root-config.txt

Sep 28th, 2020 (edited)
# OpenSSL root CA configuration file.
# Copy to `/root/ca/openssl.cnf`.
# `openssl ca` starts from [ ca ]; `openssl req` starts from [ req ].
# Section and key names follow the OpenSSL config dialect (`man config`):
# `$name` expands a key defined earlier in the same section.

[ ca ]
# `man ca`
# Name of the section that holds the CA's paths, defaults and policy.
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
# NOTE(review): `dir` is relative, so it resolves against the current
# working directory of the `openssl ca` invocation, not against the
# location of this file (the header expects it under /root/ca). Run from
# the parent of ./ca, or make this an absolute path.
dir = ./ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
# Text index of every certificate issued; the file must exist (empty is fine).
database = $dir/index.txt
# Next serial number (hex) in a file; must exist before the first signing.
serial = $dir/serial
RANDFILE = $dir/private/.rand

# The root key and root certificate.
# The private key file should be readable only by the CA operator.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
# Lifetime of each CRL; a new CRL has to be published before this elapses.
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Display options used when printing the certificate for confirmation.
name_opt = ca_default
cert_opt = ca_default
# Validity of issued certificates when no -days is given on the command line.
default_days = 375
# no: the issued subject DN is re-ordered to the policy section's field order.
preserve = no
# Subject-name constraints checked against every request; see [ policy_strict ].
policy = policy_strict
# `copy_extensions` is deliberately absent: extensions carried in a CSR are
# ignored, and only those from the -extensions section are added.

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
# match    - field must be present and equal to the value in the CA certificate
# supplied - field must be present in the request
# optional - field may be present; fields not listed here at all are dropped
#            from the issued certificate unless preserve/-preserveDN is set
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
# Not selected by `policy =` in this file (the root uses policy_strict);
# presumably kept so the intermediate CA's config can reference it.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
# Key size used only when `req` generates the key itself; a key created
# beforehand with genrsa/genpkey is unaffected. A long-lived root is
# commonly given a larger key than this.
default_bits = 2048
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only (no PrintableString/T61String variants).
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Each key is a DN field; its value is the prompt text. The order here is
# the prompt order and the order of the fields in the resulting DN.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
# The `0.` prefix allows the same field to be listed more than once; here
# it is used for a single organizationName entry.
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
# An empty `_default` value means no default is offered at the prompt.
# Under policy_strict, intermediate requests must use the same country,
# state and organization as the root certificate.
countryName_default = MM
stateOrProvinceName_default = Yangon
localityName_default =
0.organizationName_default = NEX4 Ltd
organizationalUnitName_default =
emailAddress_default = thantzin@nex4.net

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
# For a self-signed root the AKI key id is the root's own SKI.
authorityKeyIdentifier = keyid:always,issuer
# No pathlen, so this root may sign intermediate CAs at any depth.
basicConstraints = critical, CA:true
# The root key is limited to signing certificates and CRLs.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 - the intermediate may issue end-entity certificates only;
# any CA certificate it signs fails path validation.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions; modern clients
# ignore them and rely on keyUsage / extendedKeyUsage instead.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# nonRepudiation is the older name for contentCommitment (RFC 5280).
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# NOTE(review): no subjectAltName is set, and [ CA_default ] does not
# enable copy_extensions, so certificates issued with this section carry
# no SAN. Modern TLS clients ignore the CN for hostname matching and will
# reject such a certificate; add `subjectAltName = ...` per certificate
# (or an @alt_names section) before issuing server certificates.
basicConstraints = CA:FALSE
# Legacy Netscape extensions, ignored by modern clients.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
# `issuer:always` also embeds the issuer DN and serial in the AKI;
# [ usr_cert ] uses the keyid-only form, which is the other common choice.
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

  122. [ crl_ext ]
  123. # Extension for CRLs (`man x509v3_config`).
  124. authorityKeyIdentifier=keyid:always
  125.  
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# A delegated responder certificate must be issued by the same CA whose
# certificates it gives status for.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
# Marked critical so the certificate cannot be used for any other purpose.
# id-pkix-ocsp-nocheck is not set, so clients will try to check the
# responder certificate's own revocation status.
extendedKeyUsage = critical, OCSPSigning