  1. # OpenSSL intermediate CA configuration file.
# Copy to `<dir>/openssl.cnf`, where <dir> is the directory set by `dir` in
# [CA_default] below (/root/certCA/ca/intermediate in this file, not
# /root/ca/cert-archive/intermediate); the two must agree or `openssl ca`
# will look for its database, serial and private key in the wrong tree.
  3.  
  4. [ ca ]
  5. # `man ca`
  6. default_ca = CA_default
  7.  
  8. [ CA_default ]
  9. # Directory and file locations.
  10. dir               = /root/certCA/ca/intermediate
  11. certs             = $dir/certs
  12. crl_dir           = $dir/crl
  13. new_certs_dir     = $dir/newcerts
  14. database          = $dir/index.txt
  15. serial            = $dir/serial
  16. RANDFILE          = $dir/private/.rand
  17.  
  18. # The root key and root certificate.
  19. private_key       = $dir/private/intermediate.key.pem
  20. certificate       = $dir/certs/intermediate.cert.pem
  21.  
  22. # For certificate revocation lists.
  23. crlnumber         = $dir/crlnumber
  24. crl               = $dir/crl/intermediate.crl.pem
  25. crl_extensions    = crl_ext
  26. default_crl_days  = 3652
  27.  
  28. # SHA-1 is deprecated, so use SHA-2 instead.
  29. default_md        = sha256
  30.  
  31. name_opt          = ca_default
  32. cert_opt          = ca_default
  33. default_days      = 7300
  34. preserve          = no
  35. policy            = policy_loose
  36.  
[ policy_strict ]
# Strict DN policy inherited from the root CA's configuration: the subject's
# C, ST and O must match the issuing CA's certificate. Not used by default in
# this file (`policy = policy_loose` in [CA_default]); select it with
# `-policy policy_strict`. Entry order is the order of the issued subject DN.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
  46.  
  47. [ policy_loose ]
  48. # Allow the intermediate CA to sign a more diverse range of certificates.
  49. # See the POLICY FORMAT section of the `ca` man page.
  50. countryName             = optional
  51. stateOrProvinceName     = optional
  52. localityName            = optional
  53. organizationName        = optional
  54. organizationalUnitName  = optional
  55. commonName              = supplied
  56. emailAddress            = optional
  57. subjectAltName          = optional
  58.  
  59. [ req ]
  60. distinguished_name = req_distinguished_name
  61. x509_extensions     = server_cert
  62. req_extensions      = v3_req
  63.  
  64. [ v3_req ]
  65. # Extensions for a certificate request (`man x509v3_config`).
  66. subjectAltName = @alt_names
  67.  
[ req_distinguished_name ]
# Prompts (and defaults) for the subject DN when running `openssl req`.
# Field order here is the order of the prompts and of the resulting DN.
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName              = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults. These are placeholders (NOTEXIST,
# SOMEWHERE, not@exist.us); replace them with real values before use.
# There is no commonName_default, so the CN is asked for on every request.
# NOTE(review): TLS clients generally match the host against subjectAltName
# ([v3_req] / [alt_names]) rather than the CN, so the CN alone is not enough.
countryName_default             = US
stateOrProvinceName_default     = NOTEXIST
localityName_default            = SOMEWHERE
0.organizationName_default      = Example Co.
organizationalUnitName_default  = IT
emailAddress_default            = not@exist.us
  85.  
  86. [ v3_ca ]
  87. # Extensions for a typical CA (`man x509v3_config`).
  88. subjectKeyIdentifier = hash
  89. authorityKeyIdentifier = keyid:always,issuer
  90. basicConstraints = critical, CA:true, pathlen:4
  91. keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  92. subjectAltName = @alt_names
  93.  
  94. [ v3_intermediate_ca ]
  95. # Extensions for a typical intermediate CA (`man x509v3_config`).
  96. subjectKeyIdentifier = hash
  97. authorityKeyIdentifier = keyid:always,issuer
  98. basicConstraints = critical, CA:true, pathlen:1
  99. keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  100. subjectAltName = @alt_names
  101.  
  102. [ usr_cert ]
  103. # Extensions for client certificates (`man x509v3_config`).
  104. basicConstraints = CA:FALSE
  105. nsCertType = client
  106. nsComment = "OpenSSL Generated Client Certificate"
  107. subjectKeyIdentifier = hash
  108. authorityKeyIdentifier = keyid,issuer:always
  109. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  110. extendedKeyUsage = clientAuth
  111.  
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`); select with
# `-extensions server_cert`.
basicConstraints = CA:FALSE
# Legacy Netscape extensions; largely ignored by modern software but harmless.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# NOTE(review): this pins every certificate signed with this section to the
# single host listed in [alt_names], whatever the CSR asked for. To issue for
# other hosts, delete this line and set `copy_extensions = copy` in
# [CA_default] so the SAN is taken from the CSR's v3_req instead.
subjectAltName = @alt_names
  122.  
[ alt_names ]
# Subject Alternative Names referenced by v3_req, v3_ca, v3_intermediate_ca
# and server_cert. This is one host's identity hard-coded into the CA
# configuration: every certificate issued with a section that references
# @alt_names receives exactly these names, regardless of the CSR.
IP.1 = 10.10.60.1
DNS.1 = appajava.server1.test.int.local
DNS.2 = server1.test.int.local
  127.  
  128. [ crl_ext ]
  129. # Extension for CRLs (`man x509v3_config`).
  130. authorityKeyIdentifier=keyid:always