
iOS13 compatible cert

a guest
Oct 5th, 2020
  # Defaults for `openssl req`: key generation, digest, and the sections that
  # supply the subject DN and the certificate/request extensions.
  [req]
  # Take the subject from the "subject" section without prompting; UTF-8 strings only.
  prompt = no
  distinguished_name = subject
  string_mask = utf8only

  # 2048-bit key, SHA-256 signature digest.
  default_bits = 2048
  default_md = sha256

  # The private key is written to this file WITHOUT a passphrase
  # (encrypt_key = no), so file permissions are its only protection. Keep it
  # readable by the service account alone and out of backups and version control.
  default_keyfile = server-selfsigned-CA.key
  encrypt_key = no

  # NOTE(review): `openssl req -x509` takes the validity period from -days
  # (30 days when omitted); default_days is an `openssl ca` setting. Pass
  # -days 825 on the command line to get the lifetime intended here.
  default_days = 825

  # req_ext is applied to signing requests, x509_ext to self-signed certificates.
  req_extensions = req_ext
  x509_extensions = x509_ext

  # The Subject DN can be formed using X.501 or RFC 4514 names (see RFC 4519 for
  # a description). It's sort of a mashup; for example, RFC 4514 does not provide
  # emailAddress. Short attribute names are used below, and the entries stay in
  # their original order because that order becomes the order of the DN.
  [subject]
  OU = Selfhosted Inc.
  C = CA
  ST = Ontario
  L = Toronto
  O = Selfhosted Inc.

  # Use a friendly name here because it's presented to the user. The server's DNS
  # names are placed in Subject Alternative Names. Plus, putting DNS names here is
  # deprecated by both the IETF and the CA/Browser Forum. If you place a DNS name
  # here, then you must include the DNS name in the SAN too (otherwise, Chrome and
  # others that strictly follow the CA/Browser Baseline Requirements will fail).
  CN = server.lan
  emailAddress = me@email.com

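  # Section x509_ext is used when generating a self-signed certificate,
  # i.e. openssl req -x509 ...
  [ x509_ext ]
  subjectKeyIdentifier = hash
  # Earlier variant, kept for reference:
  # authorityKeyIdentifier = keyid,issuer
  authorityKeyIdentifier = keyid:always,issuer

  # CA:TRUE together with keyCertSign/cRLSign makes this one certificate both a
  # trust anchor and the server's own certificate. Its key is stored unencrypted
  # (encrypt_key = no in [ req ]), so whoever copies that file can sign
  # certificates that devices trusting this root will accept. Where that matters,
  # keep a separate CA key offline and issue the server a CA:FALSE certificate.
  basicConstraints = critical, CA:TRUE

  # For the TLS server role you only need digitalSignature. *If* you don't allow
  # RSA key transport (i.e., you use ephemeral cipher suites), then omit
  # keyEncipherment because that's key transport. cRLSign and keyCertSign are
  # here only because of CA:TRUE above.
  keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign

  # An IP address belongs in an IP: entry. Clients that follow the standard
  # matching rules compare a literal address against iPAddress names only, so an
  # address listed as DNS: is not matched when connecting by IP.
  subjectAltName = DNS:server.lan, IP:192.168.0.99

  # nsComment = "OpenSSL Generated Certificate"

  # RFC 5280, Section 4.2.1.12 makes EKU optional
  # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
  # In either case, you probably only need serverAuth.
  # extendedKeyUsage = serverAuth, clientAuth
  #
  # serverAuth is the short name of "TLS Web Server Authentication". The key is
  # set once here: a repeated key in one section leaves only a single value in
  # effect, which hides what is actually applied.
  extendedKeyUsage = serverAuth
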
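  # Section req_ext is used when generating a certificate signing request,
  # i.e. openssl req ...
  # NOTE(review): these are requested extensions; whether they end up in the
  # issued certificate depends on the signer's policy — confirm on the CA side.
  [ req_ext ]
  subjectKeyIdentifier = hash

  basicConstraints = CA:FALSE
  keyUsage = digitalSignature, keyEncipherment

  # An IP address belongs in an IP: entry. Clients that follow the standard
  # matching rules compare a literal address against iPAddress names only, so an
  # address listed as DNS: is not matched when connecting by IP.
  subjectAltName = DNS:server.lan, IP:192.168.0.99

  nsComment = "OpenSSL Generated Certificate"

  # RFC 5280, Section 4.2.1.12 makes EKU optional
  # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
  # In either case, you probably only need serverAuth.
  # extendedKeyUsage = serverAuth, clientAuth

  # Optional template: list the names in their own section and reference it with
  # subjectAltName = @alternate_names instead of the inline list above.
  # [ alternate_names ]
  # DNS.1 = example.com
  # DNS.2 = www.example.com
  # DNS.3 = mail.example.com
  # DNS.4 = ftp.example.com

  # Add these if you need them. But usually you don't want them or
  # need them in production. You may need them for development.
  # DNS.5 = localhost
  # DNS.6 = localhost.localdomain
  # Loopback addresses are IP entries, not DNS entries.
  # IP.1 = 127.0.0.1

  # IPv6 localhost
  # IP.2 = ::1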