Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # OpenSSL Server Default configuration file
- # Copy to /root/ca/intermediary/openssl_server.cnf
- # https://community.f5.com/t5/technical-articles/building-an-openssl-certificate-authority-creating-ecc/ta-p/279468
- # Missing openssl_server.cnf from the community.f5.com article about Building an OpenSSL Certificate Authority - Creating ECC Certificates
- [ ca ]
- default_ca = CA_default
- [ CA_default ]
- # Directory and file locations.
- dir = /root/ca/intermediate
- certs = $dir/certs
- crl_dir = $dir/crl
- new_certs_dir = $dir/certs
- database = $dir/index.txt
- serial = $dir/serial
- RANDFILE = $dir/private/.rand
- # The root key and root certificate.
- private_key = $dir/private/int.cheese.key.pem
- certificate = $dir/certs/int.cheese.crt.pem
- # For certificate revocation lists.
- crlnumber = $dir/crlnumber
- crl = $dir/crl/whomovedmycheese.crl
- crl_extensions = crl_ext
- default_crl_days = 180
- # SHA-1 is deprecated, so use SHA-2 or SHA-3 instead.
- default_md = sha384
- name_opt = ca_default
- cert_opt = ca_default
- default_days = 3000
- preserve = no
- policy = policy_loose
- [ policy_loose ]
- # Allow the intermediate CA to sign a more diverse range of certificates.
- # See the POLICY FORMAT section of the `ca` man page.
- countryName = optional
- stateOrProvinceName = optional
- localityName = optional
- organizationName = optional
- organizationalUnitName = optional
- commonName = supplied
- emailAddress = optional
- [ req ]
- # Options for the `req` tool (`man req`).
- default_bits = 2048
- distinguished_name = req_distinguished_name
- string_mask = utf8only
- # SHA-1 is deprecated, so use SHA-2 or SHA-3 instead.
- default_md = sha384
- # Extension to add when the -x509 option is used.
- x509_extensions = v3_ca
- [ req_distinguished_name ]
- countryName = Country Name (2 letter code)
- stateOrProvinceName = State or Province Name
- localityName = Locality Name
- 0.organizationName = Organization Name
- organizationalUnitName = Organizational Unit Name
- commonName = Common Name
- emailAddress = Email Address
- # Optionally, specify some defaults.
- countryName_default = US
- stateOrProvinceName_default = WA
- localityName_default = Seattle
- 0.organizationName_default = Grilled Cheese Inc.
- organizationalUnitName_default = Grilled Cheese Intermediary CA
- emailAddress_default = grilledcheese@yummyinmytummy.us
- [ v3_ca ]
- # Extensions for a typical CA (`man x509v3_config`).
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always,issuer
- basicConstraints = critical, CA:true
- keyUsage = critical, digitalSignature, cRLSign, keyCertSign
- [ v3_intermediate_ca ]
- # Extensions for a typical intermediate CA (`man x509v3_config`).
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always,issuer
- basicConstraints = critical, CA:true, pathlen:0
- keyUsage = critical, digitalSignature, cRLSign, keyCertSign
- crlDistributionPoints = @crl_info
- authorityInfoAccess = @ocsp_info
- [ usr_cert ]
- # Extensions for client certificates (`man x509v3_config`).
- basicConstraints = CA:FALSE
- nsCertType = client, email
- nsComment = "OpenSSL Generated Client Certificate"
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid,issuer
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
- extendedKeyUsage = clientAuth, emailProtection
- [ server_cert ]
- # Extensions for server certificates (`man x509v3_config`).
- basicConstraints = CA:FALSE
- nsCertType = server
- nsComment = "Grilled Cheese Generated Server Certificate"
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid,issuer:always
- keyUsage = critical, digitalSignature, keyEncipherment
- extendedKeyUsage = serverAuth
- crlDistributionPoints = @crl_info
- authorityInfoAccess = @ocsp_info
- subjectAltName = @alt_names
- [alt_names]
- DNS.0 = CN Name Here
- DNS.1 = Whatever else here
- [ crl_ext ]
- # Extension for CRLs (`man x509v3_config`).
- authorityKeyIdentifier=keyid:always
- [ ocsp ]
- # Extension for OCSP signing certificates (`man ocsp`).
- basicConstraints = CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid,issuer
- keyUsage = critical, digitalSignature
- extendedKeyUsage = critical, OCSPSigning
- [crl_info]
- URI.0 = http://crl.grilledcheese.us/whomovedmycheese.crl
- [ocsp_info]
- caIssuers;URI.0 = http://ocsp.grilledcheese.us/cheddarcheeseroot.crt
- OCSP;URI.0 = http://ocsp.grilledcheese.us/
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement