# ------------------------------------------------------------------------------
# openssl.cnf
# ===========
#
# Project   Mini CA
# Scope     Native
# Copyright (C) 2025 by RaySoft, Zurich, Switzerland
# License   GNU General Public License (GPL) 2.0
#           https://www.gnu.org/licenses/gpl2.txt
#
# ------------------------------------------------------------------------------
# Fallback values for the ${ENV::...} references used further down. OpenSSL
# resolves ${ENV::name} from the process environment first and only falls back
# to these (empty) defaults when the variable is unset, so an unexported
# variable silently expands to "" rather than failing the command.
# NOTE(review): an empty ca_path makes every ${dir}/... path in [ CA_default ]
# resolve relative to the filesystem root (/certs, /private/ca.key.pem, ...);
# the caller (ca-tools.sh, per the trailer) should export all five variables
# before invoking openssl.
CA_CTRY=''
CA_LOC=''
CA_ORG=''
ca_path=''
cert_sans=''
# Entry point for `openssl ca`: names the section that holds the CA settings.
[ ca ]
default_ca                = CA_default
# CA operating parameters: directory layout, issuance defaults and the
# subject-name policy applied to every request.
[ CA_default ]
# Root of the CA tree; taken from the ca_path environment variable (see the
# defaults at the top of the file).
dir                       = ${ENV::ca_path}
certs                     = ${dir}/certs
new_certs_dir             = ${dir}/newcerts
# Mutable CA state (issued-certificate index, next serial, RNG seed file).
statusdir                 = ${dir}/status
database                  = ${statusdir}/index
serial                    = ${statusdir}/serial
# Seed file for older OpenSSL releases; newer releases ignore this key.
RANDFILE                  = ${statusdir}/rand
# CRL output and the counter used for its number; CRLs are valid for one year.
crldir                    = ${dir}/crl
crlnumber                 = ${crldir}/crlnumber
crl                       = ${crldir}/ca.crl.pem
default_crl_days          = 365
# CA certificate and private key. The private/ directory holds the signing
# key and should be readable by the CA operator only.
certificate               = ${dir}/certs/ca.cert.pem
private_key               = ${dir}/private/ca.key.pem
# Issuance defaults: one-year validity, SHA-256 signatures.
default_days              = 365
default_md                = sha256
# Extensions present in the CSR are carried into the certificate unless the
# extension section chosen at signing time (v3_ca / server_cert) already sets
# them; those sections win. Extensions not listed there pass through as
# requested, so CSRs from untrusted parties should be reviewed before signing.
copy_extensions           = copy
# Refuse to issue a second currently-valid certificate with the same subject
# DN; do not preserve the request's DN ordering (use the policy order).
unique_subject            = yes
preserve                  = no
# Subject-name policy section (below).
policy                    = policy
# Display options used when printing the certificate for confirmation.
name_opt                  = ca_default
cert_opt                  = ca_default
# Subject-name policy: "match" fields must equal the CA certificate's own
# value, "supplied" fields must be present in the request, "optional" fields
# are accepted if present. Requests from another country/locality/organization
# are therefore rejected at signing time.
[ policy ]
countryName               = match
stateOrProvinceName       = optional
localityName              = match
organizationName          = match
organizationalUnitName    = optional
commonName                = supplied
emailAddress              = optional
# Settings for `openssl req` (key + CSR generation, self-signed CA cert).
[ req ]
default_md                = sha256
# Generated private keys are written encrypted (passphrase prompted).
encrypt_key               = yes
# NOTE(review): preserve and copy_extensions are ca(1) options; req(1) does
# not document them, so they are most likely ignored in this section — confirm
# against the OpenSSL version in use, or drop them to avoid implying they act.
preserve                  = no
# Only UTF8String encoding for DN fields (no T61/BMP), and treat input as UTF-8.
string_mask               = utf8only
utf8                      = yes
distinguished_name        = req_distinguished_name
# No req_extensions / x509_extensions are set here, so a CSR carries no
# extensions unless they are added on the command line (e.g. -reqexts/-addext).
copy_extensions           = copy
# Prompt labels for the interactive DN dialogue of `openssl req`; the *_default
# keys pre-fill the answer from the environment (see the top of the file).
# Fields without a _default (state, OU, CN, email) are prompted with no preset;
# commonName is required by [ policy ], the others are optional there.
[ req_distinguished_name ]
countryName               = Country Name (2 letter code)
stateOrProvinceName       = State or Province Name
localityName              = Locality Name
organizationName          = Organization Name
organizationalUnitName    = Organizational Unit Name
commonName                = Common Name
emailAddress              = Email Address
# Defaults come from the CA_* environment variables; an unset variable yields
# an empty default, so the operator is prompted without a preset value.
countryName_default       = ${ENV::CA_CTRY}
localityName_default      = ${ENV::CA_LOC}
organizationName_default  = ${ENV::CA_ORG}
# Extensions for the CA certificate itself (selected with -extensions v3_ca).
[ v3_ca ]
# Marks the certificate as a CA; critical so relying parties must honour it.
basicConstraints          = critical, CA:true
# The CA key may sign certificates and CRLs (plus plain digital signatures);
# keyEncipherment is deliberately absent, so this key cannot serve TLS.
keyUsage                  = critical, digitalSignature, cRLSign, keyCertSign
# Key identifiers used for chain building: SKI from the public-key hash, AKI
# always carrying both the issuer key id and the issuer name/serial.
subjectKeyIdentifier      = hash
authorityKeyIdentifier    = keyid:always, issuer:always
# Extensions for end-entity TLS server certificates (-extensions server_cert).
# Every extension set here overrides the same extension in the CSR because
# [ CA_default ] uses copy_extensions = copy.
[ server_cert ]
# Not a CA: issued certificates cannot sign further certificates.
basicConstraints          = critical, CA:FALSE
# NOTE(review): keyEncipherment only matters for RSA key exchange; for ECDSA
# keys digitalSignature alone is what TLS uses — confirm the intended key type.
keyUsage                  = critical, digitalSignature, keyEncipherment
# Restrict use to TLS server authentication (no clientAuth, code signing, ...).
extendedKeyUsage          = critical, serverAuth
subjectKeyIdentifier      = hash
authorityKeyIdentifier    = keyid:always, issuer:always
# SAN list is taken from the cert_sans environment variable (e.g. a
# comma-separated "DNS:..." list), overriding any SAN in the request, so the
# caller controls which names are certified. An empty cert_sans presumably
# makes `openssl ca` reject the empty subjectAltName value — verify in ca-tools.sh.
subjectAltName            = ${ENV::cert_sans}
# ------------------------------------------------------------------------------
Usage
See ca-tools.sh