-
Notifications
You must be signed in to change notification settings - Fork 102
/
openssl.cnf
89 lines (73 loc) · 2.28 KB
/
openssl.cnf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# Copied over from the Basic profile
# Note: LibreSSL 2.2.7 does not correctly support environment variables
# here and that is the version that ships with OS X High Sierra. So, we
# replace text using Python and generate a temporary cnf file
common_name = @COMMON_NAME@
client_alt_name = @CLIENT_ALT_NAME@
server_alt_name = @SERVER_ALT_NAME@
[ ca ]
default_ca = test_root_ca
[ test_root_ca ]
root_ca_dir = testca
certificate = $root_ca_dir/cacert.pem
database = $root_ca_dir/index.txt
new_certs_dir = $root_ca_dir/certs
private_key = $root_ca_dir/private/cakey.pem
serial = $root_ca_dir/serial
default_crl_days = 7
default_days = 1825
default_md = sha256
policy = test_root_ca_policy
x509_extensions = certificate_extensions
[ test_root_ca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 4096
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
[ ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @client_alt_names
[ server_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @server_alt_names
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ client_alt_names ]
DNS.1 = $common_name
DNS.2 = $client_alt_name
DNS.3 = localhost
# examples of more Subject Alternative Names
# DNS.4 = guest
# email = [email protected]
# URI = amqps://123.client.warp10.local
# otherName = 1.3.6.1.4.1.54392.5.436;FORMAT:UTF8,UTF8String:other-username
[ server_alt_names ]
DNS.1 = $common_name
DNS.2 = $server_alt_name
DNS.3 = localhost