# # OpenSSL example configuration file for automated certificate creation. # # This definition stops the following lines choking if HOME or CN # is undefined. HOME = . RANDFILE = $ENV::HOME/.rnd CN = "Not Defined" default_ca = ca #################################################################### [ req ] default_bits = 1024 default_keyfile = privkey.pem # Don't prompt for fields: use those in section directly prompt = no distinguished_name = req_distinguished_name x509_extensions = v3_ca # The extensions to add to the self signed cert string_mask = utf8only # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = UK organizationName = OpenSSL Group # Take CN from environment so it can come from a script. commonName = $ENV::CN [ usr_cert ] # These extensions are added when 'ca' signs a request for an end entity # certificate basicConstraints=critical, CA:FALSE keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid # OCSP responder certificate [ ocsp_cert ] basicConstraints=critical, CA:FALSE keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid extendedKeyUsage=OCSPSigning [ dh_cert ] # These extensions are added when 'ca' signs a request for an end entity # DH certificate basicConstraints=critical, CA:FALSE keyUsage=critical, keyAgreement # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always basicConstraints = critical,CA:true keyUsage = critical, cRLSign, keyCertSign # Minimal CA entry to allow generation of CRLs. [ca] database=index.txt crlnumber=crlnum.txt