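# $OpenBSD: root.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $
# For regression tests
#
# OpenSSL configuration for the regress root CA.  Read by the `ca` and
# `req` tools; every path below is relative to $dir (the working directory).
default_ca = CA_regress

[ CA_regress ]
# Directory and file locations.
dir = .
certs = $dir
crl_dir = $dir
database = $dir/root.txt
serial = $dir/root.serial
new_certs_dir = $dir

# The root key and root certificate.
private_key = $dir/root.key.pem
certificate = $dir/root.cert.pem

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/ca.crl.pem
crl_extensions = crl_ext
# Lifetime of a freshly issued CRL, in days.
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Display options used when `ca` prints names and certificates.
name_opt = ca_default
cert_opt = ca_default
# Validity of issued certificates, in days.
default_days = 375
# DN field order follows the policy section rather than the request.
preserve = no
# copy_extensions is deliberately left unset (default: none), so extensions
# carried in a CSR are never copied into the signed certificate; only the
# section selected with -extensions is applied.
policy = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
# match    - the field must equal the value in the CA certificate
# supplied - the field must be present in the request
# optional - the field may be absent
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
# Restrict DN string types to UTF8String (no legacy T61/BMP strings).
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# The "0." prefix is the OpenSSL way to allow a DN field name to appear
# more than once in this section.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
countryName_default = CA
stateOrProvinceName_default = Alberta
localityName_default = Edmonton
0.organizationName_default = OpenBSD
organizationalUnitName_default = So and Sos
emailAddress_default = evilsoandsos@openbsd.org
commonName_default = Regress Root CA

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# Root CA: no pathlen, so it may issue further CA certificates.
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 - the intermediate may sign end-entity certificates only.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions, kept for the
# regress fixtures; modern clients rely on keyUsage / extendedKeyUsage.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions, kept for the
# regress fixtures; modern clients rely on keyUsage / extendedKeyUsage.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier = keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning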