2 # OpenSSL example configuration file for automated certificate creation.
# NOTE(review): this listing is an excerpt -- the embedded line numbers skip,
# so some settings and section headers are not visible here.
5 # This definition stops the following lines choking if HOME or CN
# Seed file path is built from the HOME environment variable of whichever
# process runs openssl.
8 RANDFILE = $ENV::HOME/.rnd
12 ####################################################################
# Default file name for a newly generated private key. Whether that key is
# written passphrase-protected depends on settings not visible in this
# excerpt -- confirm, and keep the file readable by its owner only.
15 default_keyfile = privkey.pem
16 # Don't prompt for fields: use those in section directly
# Section that supplies the subject name fields.
18 distinguished_name = req_distinguished_name
# Extension section applied to self-signed certificates. The trailing '#'
# text on the next line is an inline comment, which OpenSSL's config parser
# accepts (many other INI-style parsers would not).
19 x509_extensions = v3_ca # The extensions to add to the self signed cert
# Encode string fields as UTF8String only.
20 string_mask = utf8only
22 # req_extensions = v3_req # The extensions to add to a certificate request
24 [ req_distinguished_name ]
# Subject name fields used for the request; only the organization is visible
# in this excerpt.
27 organizationName = OpenSSL Group
28 # Take CN from environment so it can come from a script.
# NOTE(review): the commonName line itself is not visible here. A CN read from
# the environment goes into the certificate subject as given, so the calling
# script should validate the value before exporting it.
33 # These extensions are added when 'ca' signs a request for an end entity
# NOTE(review): the section header for this profile is not visible in the
# excerpt.
# CA:FALSE marked critical: the certificate must not be accepted as an issuer.
36 basicConstraints=critical, CA:FALSE
# One key is allowed to sign (digitalSignature, nonRepudiation) and to
# transport keys (keyEncipherment). Outside a test setup, separate profiles
# per purpose keep a compromised key from serving both roles.
37 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
39 # This will be displayed in Netscape's comment listbox.
# Legacy Netscape extension; informational text only.
40 nsComment = "OpenSSL Generated Certificate"
42 # PKIX recommendations harmless if included in all certificates.
43 subjectKeyIdentifier=hash
# 'keyid' without ':always' copies the issuer's key identifier when it is
# available and does not fail when it is not.
44 authorityKeyIdentifier=keyid
45 # OCSP responder certificate
# NOTE(review): the section header for this profile is not visible in the
# excerpt.
48 basicConstraints=critical, CA:FALSE
# Signing OCSP responses needs digitalSignature only; nonRepudiation and
# keyEncipherment widen what the responder key may be used for. Consider
# trimming them outside a test setup.
49 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
51 # This will be displayed in Netscape's comment listbox.
52 nsComment = "OpenSSL Generated Certificate"
54 # PKIX recommendations harmless if included in all certificates.
55 subjectKeyIdentifier=hash
56 authorityKeyIdentifier=keyid
# Marks the certificate as authorized to sign OCSP responses for its issuer.
# NOTE(review): no 'noCheck' (id-pkix-ocsp-nocheck) extension appears in the
# visible lines, so clients may try to revocation-check the responder
# certificate itself -- confirm this is intended. If noCheck is added, keep
# the responder certificate short-lived.
57 extendedKeyUsage=OCSPSigning
61 # These extensions are added when 'ca' signs a request for an end entity
# NOTE(review): the section header is not visible in the excerpt; a keyUsage
# of keyAgreement alone suggests a key-agreement (e.g. DH) certificate
# profile -- confirm against the full file.
64 basicConstraints=critical, CA:FALSE
# The key may be used for key agreement only: no signing, no key transport.
65 keyUsage=critical, keyAgreement
67 # PKIX recommendations harmless if included in all certificates.
68 subjectKeyIdentifier=hash
69 authorityKeyIdentifier=keyid
74 # Extensions for a typical CA
# NOTE(review): the section header is not visible in the excerpt; presumably
# this is the section named by x509_extensions -- confirm.
76 # PKIX recommendation.
78 subjectKeyIdentifier=hash
# ':always' makes certificate creation fail if the issuer key identifier
# cannot be included.
79 authorityKeyIdentifier=keyid:always
# CA:true with no pathlen: this profile places no limit on how many levels of
# subordinate CAs may chain below the certificate. A CA that should only
# issue end-entity certificates can add pathlen:0.
80 basicConstraints = critical,CA:true
# Restricted to signing certificates and CRLs; the CA key is not usable for
# TLS key exchange or general data signing.
81 keyUsage = critical, cRLSign, keyCertSign
83 # Minimal CA entry to allow generation of CRLs.