
54
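[ req ]
# Options for the `req` tool (`man req`).
# default_bits only affects RSA key generation; ECC keys take their size from
# the named curve supplied on the command line.
default_bits        = 2048
# NOTE(review): no `prompt = no` is set, so `req` treats the entries in
# [ req_distinguished_name ] as prompt labels rather than values unless the
# caller passes -subj (or -batch with defaults); confirm how the subject is
# supplied by the invoking script.
distinguished_name  = req_distinguished_name
# Restrict DN strings to UTF8String / PrintableString encodings.
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca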
66
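[ req_distinguished_name ]
# Subject components for certificate requests. Order here is the order the
# components appear in the DN, so do not reorder casually. The `0.` prefix lets
# a component name appear more than once in the section.
countryName                     = US
stateOrProvinceName             = Washington
localityName                    = Seattle
0.organizationName              = wolfSSL
organizationalUnitName          = Development
commonName                      = www.wolfssl.com
emailAddress                    = info@wolfssl.com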
75
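[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# No pathlen is set, so a certificate with these extensions may issue
# subordinate CAs of any depth; that is the intended shape for the root.
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign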
82
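[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 means this CA may sign end-entity certificates only, never
# another CA; relying parties reject a deeper chain.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign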
89
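[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
# nsCertType is a legacy Netscape extension; modern validators ignore it and
# rely on extendedKeyUsage below. Kept for compatibility with older peers.
nsCertType = client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# nonRepudiation is the older name for the contentCommitment bit.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection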
98
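[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
# Legacy Netscape extension; see the note in [ usr_cert ].
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# keyEncipherment is only meaningful for RSA key transport and keyAgreement for
# static (EC)DH; for an ECC key used with ephemeral key exchange only
# digitalSignature is exercised. The extra bits are harmless but are a
# template inherited from RSA-oriented configs.
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth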
107
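[ crl_ext ]
# Extension for CRLs (`man x509v3_config`). Spacing normalised to match the
# other extension sections; whitespace around `=` is insignificant to OpenSSL.
authorityKeyIdentifier = keyid:always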