# OpenSSL configuration for a root CA whose key and certificate are named
# ca-ecc384-* (presumably a P-384 ECC key; the file names are the only hint).
# The DN below is wolfSSL's, so this appears to generate test fixtures; the
# lifetimes used here (3650-day certificates, 1000-day CRLs) are far longer
# than a production CA should use.

[ ca ]
# `man ca`: the section `openssl ca` reads when no -name is given.
default_ca = CA_default

[ CA_default ]
# Directory and file locations, all relative to the directory the invoking
# script runs `openssl` from ($dir = .), so the script must cd there first.
dir = .
certs = $dir/certs
new_certs_dir = $dir/certs
# index.txt and serial are the CA's issuance database; they must exist and be
# initialised before the first `openssl ca` run, and should be retained so a
# serial number is never reused.
database = $dir/certs/ecc/index.txt
serial = $dir/certs/ecc/serial
# NOTE(review): the original comment says the random seed should come from the
# system rather than a local path. $dir/private is referenced nowhere else in
# this file, so confirm it exists or drop RANDFILE (recent OpenSSL releases
# seed from the OS CSPRNG and do not need it).
RANDFILE = $dir/private/.rand

# The root key and root certificate. Note that the private key sits in the
# same certs/ directory as the public certificates: keep it mode 0600 and do
# not publish or copy that directory as a whole unless this is a throwaway
# test key.
private_key = $dir/certs/ca-ecc384-key.pem
certificate = $dir/certs/ca-ecc384-cert.pem

# For certificate revocation lists.
crlnumber = $dir/certs/ecc/crlnumber
crl_extensions = crl_ext
# CRL nextUpdate is 1000 days (~2.7 years) out; relying parties may treat a
# cached CRL as fresh until then, so a revocation could go unnoticed for that
# long. Acceptable for test fixtures only.
default_crl_days = 1000

# Signature digest for issued certificates and CRLs; SHA-384 pairs with a
# P-384 CA key.
default_md = sha384

name_opt = ca_default
cert_opt = ca_default
# Issued certificates are valid ~10 years unless -days overrides this.
default_days = 3650
# DN field order follows the policy section rather than the request.
preserve = no
# NOTE(review): the root uses the loose policy even though policy_strict's own
# comment says the root should only sign matching intermediates. Pass
# `-policy policy_strict` on the command line (or change this) when issuing
# an intermediate.
# NOTE(review): copy_extensions and unique_subject are not set here, so the
# `man ca` defaults apply (CSR extensions are not copied; duplicate subjects
# are rejected). If copy_extensions is ever enabled, review CSRs before
# signing, since they can carry arbitrary extensions.
policy = policy_loose


[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`: match = must equal the CA
# certificate's value, supplied = must be present, optional = may be present.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates:
# only a commonName is required, every other field may differ from the CA's.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
# Key size used only when req generates an RSA key without an explicit size;
# the CA key here is ECC, so this is not exercised for the CA itself.
default_bits = 2048
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String (or ASCII) only, avoiding the legacy
# T61String/BMPString forms.
string_mask = utf8only

# SHA-384 is the default digest for requests and self-signed certificates.
default_md = sha384

# Extension section added when the -x509 option is used (self-signed root).
x509_extensions = v3_ca

[ req_distinguished_name ]
# NOTE(review): [req] does not set `prompt = no`. Per `man req`, without it
# these entries are read as prompt labels rather than DN values, so the
# invoking script is presumably supplying the DN (via -subj or piped answers).
# Confirm that before relying on the values below.
countryName = US
stateOrProvinceName = Washington
localityName = Seattle
0.organizationName = wolfSSL
organizationalUnitName = Development
commonName = www.wolfssl.com
emailAddress = info@wolfssl.com

[ v3_ca ]
# Extensions for a self-signed root CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# CA:true with no pathlen: this root may issue further CA certificates.
basicConstraints = critical, CA:true
# Critical key usage limited to signing certificates and CRLs (plus
# digitalSignature).
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 — the intermediate may sign end-entity certificates only; a CA
# certificate issued below it will fail chain validation.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client (end-entity) certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
# nsCertType is the legacy Netscape extension; modern validators ignore it and
# rely on keyUsage/extendedKeyUsage below. Presumably kept for old clients.
nsCertType = client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server (end-entity) certificates (`man x509v3_config`).
# No subjectAltName is configured here and CA_default does not copy CSR
# extensions, so hostname-verifying clients will need a SAN added by the
# invoking script (for example via -addext or an extra extension file).
basicConstraints = CA:FALSE
# Legacy Netscape extension, see usr_cert.
nsCertType = server
subjectKeyIdentifier = hash
# issuer:always also embeds the issuer DN and serial in the AKI, unlike
# usr_cert above, which emits only the key id.
authorityKeyIdentifier = keyid,issuer:always
# NOTE(review): keyEncipherment only applies to RSA key transport and
# keyAgreement to static (EC)DH; with an ECDSA key and ephemeral key exchange
# only digitalSignature is exercised. Harmless, but trim if issuing ECC only.
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extensions for CRLs (`man x509v3_config`); referenced by crl_extensions in
# CA_default.
authorityKeyIdentifier=keyid:always