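#
# OpenSSL example configuration file for automated certificate creation.
#
# Read by the openssl command-line tools (req, ca). The syntax is the OpenSSL
# conf one rather than a generic INI dialect: '#' starts a comment, a
# double-quoted value has its quotes stripped, and $ENV::NAME reads an
# environment variable, falling back to a key of the same name in this
# global section when the variable is unset.
#

# Comment out the next line to ignore configuration errors
config_diagnostics = 1

# Global fallbacks so the $ENV:: lookups below do not choke when HOME or CN
# is undefined in the environment. CN is consumed by req_distinguished_name;
# HOME is not referenced in the sections shown here.
HOME = .
CN = "Not Defined"
# Section 'openssl ca' uses when no -name is given. No [ ca ] section is
# defined in this file as shown; presumably it is supplied elsewhere
# (another config file or the command line) -- confirm before relying on it.
default_ca = ca

####################################################################
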
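[ req ]

# Settings for 'openssl req'. Note that with -x509 the self-signed
# certificate receives the v3_ca extensions (CA:true, keyCertSign), so the
# output of this section is a CA certificate, not an end-entity one.

# Key size in bits used when req generates a key and no size is given
default_bits = 2048
default_keyfile = privkey.pem
# Don't prompt for fields: use those in section directly
prompt = no
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert
x509_extensions = v3_ca
# Encode subject DN strings as UTF8String only
string_mask = utf8only

# The extensions to add to a certificate request
# req_extensions = v3_req
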
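[ req_distinguished_name ]

# Subject fields, used verbatim because prompt = no is set in [ req ].

# Placeholder country value. Note that the ISO 3166-1 alpha-2 code for the
# United Kingdom is GB; 'UK' is kept here as the author gave it.
countryName = UK

organizationName = OpenSSL Group
# Take CN from environment so it can come from a script. When CN is unset
# in the environment the global CN ("Not Defined") is used instead.
commonName = $ENV::CN
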
[ usr_rsa_cert ]

# These extensions are added when 'ca' signs a request for a normal end-entity
# certificate with key usage restrictions compatible with RSA keys.
# No extendedKeyUsage is set, so beyond keyUsage the certificate's purpose is
# not further restricted (compare codesign_cert, which adds an EKU).

basicConstraints = CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# The following SKID and AKID settings are now applied by default in all
# certificates, so they no longer need to be listed here.
# See doc/man5/x509v3_config.pod for details.

# subjectKeyIdentifier   = hash
# authorityKeyIdentifier = keyid, issuer

[ signer_cert ]

# These extensions are added when 'ca' signs a request for an end-entity
# certificate that is only used for signing: digitalSignature alone, with no
# encipherment or key agreement. No extendedKeyUsage is set, so the signing
# purpose is not narrowed further (compare codesign_cert).

basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature

[ dh_cert ]

# These extensions are added when 'ca' signs a request for an end-entity
# DH certificate, for which only key agreement makes sense.
# digitalSignature is deliberately absent: the key cannot sign.

basicConstraints = CA:FALSE
keyUsage = critical, keyAgreement

[ kem_cert ]

# These extensions are added when 'ca' signs a request for an end-entity
# KEM certificate, for which only key encipherment makes sense.
# digitalSignature is deliberately absent: the key cannot sign.

basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment

[ codesign_cert ]

# These extensions are added when 'ca' signs a request for a code-signing
# end-entity certificate compatible with RSA and ECC keys.
# Unlike signer_cert, the purpose is narrowed with an extendedKeyUsage of
# codeSigning (not marked critical here).

basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning

[ v3_ca ]

# Extensions for a typical CA as required by RFC 5280 etc.
# SKID and AKID are by default set according to PKIX recommendation.
# basicConstraints carries no pathlen, so a CA issued with these extensions
# may itself issue subordinate CAs; add pathlen:0 if it should only issue
# end-entity certificates.

basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
