OpenSSL root and intermediate CA configurations
# OpenSSL root CA configuration file.
# Entry point read by `openssl ca`: names the section that holds this CA's settings.
[ ca ]
default_ca = ca_default
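# Settings for `openssl ca` when this root signs the intermediate CA certificate.
[ ca_default ]
# Base directory; every other path below is expressed relative to it.
dir = /etc/pki/CA/root-ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
# Index of issued certificates and the serial counter; both must exist before first use.
database = $dir/db/root-ca.index
serial = $dir/db/root-ca.serial
# Legacy seed file; recent OpenSSL releases seed from the OS and may ignore it.
RANDFILE = $dir/private/.rand
private_key = $dir/private/root-ca.key
certificate = $dir/certs/root-ca.crt
# CRL number counter, CRL output path and the extension profile applied to CRLs.
crlnumber = $dir/db/root-ca.crlnumber
crl = $dir/crl/root-ca.crl
crl_extensions = crl_ext
# Days until the next CRL is due.
default_crl_days = 180
default_md = sha384
# Display options for the details shown at the signing confirmation prompt.
name_opt = ca_default
cert_opt = ca_default
# Days of validity for certificates this root issues (i.e. the intermediate CA).
default_days = 375
# Take the DN component order from the policy section rather than from the request.
preserve = no
# Extension profile used when -extensions is not given on the command line.
# Without a default, `openssl ca` issues a V1 certificate with no extensions at
# all, which cannot act as a CA; int_ca is the only profile this root is meant
# to issue, so make it the default (an explicit -extensions still overrides it).
x509_extensions = int_ca
# DN matching rules for requests. policy_strict is defined below and can be
# selected with -policy when the intermediate must share this root's C/ST/O.
policy = policy_loose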
# DN policy: `match` fields must equal the CA certificate's, `supplied` fields must
# be present, `optional` fields may be omitted. Not selected by ca_default; apply it
# with `openssl ca -policy policy_strict`.
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# DN policy selected by ca_default: only commonName is required and no field has
# to match the issuing certificate.
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
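# Settings for `openssl req` when generating the root key and its self-signed certificate.
[ req ]
# Key size in bits for keys generated by `openssl req`.
default_bits = 3072
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only.
string_mask = utf8only
default_md = sha384
# Extension profile applied by `openssl req -x509`, i.e. to the self-signed root.
# This must be root_ca: the int_ca profile carries pathlen:0 and a CRL
# distribution point, neither of which belongs on a self-signed root. The
# intermediate receives int_ca at signing time (`openssl ca -extensions int_ca`),
# not from this section.
x509_extensions = root_ca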
# Prompt labels and defaults for the DN fields asked for by `openssl req`.
# The order of the *Name keys is the order of the components in the resulting DN;
# the `0.` prefix is the OpenSSL convention that lets a field name appear more than once.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# `_default` values are offered at the prompt; an empty default offers none.
countryName_default = US
stateOrProvinceName_default = MD
localityName_default =
0.organizationName_default = LAB
organizationalUnitName_default =
emailAddress_default =
# Extensions for the self-signed root certificate. No pathlen is set, so the root
# may issue intermediates that are themselves allowed to issue CAs. No CRL
# distribution point or AIA: a root is trusted directly and has no issuer to name.
[ root_ca ]
subjectKeyIdentifier = hash
# The key identifier is mandatory (`always`); issuer name and serial are only added
# if no key identifier is available.
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
# digitalSignature permits the CA key to sign OCSP responses directly;
# cRLSign and keyCertSign cover CRLs and certificates.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Profile for the intermediate CA certificate issued by this root
# (`openssl ca -extensions int_ca`).
[ int_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 — the intermediate may issue end-entity certificates only, never another CA.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Revocation and chain-building pointers name the issuer (this root), not the
# intermediate: clients fetch the root's CRL to check the intermediate's status.
# Plain http is conventional here; an https URL would require validating a chain
# that may itself depend on this CRL.
crlDistributionPoints = URI:http://pki.lab.local/root-ca.crl
authorityInfoAccess = caIssuers;URI:http://pki.lab.local/root-ca.crt
# Extensions placed in CRLs issued by this root (selected via crl_extensions in ca_default).
[ crl_ext ]
# Identifies the CRL-signing key so clients can match the CRL to the root certificate.
authorityKeyIdentifier = keyid:always
# Where clients can fetch the certificate of the CRL signer (this root).
authorityInfoAccess = caIssuers;URI:http://pki.lab.local/root-ca.crt
# OpenSSL intermediate CA configuration file.
# Entry point read by `openssl ca`: names the section that holds this CA's settings.
[ ca ]
default_ca = ca_default
# Settings for `openssl ca` when this intermediate signs end-entity certificates.
[ ca_default ]
# Base directory; every other path below is expressed relative to it.
dir = /etc/pki/CA/int-ca
# URLs published in issued certificates for this CA's CRL and its own certificate.
# Single source of truth: extension sections can reference them as
# $ca_default::cdp_url / $ca_default::aia_url, so moving the publication host is
# a one-line change and every profile publishes the same values.
cdp_url = http://pki.lab.local/int-ca.crl
aia_url = http://pki.lab.local/int-ca.crt
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
# Index of issued certificates and the serial counter; both must exist before first use.
database = $dir/db/int-ca.index
serial = $dir/db/int-ca.serial
# Legacy seed file; recent OpenSSL releases seed from the OS and may ignore it.
RANDFILE = $dir/private/.rand
private_key = $dir/private/int-ca.key
certificate = $dir/certs/int-ca.crt
# CRL number counter, CRL output path and the extension profile applied to CRLs.
crlnumber = $dir/db/int-ca.crlnumber
crl = $dir/crl/int-ca.crl
crl_extensions = crl_ext
# Days until the next CRL is due; shorter than the root's because end-entity
# revocations must propagate faster.
default_crl_days = 60
default_md = sha384
# Display options for the details shown at the signing confirmation prompt.
name_opt = ca_default
cert_opt = ca_default
# Days of validity for end-entity certificates.
default_days = 375
# Take the DN component order from the policy section rather than from the request.
preserve = no
# No x509_extensions default: `openssl ca` must always be run with -extensions
# (usr_cert, server_cert, ipsec_cert or ocsp); run without it, OpenSSL issues a
# V1 certificate carrying no extensions. No copy_extensions either, so any
# subjectAltName must be supplied at signing time (e.g. -extfile).
policy = policy_loose
# DN policy: `match` fields must equal the CA certificate's, `supplied` fields must
# be present, `optional` fields may be omitted. Not selected by ca_default; apply it
# with `openssl ca -policy policy_strict`.
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# DN policy selected by ca_default: only commonName is required and no field has
# to match the issuing certificate.
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Settings for `openssl req` when generating this CA's key and its CSR for the root.
[ req ]
# Key size in bits for keys generated by `openssl req`.
default_bits = 3072
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only.
string_mask = utf8only
default_md = sha384
# Only consulted by `openssl req -x509` (self-signed output). The intermediate's
# own CSR does not carry these extensions; the root applies its int_ca profile
# when it signs.
x509_extensions = server_cert
# Prompt labels and defaults for the DN fields asked for by `openssl req`.
# The order of the *Name keys is the order of the components in the resulting DN;
# the `0.` prefix is the OpenSSL convention that lets a field name appear more than once.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# `_default` values are offered at the prompt; an empty default offers none.
countryName_default = US
stateOrProvinceName_default = MD
localityName_default =
0.organizationName_default = LAB
organizationalUnitName_default =
emailAddress_default =
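# Profile for client / S/MIME certificates (`openssl ca -extensions usr_cert`).
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
# CRL and issuer-certificate URLs come from ca_default (cdp_url / aia_url) so every
# profile publishes the same values; a stale literal here would silently break
# revocation checking for this profile only.
crlDistributionPoints = URI:$ca_default::cdp_url
authorityInfoAccess = caIssuers;URI:$ca_default::aia_url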
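# Profile for TLS server certificates (`openssl ca -extensions server_cert`).
# No subjectAltName is set here and ca_default has no copy_extensions, so the SAN
# must be supplied at signing time (e.g. -extfile); modern TLS clients reject
# serverAuth certificates whose hostname appears only in the CN. Every field a
# CSR could try to influence (basicConstraints, keyUsage, EKU) is pinned here.
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# digitalSignature for signing handshakes, keyEncipherment for RSA key transport.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# CRL and issuer-certificate URLs come from ca_default (cdp_url / aia_url) so every
# profile publishes the same values.
crlDistributionPoints = URI:$ca_default::cdp_url
authorityInfoAccess = caIssuers;URI:$ca_default::aia_url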
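# Profile for IPsec/IKE peer certificates (`openssl ca -extensions ipsec_cert`).
# No extendedKeyUsage is set; per RFC 5280 an absent EKU places no restriction on
# purpose. NOTE(review): IKE peer identities are typically carried in a
# subjectAltName, which this profile does not set — supply it at signing time.
[ ipsec_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Signature-only key: IKE authenticates with signatures, no key transport needed.
keyUsage = critical, digitalSignature
# CRL and issuer-certificate URLs come from ca_default (cdp_url / aia_url) so every
# profile publishes the same values.
crlDistributionPoints = URI:$ca_default::cdp_url
authorityInfoAccess = caIssuers;URI:$ca_default::aia_url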
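# Extensions placed in CRLs issued by this intermediate (selected via crl_extensions
# in ca_default).
[ crl_ext ]
# Identifies the CRL-signing key so clients can match the CRL to this CA's certificate.
authorityKeyIdentifier = keyid:always
# Where clients can fetch the certificate of the CRL signer; taken from ca_default
# so it cannot drift from the URL published in issued certificates.
authorityInfoAccess = caIssuers;URI:$ca_default::aia_url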
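# Profile for a delegated OCSP responder certificate (`openssl ca -extensions ocsp`).
# The responder's own status is checked through the CDP below because noCheck is
# not set; NOTE(review): responders issued short-lived certificates usually add
# `noCheck = ignore` instead — a policy choice, not made here.
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Signature-only key; the critical OCSPSigning EKU is what makes responses from this
# delegated key acceptable for certificates issued by this CA.
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
# CRL and issuer-certificate URLs come from ca_default (cdp_url / aia_url) so every
# profile publishes the same values.
crlDistributionPoints = URI:$ca_default::cdp_url
authorityInfoAccess = caIssuers;URI:$ca_default::aia_url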
@iamgianghip

nice
