OpenSSL configuration file that uses Alternate Names & Subject Alternate Names
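# Section req drives `openssl req`: key size, where the private key is
# written, which section supplies the Subject DN, and which extension
# section is attached to a CSR (req_extensions) or to a self-signed
# certificate (x509_extensions, used together with -x509).
[ req ]
# RSA modulus size in bits; 2048 is the accepted minimum today.
default_bits = 2048
# Private key output path used when -keyout is not given on the command line.
default_keyfile = server-key.pem
# Signature digest. Set explicitly so the result does not depend on the
# OpenSSL build's compiled-in default (older releases defaulted to SHA-1).
default_md = sha256
# Prompted Subject DN fields are taken from the [ subject ] section below.
distinguished_name = subject
# Extensions requested in a CSR (openssl req -new ...).
req_extensions = req_ext
# Extensions placed in a self-signed certificate (openssl req -x509 ...).
x509_extensions = x509_ext
# Encode DN strings only as UTF8String (no T61String/BMPString variants).
string_mask = utf8only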
# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
# Each <field> line is the prompt text shown by `openssl req`; the matching
# <field>_default line is the value used when the prompt is answered with Enter.
# The _default values below are the gist author's placeholders; replace them
# with your own before use.
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = FL
localityName = Locality Name (eg, city)
localityName_default = Florida
organizationName = Organization Name (eg, company)
organizationName_default = Andrew Connell Inc.
# Use a friendly name here because it's presented to the user. The server's DNS
# names are placed in Subject Alternate Names. Plus, DNS names here are deprecated
# by both IETF and CA/Browser Forums. If you place a DNS name here, then you
# must include the DNS name in the SAN too (otherwise, Chrome and others that
# strictly follow the CA/Browser Baseline Requirements will fail).
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
# Optional; a public CA will normally drop emailAddress from a server certificate.
emailAddress = Email Address
emailAddress_default = brickwall@andrewconnell.com
# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
# Subject Key Identifier derived from the public key.
subjectKeyIdentifier = hash
# For a self-signed certificate the issuer is the certificate itself, so
# keyid resolves to the subjectKeyIdentifier above.
authorityKeyIdentifier = keyid,issuer
# You only need digitalSignature below. *If* you don't allow
# RSA Key transport (i.e., you use ephemeral cipher suites), then
# omit keyEncipherment because that's key transport.
# keyEncipherment is meaningless for an ECDSA key; use digitalSignature alone there.
# CA:FALSE marks this as an end-entity certificate that cannot sign other certificates.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# Host names and IP addresses live in the alternate_names section, not in the CN.
subjectAltName = @alternate_names
# Legacy Netscape extension; purely informational.
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# NOTE(review): some current TLS clients refuse a server certificate that
# carries no serverAuth EKU; consider enabling the line below with serverAuth only.
# extendedKeyUsage = serverAuth, clientAuth
# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
# These are *requested* extensions carried in the CSR; the signing CA decides
# which of them end up in the issued certificate. No authorityKeyIdentifier
# here because the CA, not the requester, supplies it.
[ req_ext ]
subjectKeyIdentifier = hash
# End-entity certificate; cannot sign other certificates.
basicConstraints = CA:FALSE
# Drop keyEncipherment if only ephemeral cipher suites (or an ECDSA key) are used.
keyUsage = digitalSignature, keyEncipherment
# Host names and IP addresses come from the alternate_names section.
subjectAltName = @alternate_names
# Legacy Netscape extension; purely informational.
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
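# SAN entries referenced by subjectAltName = @alternate_names above.
# Host names go in DNS.n entries and IP addresses in IP.n entries. Validators
# that follow RFC 6125 / the CA/Browser Baseline Requirements (Chrome among
# them) match an IP literal only against an iPAddress SAN, never against a
# dNSName, so 127.0.0.1 or ::1 must not be written as a DNS.n value.
[ alternate_names ]
DNS.1 = localhost
DNS.2 = localhost.localdomain
IP.1 = 127.0.0.1
# Production-style template; uncomment and edit the names as needed.
# DNS.1 = example.com
# DNS.2 = www.example.com
# DNS.3 = mail.example.com
# DNS.4 = ftp.example.com
# Add these if you need them. But usually you don't want them or
# need them in production. You may need them for development.
# DNS.5 = localhost
# DNS.6 = localhost.localdomain
# IP.1 = 127.0.0.1
# IPv6 localhost
# IP.2 = ::1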