root-ca.conf
This file shows an example of a root CA configuration file, which is used to create the root CA certificate.
# Simple Root CA

# The [default] section holds global constants that the rest of this file
# refers to through $name expansion ($ca and $dir below). It may also carry
# settings shared by more than one openssl command.
[ default ]
ca = root-ca # CA name; its assets are laid out in [root_ca] below
dir = . # Top-level directory under which all CA files live
9
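# The next part of the configuration file is used by the openssl req command.
# It defines the CA's key pair, its DN, and the desired extensions for the CA
# certificate.
[ req ]
default_bits = 2048 # RSA key size in bits
encrypt_key = yes # Encrypt the generated private key
# Signature digest for the CSR. sha1 is deprecated and rejected by current
# verifiers; sha256 is the accepted baseline.
default_md = sha256
utf8 = yes # Treat DN input as UTF-8
string_mask = utf8only # Encode DN strings as UTF8String only
prompt = no # Take the DN from [ca_dn] instead of prompting
distinguished_name = ca_dn # DN section (given below)
req_extensions = ca_reqext # Extension section for the CSR (given below)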
22
# Distinguished name of the root CA, used verbatim because [req] sets
# prompt = no. The "0." / "1." prefixes let the same attribute type appear
# twice in one section.
[ ca_dn ]
0.domainComponent = "org"
1.domainComponent = "simple"
organizationName = "Simple Inc"
organizationalUnitName = "Simple Root CA"
commonName = "Simple Root CA"
29
# Extensions requested in the root CA's own CSR (req_extensions in [req]).
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign # Key may only sign certificates and CRLs
basicConstraints = critical,CA:true # Assert CA status, no path length limit
subjectKeyIdentifier = hash # Derive the SKI from the public key
34
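# The remainder of the configuration file is used by the openssl ca command.
# The CA section defines the locations of CA assets, as well as the policies
# applying to the CA.
[ ca ]
default_ca = root_ca # CA section used when none is named on the command line

[ root_ca ]
certificate = $dir/ca/$ca.crt # The CA cert
private_key = $dir/ca/$ca/private/$ca.key # CA private key
new_certs_dir = $dir/ca/$ca # Certificate archive
serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
database = $dir/ca/$ca/db/$ca.db # Index file
unique_subject = no # Allow several certs with the same subject (e.g. renewals)
default_days = 3652 # Validity of issued certs in days (about 10 years)
# Signature digest for issued certs and CRLs. sha1 is deprecated and rejected
# by current verifiers; sha256 is the accepted baseline.
default_md = sha256
policy = match_pol # Default naming policy (see [match_pol])
email_in_dn = no # Do not add email to cert DN
preserve = no # Do not keep passed DN ordering
name_opt = ca_default # Subject DN display options
cert_opt = ca_default # Certificate display options
copy_extensions = none # Ignore CSR extensions; only sections in this file apply
# Default extensions for issued certs, i.e. subordinate signing CAs.
# [root_ca_ext] is not referenced in this file; it is presumably chosen with
# -extensions root_ca_ext when the root certificate itself is self-signed.
x509_extensions = signing_ca_ext
default_crl_days = 365 # How long before next CRL
crl_extensions = crl_ext # CRL extensions (see [crl_ext])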
60
# Naming policies control which parts of a DN end up in the certificate
# and under what circumstances certification should be denied.

# Default policy (policy = match_pol in [root_ca]): DC and O must equal the
# CA certificate's own values, OU is passed through if present, CN is
# mandatory.
[ match_pol ]
domainComponent = match # Must match 'simple.org'
organizationName = match # Must match 'Simple Inc'
organizationalUnitName = optional # Included if present
commonName = supplied # Must be present
69
# Permissive policy: every listed attribute is optional and copied through
# unchanged. Not referenced by [root_ca] in this file; it would have to be
# selected explicitly (-policy any_pol) on the command line.
[ any_pol ]
domainComponent = optional
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
79
# Certificate extensions define what types of
# certificates the CA is able to create.

# Extensions for the root CA's own self-signed certificate. Not referenced by
# [root_ca] above; it has to be selected with -extensions root_ca_ext.
[ root_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# Extensions for subordinate signing CAs issued by this root (the default via
# x509_extensions in [root_ca]). pathlen:0 prevents them from issuing further
# CA certificates.
[ signing_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
94
# CRL extensions exist solely to point to the CA certificate that has issued
# the CRL.

[ crl_ext ]
authorityKeyIdentifier = keyid:always # Issuer key identifier, always included