root-ca.conf

This file shows an example of a root CA configuration file, which is used to create the root CA certificate.

 1# Simple Root CA
 2
 3# The [default] section contains global constants that can be referred to from
 4# the entire configuration file. It may also hold settings pertaining to more
 5# than one openssl command.
 6[ default ]
 7ca                      = root-ca               # CA name.  Details in line 41
 8dir                     = .                     # Top dir
 9
10# The next part of the configuration file is used by the openssl req command.
11# It defines the CA's key pair, its DN, and the desired extensions for the CA
12# certificate.
13[ req ]
14default_bits            = 2048                  # RSA key size
15encrypt_key             = yes                   # Protect private key
16default_md              = sha1                  # MD to use
17utf8                    = yes                   # Input is UTF-8
18string_mask             = utf8only              # Emit UTF-8 strings
19prompt                  = no                    # Don't prompt for DN
20distinguished_name      = ca_dn                 # DN section (given below)
21req_extensions          = ca_reqext             # Desired extensions section
22
23[ ca_dn ]
240.domainComponent       = "org"
251.domainComponent       = "simple"
26organizationName        = "Simple Inc"
27organizationalUnitName  = "Simple Root CA"
28commonName              = "Simple Root CA"
29
30[ ca_reqext ]
31keyUsage                = critical,keyCertSign,cRLSign
32basicConstraints        = critical,CA:true
33subjectKeyIdentifier    = hash
34
35# The remainder of the configuration file is used by the openssl ca command.
36# The CA section defines the locations of CA assets, as well as the policies
37# applying to the CA.
38[ ca ]
39default_ca              = root_ca               # The default CA section
40
41[ root_ca ]
42certificate             = $dir/ca/$ca.crt       # The CA cert
43private_key             = $dir/ca/$ca/private/$ca.key # CA private key
44new_certs_dir           = $dir/ca/$ca           # Certificate archive
45serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
46crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
47database                = $dir/ca/$ca/db/$ca.db # Index file
48unique_subject          = no                    # Require unique subject
49default_days            = 3652                  # How long to certify for
50default_md              = sha1                  # MD to use
51policy                  = match_pol             # Default naming policy
52email_in_dn             = no                    # Add email to cert DN
53preserve                = no                    # Keep passed DN ordering
54name_opt                = ca_default            # Subject DN display options
55cert_opt                = ca_default            # Certificate display options
56copy_extensions         = none                  # Copy extensions from CSR
57x509_extensions         = signing_ca_ext        # Default cert extensions
58default_crl_days        = 365                   # How long before next CRL
59crl_extensions          = crl_ext               # CRL extensions
60
61# Naming policies control which parts of a DN end up in the certificate
62# and under what circumstances certification should be denied.
63
64[ match_pol ]
65domainComponent         = match                 # Must match 'simple.org'
66organizationName        = match                 # Must match 'Simple Inc'
67organizationalUnitName  = optional              # Included if present
68commonName              = supplied              # Must be present
69
70[ any_pol ]
71domainComponent         = optional
72countryName             = optional
73stateOrProvinceName     = optional
74localityName            = optional
75organizationName        = optional
76organizationalUnitName  = optional
77commonName              = optional
78emailAddress            = optional
79
80# Certificate extensions define what types of
81# certificates the CA is able to create.
82
83[ root_ca_ext ]
84keyUsage                = critical,keyCertSign,cRLSign
85basicConstraints        = critical,CA:true
86subjectKeyIdentifier    = hash
87authorityKeyIdentifier  = keyid:always
88
89[ signing_ca_ext ]
90keyUsage                = critical,keyCertSign,cRLSign
91basicConstraints        = critical,CA:true,pathlen:0
92subjectKeyIdentifier    = hash
93authorityKeyIdentifier  = keyid:always
94
95# CRL extensions exist solely to point to the CA certificate that has issued
96# the CRL.
97
98[ crl_ext ]
99authorityKeyIdentifier  = keyid:always