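# OpenSSL configuration for the testbed CA.
# The [ req ] sections are read by `openssl req`, the [ ca ] sections by
# `openssl ca`; `$ENV::NAME` references are expanded by OpenSSL itself.
#
# Note: for this file to be working, an environment var CA_ROOT_DIR = directory
# must be defined and pointing to the CA top-level directory.

HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]

####################################################################
[ req ]
# RSA key size for new requests. 1024-bit RSA is below current minimums
# and is refused at the default security level of modern OpenSSL builds,
# so 2048 is the smallest value that still works everywhere.
default_bits = 2048
# default_keyfile = privkey.pem
string_mask = utf8only
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req # overwrite with -reqexts
x509_extensions = ca_cert # overwrite with -extensions; used for self-signed keys only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Tokyo
localityName = Locality Name (eg, city)
localityName_default = Koganei
0.organizationName = Organization Name (eg, company)
0.organizationName_default = WIDE
1.organizationName = Second Organization Name (eg, company)
1.organizationName_default = NICT
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = AAA WG testbed

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 0
challengePassword_max = 20
unstructuredName = An optional company name

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_req_ca ]
# Extensions to add to a certificate request for CA
basicConstraints = CA:TRUE

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]
dir = $ENV::CA_ROOT_DIR # Where everything is kept
certs = $dir/public # Where the issued certs are kept
crl_dir = $dir/public # Where the issued crl are kept
database = $dir/index.txt # database index file.
# Set to 'no' to allow creation of several certificates with same subject.
#unique_subject = no
new_certs_dir = $dir/public # default place for new certs.
certificate = $dir/public/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/public/local.pem # The current CRL
# The CA signing key; keep this directory unreadable to anyone but the CA
# operator, since whoever reads it can issue certificates for this CA.
private_key = $dir/private/cakey.pem # The private key
x509_extensions = usr_cert # The extensions to add to the cert; overwrite with -extensions
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days = 365 # how long before next CRL
# Signature digest. SHA-1 signatures are no longer accepted by current
# browsers, TLS stacks and OpenSSL's default security level; use SHA-256.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# We accept to sign anything, but a real deployment would limit to proper domain etc...
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ usr_cert ]
basicConstraints = CA:FALSE
# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ ca_cert ]
# Extensions for a typical CA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true # Remove "critical," in case of problems
keyUsage = cRLSign, keyCertSign
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always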