openssl.cnf

Sep 2nd, 2020 (edited)
126
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.68 KB | None | 0 0
  1. # OpenSSL intermediate CA configuration file.
  2. # Copy to `/root/ca/intermediate/intermediate-L2/openssl.cnf`.
  3.  
  4. [ ca ]
  5. # `man ca`
  6. default_ca = CA_default
  7.  
  8. [ CA_default ]
  9. # Directory and file locations.
  10. #dir = /root/ca/intermediate/intermediate-L2
  11. dir = ./intermediate/intermediate-L2
  12. certs = $dir/certs
  13. crl_dir = $dir/crl
  14. new_certs_dir = $dir/newcerts
  15. database = $dir/index.txt
  16. serial = $dir/serial
  17. RANDFILE = $dir/private/.rand
  18.  
  19. # The root key and root certificate.
  20. private_key = $dir/private/intermediate-L2.key.pem
  21. certificate = $dir/certs/intermediate-L2.cert.pem
  22.  
  23. # For certificate revocation lists.
  24. crlnumber = $dir/crlnumber
  25. crl = $dir/crl/intermediate.crl.pem
  26. crl_extensions = crl_ext
  27. default_crl_days = 30
  28.  
  29. # SHA-1 is deprecated, so use SHA-2 instead.
  30. default_md = sha256
  31.  
  32. name_opt = ca_default
  33. cert_opt = ca_default
  34. default_days = 375
  35. preserve = no
  36. policy = policy_loose
  37.  
  38. [ policy_strict ]
  39. # The root CA should only sign intermediate certificates that match.
  40. # See the POLICY FORMAT section of `man ca`.
  41. countryName = match
  42. stateOrProvinceName = match
  43. organizationName = match
  44. organizationalUnitName = optional
  45. commonName = supplied
  46. emailAddress = optional
  47.  
  48. [ policy_loose ]
  49. # Allow the intermediate CA to sign a more diverse range of certificates.
  50. # See the POLICY FORMAT section of the `ca` man page.
  51. countryName = optional
  52. stateOrProvinceName = optional
  53. localityName = optional
  54. organizationName = optional
  55. organizationalUnitName = optional
  56. commonName = supplied
  57. emailAddress = optional
  58.  
  59. [ req ]
  60. #req_extensions = req_ext
  61. # Options for the `req` tool (`man req`).
  62. default_bits = 2048
  63. distinguished_name = req_distinguished_name
  64. string_mask = utf8only
  65.  
  66. # SHA-1 is deprecated, so use SHA-2 instead.
  67. default_md = sha256
  68.  
  69. # Extension to add when the -x509 option is used.
  70. x509_extensions = v3_ca
  71.  
  72. #[ req_ext ]
  73. #subjectAltName = @alt_names
  74. #[alt_names]
  75. #DNS.1 = bestflare.com
  76. #DNS.2 = usefulread.com
  77. #DNS.3 = chandank.com
  78.  
  79. [ req_distinguished_name ]
  80. # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
  81. countryName = Country Name (2 letter code)
  82. stateOrProvinceName = State or Province Name
  83. localityName = Locality Name
  84. 0.organizationName = Organization Name
  85. organizationalUnitName = Organizational Unit Name
  86. commonName = Common Name
  87. emailAddress = Email Address
  88.  
  89. # Optionally, specify some defaults.
  90. countryName_default = GB
  91. stateOrProvinceName_default = England
  92. localityName_default =
  93. 0.organizationName_default = Alice Ltd
  94. organizationalUnitName_default =
  95. emailAddress_default =
  96.  
  97. [ v3_ca ]
  98. # Extensions for a typical CA (`man x509v3_config`).
  99. subjectKeyIdentifier = hash
  100. authorityKeyIdentifier = keyid:always,issuer
  101. basicConstraints = critical, CA:true
  102. keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  103.  
  104. [ v3_intermediate_ca ]
  105. # Extensions for a typical intermediate CA (`man x509v3_config`).
  106. subjectKeyIdentifier = hash
  107. authorityKeyIdentifier = keyid:always,issuer
  108. basicConstraints = critical, CA:true, pathlen:0
  109. keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  110.  
  111. [ usr_cert ]
  112. # Extensions for client certificates (`man x509v3_config`).
  113. basicConstraints = CA:FALSE
  114. nsCertType = client, email
  115. nsComment = "OpenSSL Generated Client Certificate"
  116. subjectKeyIdentifier = hash
  117. authorityKeyIdentifier = keyid,issuer
  118. keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
  119. extendedKeyUsage = clientAuth, emailProtection
  120.  
  121. [ server_cert ]
  122. # Extensions for server certificates (`man x509v3_config`).
  123. basicConstraints = CA:FALSE
  124. nsCertType = server, client
  125. nsComment = "OpenSSL Generated Server Certificate"
  126. subjectKeyIdentifier = hash
  127. authorityKeyIdentifier = keyid,issuer:always
  128. keyUsage = critical, digitalSignature, keyEncipherment
  129. extendedKeyUsage = serverAuth, clientAuth
  130. subjectAltName = @alt_names
  131. [ alt_names ]
  132. DNS.1 = thantzin.com
  133. #DNS.2 = iemployee.nex4.net
  134. #DNS.3 = nex4.blog.com
  135.  
  136. [ crl_ext ]
  137. # Extension for CRLs (`man x509v3_config`).
  138. authorityKeyIdentifier=keyid:always
  139.  
  140. [ ocsp ]
  141. # Extension for OCSP signing certificates (`man ocsp`).
  142. basicConstraints = CA:FALSE
  143. subjectKeyIdentifier = hash
  144. authorityKeyIdentifier = keyid,issuer
  145. keyUsage = critical, digitalSignature
  146. extendedKeyUsage = critical, OCSPSigning
  147.  