2 # OpenSSL example configuration file for automated certificate creation.
5 # Comment out the next line to ignore configuration errors
8 # This definition stops the following lines choking if HOME or CN
14 ####################################################################
18 default_keyfile = privkey.pem
19 # Don't prompt for fields: use those in section directly
21 distinguished_name = req_distinguished_name
22 x509_extensions = v3_ca # The extensions to add to the self signed cert
23 string_mask = utf8only
25 # req_extensions = v3_req # The extensions to add to a certificate request
27 [ req_distinguished_name ]
30 organizationName = OpenSSL Group
31 # Take CN from environment so it can come from a script.
36 # These extensions are added when 'ca' signs a request for a normal end-entity
37 # certificate with key usage restrictions compatible with RSA keys
39 basicConstraints = CA:FALSE
40 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
42 # Following SKID and AKID settings are meanwhile by default in all certificates.
43 # See doc/man5/x509v3_config.pod for details.
45 # subjectKeyIdentifier = hash
46 # authorityKeyIdentifier = keyid, issuer
50 basicConstraints = CA:FALSE
51 keyUsage = critical, digitalSignature
55 # These extensions are added when 'ca' signs a request for an end-entity
56 # DH certificate, for which only key agreement makes sense
58 basicConstraints = CA:FALSE
59 keyUsage = critical, keyAgreement
63 # These extensions are added when 'ca' signs a request for a code-signing
64 # end-entity certificate compatible with RSA and ECC keys
66 basicConstraints = CA:FALSE
67 keyUsage = critical, digitalSignature
68 extendedKeyUsage = codeSigning
72 # Extensions for a typical CA as required by RFC 5280 etc.
73 # SKID and AKID are by default set according to PKIX recommendation.
75 basicConstraints = critical, CA:true
76 keyUsage = critical, cRLSign, keyCertSign