# # OpenSSL configuration for the Intermediate Certification Authority. # # # This definition doesn't work if HOME isn't defined. CA_HOME = . RANDFILE = $ENV::CA_HOME/private/.rnd oid_section = new_oids ALTNAME = # # XMPP address Support [ new_oids ] #xmppAddr = 1.3.6.1.5.5.7.8.5 #dnsSRV = 1.3.6.1.5.5.7.8.7 # # Default Certification Authority [ ca ] default_ca = intermed_ca # # Intermediate Certification Authority [ intermed_ca ] dir = $ENV::CA_HOME certs = $dir/certs serial = $dir/intermed-ca.serial database = $dir/intermed-ca.index new_certs_dir = $dir/newcerts certificate = $dir/intermed-ca.cert.pem private_key = $dir/private/intermed-ca.key.pem default_days = 730 # Two years crl = $dir/crl/intermed-ca.crl crl_dir = $dir/crl crlnumber = $dir/intermed-ca.crlnum name_opt = multiline, align cert_opt = no_pubkey copy_extensions = copy crl_extensions = crl_ext default_crl_days = 30 default_md = sha384 preserve = no email_in_dn = no policy = policy unique_subject = no # # Distinguished Name Policy [ policy ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied # # Distinguished Name Policy for Personal Certificates [ user_policy ] countryName = supplied stateOrProvinceName = optional localityName = supplied organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = supplied #xmppAddr = optional # Added to SubjAltName by req # # Intermediate CA request options [ req ] default_bits = 3072 default_keyfile = private/intermed-ca.key.pem encrypt_key = yes default_md = sha384 string_mask = utf8only utf8 = yes prompt = no req_extensions = req_ext distinguished_name = distinguished_name subjectAltName = subject_alt_name # # Intermediate CA Request Extensions [ req_ext ] subjectKeyIdentifier = hash subjectAltName = @subject_alt_name # # Distinguished Name (DN) [ distinguished_name ] organizationName = example.net commonName = example.net Intermediate Certification Authority v1.1 # # Server Certificate Extensions [ server_ext ] keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = critical, serverAuth, clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy authorityInfoAccess = @auth_info_access crlDistributionPoints = crl_dist # # Server Certificate Extensions with Subject Alternative Name [ server_ext_san ] keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = critical, serverAuth, clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy authorityInfoAccess = @auth_info_access crlDistributionPoints = crl_dist subjectAltName = $ENV::ALTNAME # # Client Certificate Extensions [ client_ext ] keyUsage = critical, digitalSignature extendedKeyUsage = critical, clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy authorityInfoAccess = @auth_info_access crlDistributionPoints = crl_dist # # User Certificate Extensions [ user_ext ] keyUsage = critical, digitalSignature extendedKeyUsage = critical, clientAuth, emailProtection subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy authorityInfoAccess = @auth_info_access crlDistributionPoints = crl_dist # # CRL Certificate Extensions [ crl_ext ] authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy # # Certificate Authorities Alternative Names [ subject_alt_name ] URI = http://ca.example.net/ email = certmaster@example.net # # Certificate download addresses for the intermediate CA [ auth_info_access ] caIssuers;URI = http://ca.example.net/certs/example.net_Intermediate_Certification_Authority_v1.1.cert.pem # # CRL Download address for the intermediate CA [ crl_dist ] fullname = URI:http://ca.example.net/crl/example.net_Intermediate_Certification_Authority_v1.1.crl # EOF