Example openssl configuration files for a root CA (ca-root) and a subordinate CA (ca-sub). They may well contain errors.
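HOME = .

# ca-root -- OpenSSL configuration for the root CA.
# Read by `openssl req -x509` (the self-signed root certificate) and by
# `openssl ca` (issuing subordinate CA certificates and CRLs). $name
# references are expanded by OpenSSL's config parser.
#
# Review changes against the original:
# - [ca_default] had no `policy`; `openssl ca` refuses to run without one.
#   The former [generic_policy] held literal values (US, California, ...)
#   rather than the policy keywords match/supplied/optional and was dropped;
#   [signing_policy] is used instead.
# - Certificates issued by this CA now use [sub_ca_extensions] (CA:true with
#   pathlen:0) instead of the root's own profile [ca_extensions].
# - extendedKeyUsage and keyEncipherment were removed from the CA profiles:
#   an EKU on a CA certificate restricts everything chaining to it, and a CA
#   key only signs certificates and CRLs.
# - CDP/AIA now come from the [crl_info]/[issuer_info] sections and the
#   $crl_url/$ocsp_url variables, which were defined but never used.
# - A duplicated name_opt line was dropped; all paths derive from $dir.

####################################################################
[ default ]
# CA name, also used to build the URLs below
ca = ca-root.mydomain.org
# CA base URL
base_url = http://ca-root.mydomain.org
# CA certificate URL (caIssuers entry of authorityInfoAccess)
aia_url = $base_url/$ca.cer
# Certificate Revocation List distribution point
crl_url = $base_url/$ca.crl
# OCSP responder URL
ocsp_url = http://ocsp-signer.mydomain.org
# Root directory of the CA; every path below derives from it
dir = /opt/public_key_infrastructure_plant/alt_local/pki/CA
# Subject DN display options (show UTF-8 characters)
name_opt = multiline, -esc_msb, utf8

####################################################################
[ req ]
# RSA key size
default_bits = 4096
# Where `openssl req` writes the key; the same path [ca_default] reads it
# from (the original wrote it into the current directory)
default_keyfile = $dir/private/ca-root.mydomain.org_key_certificate-authority-root_authenticate.key
# Signature digest
default_md = sha256
# DN prompt template
distinguished_name = ca_distinguished_name
# Emit UTF-8 strings only
string_mask = utf8only
# Extensions of the self-signed root certificate (-x509)
x509_extensions = ca_extensions

####################################################################
[ ca ]
default_ca = ca_default

####################################################################
[ ca_default ]
# The root CA certificate
certificate = $dir/certs/ca-root.mydomain.org_certificate-authority-root_authenticate.crt
# Never copy extensions from a CSR into a CA certificate
copy_extensions = none
# CRL extensions
crl_extensions = crl_ext
# Certificate database a.k.a. index file
database = $dir/ca.db.index
# Days until the next CRL is due
default_crl_days = 365
# Validity of issued certificates: 10 years
default_days = 3653
# Signature digest
default_md = sha256
# Do not concatenate the email into the DN
email_in_dn = no
# Subject DN display options
name_opt = $name_opt
# Certificate archive
new_certs_dir = $dir/ca.db.certs
# Naming policy applied to CSR subjects (required by `openssl ca`)
policy = signing_policy
# Do not keep the DN ordering passed in the CSR
preserve = no
private_key = $dir/private/ca-root.mydomain.org_key_certificate-authority-root_authenticate.key
# Legacy seed file; harmless on current OpenSSL
RANDFILE = $dir/ca.db.rand
# Serial number file; this is also used by ocsp
serial = $dir/ca.db.serial
# 'no' allows several certificates with the same subject (renewals)
unique_subject = no
# Default extensions for certificates this CA issues (subordinate CAs).
# Deliberately not ca_extensions, which is the root's own unconstrained
# profile. Pass `-extensions signing_req` to issue an end-entity certificate.
x509_extensions = sub_ca_extensions

####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Pacifica
organizationName = Organization Name (eg, company)
organizationName_default = Mydomain
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = ca-root.mydomain.org
emailAddress = Email Address
emailAddress_default = deft@mydomain.name

####################################################################
[ ca_extensions ]
# Profile of the self-signed root certificate only.
basicConstraints = critical, CA:true
# A CA key signs certificates and CRLs; nothing else
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
# No extendedKeyUsage: the former `serverAuth` would have restricted every
# certificate chaining to this root to server authentication. A self-signed
# root carries no CDP/AIA either; those belong on the certificates it issues.

####################################################################
[ sub_ca_extensions ]
# Profile for subordinate CA certificates issued by this root.
# pathlen:0 stops the subordinate from issuing further CAs; raise it if a
# deeper hierarchy is intended.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
crlDistributionPoints = @crl_info
# The original hard-coded http://ca-root.mydomain.org:8083 here while
# $ocsp_url names ocsp-signer.mydomain.org -- confirm which responder is live
authorityInfoAccess = caIssuers;URI:$aia_url, OCSP;URI:$ocsp_url

####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ signing_req ]
# End-entity profile; select it explicitly with `-extensions signing_req`.
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

####################################################################
[ crl_ext ]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy

####################################################################
[ issuer_info ]
caIssuers;URI.0 = $aia_url

####################################################################
[ crl_info ]
URI.0 = $crl_url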
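HOME = .

# ca-sub -- OpenSSL configuration for the subordinate CA.
# Read by `openssl req` (this CA's own CSR, signed by the root) and by
# `openssl ca` (issuing end-entity certificates and CRLs). $name references
# are expanded by OpenSSL's config parser.
#
# Review changes against the original:
# - [ca_sub] defaulted to x509_extensions = ca_extensions, so every
#   certificate issued by this CA carried `basicConstraints = CA:true` and
#   was itself a CA. The default is now the end-entity profile [signing_req];
#   [ca_extensions] is only applied when selected with `-extensions`.
# - [signing_req] no longer sets subjectAltName = @alternate_names (this
#   host's own names) on every issued certificate; copy_extensions = copy
#   already takes the SAN from each CSR.
# - extendedKeyUsage and keyEncipherment were removed from the CA profile;
#   CDP/AIA now use the [crl_info]/[issuer_info] sections and $ocsp_url.
# - The invalid [generic_policy] section (literal values, not policy
#   keywords) and a duplicated name_opt line were dropped; all paths derive
#   from $dir.

####################################################################
[ default ]
# CA name, also used to build the URLs below
ca = ca-sub-toblerone.mydomain.org
# CA base URL
base_url = http://toblerone.mydomain.org
# CA certificate URL (caIssuers entry of authorityInfoAccess)
aia_url = $base_url/$ca.cer
# Certificate Revocation List distribution point
crl_url = $base_url/$ca.crl
# OCSP responder URL
ocsp_url = http://ocsp-signer.mydomain.org
# Root directory of the CA; every path below derives from it
dir = /opt/public_key_infrastructure_plant/alt_local/pki/CA-sub
# Subject DN display options (show UTF-8 characters)
name_opt = multiline, -esc_msb, utf8

####################################################################
[ req ]
# RSA key size
default_bits = 4096
# Signature digest
default_md = sha256
# DN template (literal values, see prompt = no)
distinguished_name = ca_distinguished_name
# 'no' writes the CA private key UNENCRYPTED (no passphrase). The original
# comment said "Protect private key", which is the opposite of what `no`
# does; set `yes` unless the key lives in an HSM or equivalent.
encrypt_key = no
# Do not prompt for the DN
prompt = no
# Extensions requested in this CA's CSR
req_extensions = ca_reqext
# Emit UTF-8 strings only
string_mask = utf8only
# Input is UTF-8
utf8 = yes

####################################################################
[ ca ]
default_ca = ca_sub

####################################################################
[ ca_sub ]
# The subordinate CA certificate
certificate = $dir/certs/toblerone.mydomain.org_certificate-authority-sub_authenticate.crt
# Required to copy SANs from the CSR into the certificate. Only the
# extensions named in x509_extensions are added on top; review CSRs, since
# any extension a requester puts in the CSR is copied verbatim.
copy_extensions = copy
# CRL extensions
crl_extensions = crl_ext
# Certificate database a.k.a. index file
database = $dir/ca.db.index
# Days until the next CRL is due. Relying parties may cache a CRL for this
# long; publish a fresh CRL promptly after each revocation.
default_crl_days = 365
# Validity of issued end-entity certificates: 10 years. That is far longer
# than usual for leaf certificates; consider shortening.
default_days = 3653
# Signature digest
default_md = sha256
# Do not concatenate the email into the DN
email_in_dn = no
# Subject DN display options
name_opt = $name_opt
# Certificate archive
new_certs_dir = $dir/ca.db.certs
# Default naming policy
policy = match_pol
# Do not keep the DN ordering passed in the CSR
preserve = no
private_key = $dir/private/toblerone.mydomain.org_key_certificate-authority-sub_authenticate.key
# Legacy seed file; harmless on current OpenSSL
RANDFILE = $dir/ca.db.rand
# Serial number file; this is also used by ocsp
serial = $dir/ca.db.serial
# 'no' allows several certificates with the same subject (renewals)
unique_subject = no
# Default extensions for issued certificates: the end-entity profile.
# Never default to a CA:true profile here; use `-extensions ca_extensions`
# explicitly on the rare occasion a CA certificate is issued.
x509_extensions = signing_req

####################################################################
[ match_pol ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied

####################################################################
[ ca_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Pacifica
organizationName = Mydomain
# NOTE(review): this CN differs from `ca` above (ca-sub-toblerone.mydomain.org)
# and from the certificate file name (toblerone.mydomain.org) -- confirm
commonName = ca-sub.mydomain.org
emailAddress = postmaster@mydomain.name

####################################################################
[ ca_extensions ]
# CA profile, applied only when selected with `-extensions ca_extensions`.
basicConstraints = critical, CA:true
# A CA key signs certificates and CRLs; nothing else
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
# No extendedKeyUsage: an EKU on a CA certificate restricts everything that
# chains to it. CDP/AIA point at this CA's own publication URLs.
crlDistributionPoints = @crl_info
authorityInfoAccess = caIssuers;URI:$aia_url, OCSP;URI:$ocsp_url

####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ signing_req ]
# Default profile for end-entity certificates issued by this CA.
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# subjectAltName is taken from the CSR (copy_extensions = copy), not fixed here
crlDistributionPoints = @crl_info
authorityInfoAccess = caIssuers;URI:$aia_url, OCSP;URI:$ocsp_url

####################################################################
[ ca_reqext ]
# Extensions requested in this CA's own CSR. The root signs it with
# copy_extensions = none, so these only document the intent to the root
# operator; the issued certificate's extensions come from the root config.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = @alternate_names

####################################################################
[ crl_ext ]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy

####################################################################
[ issuer_info ]
caIssuers;URI.0 = $aia_url

####################################################################
[ crl_info ]
URI.0 = $crl_url

####################################################################
[ alternate_names ]
# Names of this CA host, used by ca_reqext only
IP = 192.168.0.8
DNS.1 = ca-sub.mydomain.org
DNS.2 = toblerone.mydomain.org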