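# root-ca-openssl.conf -- OpenSSL configuration for a dummy (test-only) Root CA
# and the administrator client certificate it issues.  Read by `openssl req`
# and `openssl ca` through OPENSSL_CONF, as in the bootstrap steps below.
# All paths are relative to the working directory ($dir = .).
#
# Bootstrap sequence (run from the CA directory):
# mkdir -p {certreqs,certs,crl,newcerts,private}
# touch root-ca.index
# echo 00 > root-ca.crlnum
# openssl rand -hex 20 > root-ca.serial
# Root key + self-signed certificate.  -nodes writes the key unencrypted and
# overrides encrypt_key = yes in [ req ].
# OPENSSL_CONF=./root-ca-openssl.conf openssl req -new -sha512 -nodes -out certreqs/root-ca.req.pem
# OPENSSL_CONF=./root-ca-openssl.conf openssl ca -selfsign -in certreqs/root-ca.req.pem -out certs/root-ca.cert.pem -extensions root-ca_ext
# Admin key + certificate.  NOTE: openssl req reads [ req ] unless told
# otherwise, so as written this command prompts with the Root CA's DN defaults;
# the [ admin-cert_req ] section below is only used when -section admin-cert_req
# (OpenSSL 3.0+) is added.  -newkey/-keyout/-reqexts override the [ req ] values.
# OPENSSL_CONF=./root-ca-openssl.conf openssl req -new -sha512 -nodes -newkey rsa:2048 -keyout private/admin.key.pem -out certreqs/admin.req.pem -reqexts admin-cert_req_ext
# OPENSSL_CONF=./root-ca-openssl.conf openssl ca -days 7300 -in certreqs/admin.req.pem -out certs/admin.cert.pem -extensions admin-cert_ext
# openssl pkcs12 -export -out private/admin.p12 -inkey private/admin.key.pem -in certs/admin.cert.pem -name "czertainly-admin"
# password: 00000000
# (presumably the export password entered at the pkcs12 -export prompt; the
# private keys themselves are unencrypted because of -nodes)

# Entry point for `openssl ca`: which section holds the CA settings.
[ ca ]
default_ca = root_ca

# CA database, key/cert locations and signing defaults.
[ root_ca ]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
serial = $dir/root-ca.serial
database = $dir/root-ca.index
# NOTE(review): `keys` is not an option openssl ca reads and is ignored; the
# signing key is taken from private_key below.
keys = $dir/keys
certificate = $dir/certs/root-ca.cert.pem
private_key = $dir/private/root-ca.key.pem
crl = $dir/root-ca.crl
crlnumber = $dir/root-ca.crlnum
crl_extensions = crl_ext
# CRL validity in days.
default_crl_days = 180
# Certificate validity in days when -days is not given: 25 years.
default_days = 9125
name_opt = multiline, align
cert_opt = no_pubkey
# Extensions present in the CSR are copied into the certificate.  The
# -extensions sections below set basicConstraints, keyUsage (and
# extendedKeyUsage for the admin cert) themselves, and config values take
# precedence over the request, so a CSR cannot change those; any other CSR
# extension (e.g. subjectAltName) is copied as supplied.
copy_extensions = copy
default_md = sha512
preserve = no
email_in_dn = no
policy = policy
# Allow several certificates with the same subject (test convenience).
unique_subject = no

# DN policy: only commonName is required; DN attributes not listed here are
# dropped from the issued certificate (preserve = no above).
[ policy ]
commonName = supplied

# Defaults for `openssl req` (used for the Root CA key and CSR).
[ req ]
dir = .
default_bits = 4096
default_keyfile = $dir/private/root-ca.key.pem
# Overridden by -nodes in the documented commands (key written unencrypted).
encrypt_key = yes
default_md = sha512
string_mask = utf8only
utf8 = yes
req_extensions = root-ca_req_ext
distinguished_name = distinguished_name

# Extensions placed in the Root CA CSR.
[ root-ca_req_ext ]
subjectKeyIdentifier = hash

# Prompt text and default for the Root CA subject.
[ distinguished_name ]
commonName = Common Name (identification of the Root CA)
commonName_default = CZERTAINLY Dummy Root CA

# Extensions for the self-signed Root CA certificate (openssl ca -extensions root-ca_ext).
[ root-ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
certificatePolicies = @root_policy

# anyPolicy (2.5.29.32.0) with a user notice.
[ root_policy ]
policyIdentifier = 2.5.29.32.0
userNotice.1 = @root_policy_notice

[ root_policy_notice ]
explicitText = "UTF8:This is a dummy Root CA for testing purposes"

# `openssl req` settings for the administrator CSR; selected with
# -section admin-cert_req (OpenSSL 3.0+), otherwise [ req ] is used.
[ admin-cert_req ]
dir = .
default_bits = 2048
default_keyfile = $dir/private/admin.key.pem
# Overridden by -nodes in the documented command (key written unencrypted).
encrypt_key = yes
default_md = sha512
string_mask = utf8only
utf8 = yes
req_extensions = admin-cert_req_ext
distinguished_name = admin-cert_distinguished_name

# Extensions placed in the administrator CSR.
[ admin-cert_req_ext ]
subjectKeyIdentifier = hash

# Prompt text and default for the administrator subject.
[ admin-cert_distinguished_name ]
commonName = Common Name (identification of the Administrator)
commonName_default = CZERTAINLY Administrator

# Extensions for the administrator client certificate (openssl ca -extensions admin-cert_ext).
[ admin-cert_ext ]
basicConstraints = critical, CA:false
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
certificatePolicies = @admin-cert_policy

# anyPolicy (2.5.29.32.0) with a user notice.
[ admin-cert_policy ]
policyIdentifier = 2.5.29.32.0
userNotice.1 = @admin-cert_policy_notice

[ admin-cert_policy_notice ]
explicitText = "UTF8:This is a dummy administrator certificate for testing purposes"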