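# OpenSSL configuration for a test CA (w1.fi test certificates).
# Read by `openssl req` ([req] sections) and `openssl ca` ([ca]/[CA_default]).
# Lines of the form #@NAME@ are template markers -- presumably rewritten by the
# script that generates the certificates -- and must be kept byte-for-byte.
# Comment character is '#'; OpenSSL does not support trailing comments on
# value lines, so every comment here is on its own line.

# Fallback for $ENV::HOME below: OpenSSL consults the environment first and
# uses this default-section value only when HOME is not set.
HOME = .
# Seed file location; ignored by OpenSSL >= 1.1.1, kept for older releases.
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]

[ ca ]
default_ca = CA_default

[ CA_default ]

# All CA state (index, serial, issued certificates, CA key) lives under here.
dir = ./test-ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
# Test-CA convenience: allow issuing again for a subject already present in
# index.txt (e.g. regenerating the same server certificate). A production CA
# should keep unique_subject = yes so duplicate subjects are refused.
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand

# Extension profile used when `openssl ca` is run without -extensions.
x509_extensions = usr_cert

name_opt = ca_default
cert_opt = ca_default

# Certificate and CRL lifetimes in days.
default_days = 365
default_crl_days = 30
# Pin the signing digest explicitly. The value "default" resolves to the key
# type's default digest, which depends on the OpenSSL release; sha256 is what
# current releases pick for RSA and is what these certificates should use.
default_md = sha256
preserve = no

# Subject policy applied when signing requests (see [policy_match]).
policy = policy_match

[ policy_match ]
# C and O must equal the CA's; CN is required; the rest is free-form.
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
# Alternative policy: only the CN is required. Select with `ca -policy`.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions for self-signed certificates made with `req -x509`, i.e. the
# CA certificate itself.
x509_extensions = v3_ca
# Same explicit digest as on the CA side (see default_md in [CA_default]).
default_md = sha256

# Encode DN strings as UTF8String only (no T61/BMPString), so subjects from
# different tools compare byte-for-byte.
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FI
countryName_min = 2
countryName_max = 2

localityName = Locality Name (eg, city)
localityName_default = Tuusula

0.organizationName = Organization Name (eg, company)
0.organizationName_default = w1.fi

commonName = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# Left disabled on purpose: subjectAltName is a certificate extension, not a
# DN attribute. Host names go in via the #@ALTNAME@ markers in the extension
# sections below.
##0.subjectAltName = dNSName:server.w1.fi

[ req_attributes ]

[ usr_cert ]

# Default end-entity profile for `openssl ca` (no -extensions given).
basicConstraints = CA:FALSE

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Key usage for a TLS end entity. keyEncipherment is only meaningful for RSA
# keys (TLS 1.2 RSA key exchange); drop it when issuing for EC keys.
keyUsage = digitalSignature, keyEncipherment

# OCSP responder location. Plain http is the normal transport for OCSP:
# responses are signed, and an https URL here would itself need validating.
authorityInfoAccess = OCSP;URI:http://server.w1.fi:8888/

[ v3_req ]

# Not referenced from [req] (no req_extensions set), so this is applied only
# when selected explicitly. The DNS names are placeholders; replace them
# before using this profile.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:example.com,DNS:another.example.com

[ v3_ca ]

# Extensions for the CA certificate (used via [req] x509_extensions).
subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

# RFC 5280 requires a CA certificate to carry basicConstraints marked critical
# and a keyUsage containing keyCertSign; cRLSign is included because this CA
# issues CRLs. digitalSignature is kept so the CA key can also sign OCSP
# responses directly if the responder runs with the CA key.
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign

[ crl_ext ]

# Extensions added to CRLs (`ca -gencrl`).
authorityKeyIdentifier = keyid:always

[ v3_OCSP ]
# Delegated OCSP responder certificate (RFC 6960 section 4.2.2.2).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# A responder only signs responses: nonRepudiation and keyEncipherment do not
# apply to this key, so they are not asserted.
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
# id-pkix-ocsp-nocheck: clients need not (and cannot sensibly) check the
# responder certificate's own revocation status via the same responder.
# The value is ignored by OpenSSL; only the extension's presence matters.
noCheck = ignore

[ ext_client ]

# Client-authentication end-entity profile.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:http://server.w1.fi:8888/
#@ALTNAME@

# keyEncipherment is RSA-only; drop it when issuing for EC keys.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ ext_server ]

# Server-authentication end-entity profile.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:http://server.w1.fi:8888/
#@ALTNAME@
#@CERTPOL@

# keyEncipherment is RSA-only; drop it when issuing for EC keys.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ ext_client_server ]

# Combined profile: usable for both client and server authentication.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:http://server.w1.fi:8888/
#@ALTNAME@

# keyEncipherment is RSA-only; drop it when issuing for EC keys.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth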