ca.cnf revision eb525c5499e34cc9c4b825d6d9e75bb07cc06ace
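# Defaults in the event they're not set in the environment.
# A $ENV::NAME reference elsewhere in this file takes NAME from the process
# environment and falls back to the same-named key in this unnamed section.
# NOTE(review): CA_COMMON_NAME, read by [req_env_dn], has no fallback here even
# though CA_NAME defaults to req_env_dn, so callers presumably have to export
# it -- confirm against the scripts that invoke openssl with this file.
CA_DIR    = out
# RSA modulus size in bits; also part of the $type file-name prefix.
KEY_SIZE  = 2048
# Within this file ALGO only feeds the $type file-name prefix in [CA_root];
# the digest actually used for signing is the separate default_md key.
ALGO      = sha1
CERT_TYPE = root
# Name of the distinguished_name section that [req] will use.
CA_NAME   = req_env_dn
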
# Entry section for `openssl ca`: names the CA definition used by default.
[ca]
default_ca = CA_root
# Keep the subject DN field order from the request instead of reordering it
# to match the policy section.
preserve = yes

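# The default test root, used to generate certificates and CRLs.
# The settings below are deliberately permissive (SHA-1 digest, any subject
# accepted, request extensions copied); they suit throwaway test fixtures and
# should not be carried over to a CA whose certificates anything trusts.
[CA_root]
dir           = $ENV::CA_DIR
# key_size, algo and cert_type are helper variables; in this file they are
# only used to build $type, the common file-name prefix for this CA's state.
key_size      = $ENV::KEY_SIZE
algo          = $ENV::ALGO
cert_type     = $ENV::CERT_TYPE
type          = $key_size-$algo-$cert_type
database      = $dir/$type-index.txt
# Issued certificates land in the same directory as the CA key and database.
new_certs_dir = $dir
serial        = $dir/$type-serial
certificate   = $dir/$type.pem
# CA private key; [req] sets encrypt_key = no, so a key generated through
# that section is written to disk without a passphrase.
private_key   = $dir/$type.key
RANDFILE      = $dir/.rand
# Validity of issued certificates, in days (roughly ten years).
default_days     = 3650
default_crl_days = 30
# Hard-coded digest: it does not follow $algo, so a CA whose files are named
# "...-sha256-..." still signs with SHA-1 unless the caller overrides it.
# NOTE(review): SHA-1 signatures are rejected by current verifiers; confirm
# the tests that consume these fixtures really need it.
default_md       = sha1
# policy_anything makes every subject field optional, and unique_subject = no
# lets several valid certificates share one subject.
policy           = policy_anything
unique_subject   = no
# copy: extensions present in the request that the signing extension section
# does not already set are copied into the issued certificate. This section
# names no x509_extensions, so [user_cert] / [ca_cert] are presumably selected
# with -extensions on the command line (confirm); signing without one would
# leave the request's own extensions, basicConstraints included, in control.
copy_extensions  = copy
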
# Extension set applied when signing a request for an end-entity (EE)
# certificate.
[user_cert]
# Critical, and marks the certificate as not being a CA.
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
# Require the issuer's key identifier to be present.
authorityKeyIdentifier = keyid:always
# Usable for both TLS server and TLS client authentication.
extendedKeyUsage = serverAuth,clientAuth

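[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
# No pathlen is given, so a CA issued with this section is not limited in how
# many further CA levels it may create beneath itself.
basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
# Left disabled by the author; the reason is not recorded in this file.
#authorityKeyIdentifier = keyid:always
# Restricts the key to signing certificates and CRLs.
keyUsage               = critical, keyCertSign, cRLSign
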
# Extension set applied when this CA signs a CRL.
[crl_extensions]
# Identify the issuing key so a CRL can be matched to the right CA key.
authorityKeyIdentifier = keyid:always

# Default signing policy: every subject field is optional, so the CA places
# no requirement on what a request's subject contains.
[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

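[req]
# The request section used to generate the root CA certificate. This should
# not be used to generate end-entity certificates. For certificates other
# than the root CA, see README to find the appropriate configuration file
# (e.g. openssl_cert.cnf).
default_bits       = $ENV::KEY_SIZE
# Hard-coded SHA-1, independent of the ALGO variable.
default_md         = sha1
string_mask        = utf8only
# Non-interactive: subject fields come from the DN section, never a prompt.
prompt             = no
# The generated private key is written without passphrase protection, so the
# output directory's file permissions are its only protection. Acceptable
# for disposable test keys only.
encrypt_key        = no
# CA_NAME picks the DN section; this file defines req_ca_dn,
# req_intermediate_dn and req_env_dn.
distinguished_name = $ENV::CA_NAME
# Extensions added when the request is self-signed into a certificate.
x509_extensions    = req_ca_exts
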
# Fixed subject DN for the test root CA.
[req_ca_dn]
C = US
ST = California
L = Mountain View
O = Test CA
CN = Test Root CA

# Fixed subject DN for the test intermediate CA; differs from [req_ca_dn]
# only in the common name.
[req_intermediate_dn]
C = US
ST = California
L = Mountain View
O = Test CA
CN = Test Intermediate CA

# Subject DN consisting of a single common name supplied by the caller.
[req_env_dn]
# Read from the CA_COMMON_NAME environment variable.
CN = $ENV::CA_COMMON_NAME

# Extensions referenced by x509_extensions in [req] for the CA certificate
# that section generates.
[req_ca_exts]
# Critical, and marks the certificate as a CA; no pathlen is set.
basicConstraints = critical, CA:true
# Key may only sign certificates and CRLs.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash