xref: /openssl/test/smime-certs/ca.cnf (revision b7cc2d2f)
#
# OpenSSL example configuration file for automated certificate creation.
#

# Configuration errors are reported while this is set.
# Comment out the next line to ignore configuration errors.
config_diagnostics = 1

# Defaults kept in the unnamed section so that the $ENV:: lookups further
# down do not choke when HOME or CN is missing from the environment.
HOME = .
CN = "Not Defined"
# NOTE(review): no section named 'ca' appears in this listing; confirm where
# the settings referenced by default_ca are defined before using 'openssl ca'.
default_ca = ca

####################################################################

[ req ]
# Default key size in bits. 2048 is generally treated as the floor for RSA;
# raise it for keys that are meant to outlive example or test use.
default_bits = 2048
default_keyfile = privkey.pem
# Don't prompt for fields: use the values in the distinguished_name section
# directly.
prompt = no
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert. v3_ca sets CA:true, so every
# self-signed certificate created with this section is a CA certificate.
x509_extensions = v3_ca
string_mask = utf8only

# The extensions to add to a certificate request (disabled):
# req_extensions = v3_req

[ req_distinguished_name ]
# NOTE(review): the ISO 3166-1 alpha-2 code for the United Kingdom is GB.
# 'UK' is left as the file has it, because changing it would change the
# subject of every certificate generated from this section.
countryName = UK

organizationName = OpenSSL Group
# Take CN from environment so it can come from a script. The subject name is
# therefore whatever the calling environment exports as CN.
commonName = $ENV::CN

[ usr_rsa_cert ]

# Extensions added when 'ca' signs a request for a normal end-entity
# certificate, with key usage restrictions compatible with RSA keys.

# End-entity certificate: it may not act as a CA.
basicConstraints = CA:FALSE
# 'critical' means a verifier that cannot process keyUsage must reject the
# certificate rather than ignore the restriction.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# The SKID and AKID settings below are now applied by default in all
# certificates, so they stay commented out.
# See doc/man5/x509v3_config.pod for details.

# subjectKeyIdentifier = hash
# authorityKeyIdentifier = keyid, issuer

[ signer_cert ]

# End-entity certificate restricted to digital signatures; no key
# encipherment or key agreement usage is granted.
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature

[ dh_cert ]

# Extensions added when 'ca' signs a request for an end-entity DH
# certificate, for which only key agreement makes sense.

# End-entity certificate: it may not act as a CA.
basicConstraints = CA:FALSE
# Key agreement is the only permitted usage, and the restriction is critical.
keyUsage = critical, keyAgreement

[ codesign_cert ]

# Extensions added when 'ca' signs a request for a code-signing end-entity
# certificate compatible with RSA and ECC keys.

# End-entity certificate: it may not act as a CA.
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
# Limits the certificate to code signing. Unlike keyUsage above, this
# extension is not marked critical here.
extendedKeyUsage = codeSigning

[ v3_ca ]

# Extensions for a typical CA as required by RFC 5280 etc.
# SKID and AKID are set by default according to the PKIX recommendation.

# No pathlen is given, so this extension places no limit on how many
# subordinate CA levels may sit below a certificate carrying it.
basicConstraints = critical, CA:true
# Key usage is limited to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign
