@brian-ewell /openssl.cnf Secret
Last active Dec 20, 2016

Customized OpenSSL configuration
# OpenSSL Configuration file
[ ca ]
# Entry point for `openssl ca`: default_ca names the section whose settings
# are used when no -name option is given on the command line. The [ rsa ]
# profile below is only used when it is selected explicitly with -name.
# Prefer to use ECDSA
default_ca = ecc
[ ecc ]
# CA profile selected by default_ca in [ ca ].
# NOTE(review): no x509_extensions key is set in this section, so the
# extension profile (v3ext_root, v3ext_branch, v3ext_user or v3ext_server)
# has to be named with -extensions on every signing run. Without it
# `openssl ca` issues a certificate that carries no extensions at all (no
# basicConstraints, keyUsage or extendedKeyUsage). copy_extensions is also
# unset, so extensions requested inside a CSR are not copied into the
# certificate.
# File and directory locations
# dir must stay first: the values below reference it.
dir = /opt/local/etc/openssl/ecc
# A copy of every issued certificate is written here
new_certs_dir = $dir/certs
# Text database of issued and revoked certificates
database = $dir/index.txt
# Next certificate serial number, in hex
serial = $dir/serial
# Random seed file
RANDFILE = $dir/.rand
# CA signing key and CA certificate.
# NOTE(review): the signing key lives in the same tree as the public material
# (issued certificates, index). Nothing in this file shows its permissions or
# whether it is passphrase-protected -- confirm it is readable only by the CA
# operator.
private_key = $dir/private.key
certificate = $dir/public.crt
# Certificate revocation list
# Next CRL number, in hex
crlnumber = $dir/crlnumber
# Extensions added to each CRL; see [ v3ext_crl ]
crl_extensions = v3ext_crl
# Days until the next CRL is due; a fresh CRL has to be published before
# that or relying parties are left with an expired one
default_crl_days = 30
# Miscellaneous defaults
# Message digest used when signing
default_md = sha256
# Display format used when the operator is asked to confirm signing
name_opt = ca_default
cert_opt = ca_default
# Certificate lifetime in days when none is given on the command line
default_days = 365
# no: subject DN fields follow the policy section's order, not the request's
preserve = no
# no: several valid certificates may share the same subject DN
unique_subject = no
# Subject DN acceptance rules; see [ default_policy ]
policy = default_policy
[ rsa ]
# Alternative CA profile. default_ca in [ ca ] points at [ ecc ], so this
# section is used only when it is selected with `openssl ca -name rsa`.
# NOTE(review): no x509_extensions key is set in this section, so the
# extension profile (v3ext_root, v3ext_branch, v3ext_user or v3ext_server)
# has to be named with -extensions on every signing run. Without it
# `openssl ca` issues a certificate that carries no extensions at all (no
# basicConstraints, keyUsage or extendedKeyUsage). copy_extensions is also
# unset, so extensions requested inside a CSR are not copied into the
# certificate.
# File and directory locations
# dir must stay first: the values below reference it.
dir = /opt/local/etc/openssl/rsa
# A copy of every issued certificate is written here
new_certs_dir = $dir/certs
# Text database of issued and revoked certificates
database = $dir/index.txt
# Next certificate serial number, in hex
serial = $dir/serial
# Random seed file
RANDFILE = $dir/.rand
# CA signing key and CA certificate.
# NOTE(review): the signing key lives in the same tree as the public material
# (issued certificates, index). Nothing in this file shows its permissions or
# whether it is passphrase-protected -- confirm it is readable only by the CA
# operator.
private_key = $dir/private.key
certificate = $dir/public.crt
# Certificate revocation list
# Next CRL number, in hex
crlnumber = $dir/crlnumber
# Extensions added to each CRL; see [ v3ext_crl ]
crl_extensions = v3ext_crl
# Days until the next CRL is due; a fresh CRL has to be published before
# that or relying parties are left with an expired one
default_crl_days = 30
# Miscellaneous defaults
# Message digest used when signing
default_md = sha256
# Display format used when the operator is asked to confirm signing
name_opt = ca_default
cert_opt = ca_default
# Certificate lifetime in days when none is given on the command line
default_days = 365
# no: subject DN fields follow the policy section's order, not the request's
preserve = no
# no: several valid certificates may share the same subject DN
unique_subject = no
# Subject DN acceptance rules; see [ default_policy ]
policy = default_policy
[ default_policy ]
# Subject DN policy applied by `openssl ca` (policy = default_policy in
# [ ecc ] and [ rsa ]). "supplied" fields must be present in the request;
# "optional" fields are copied when present. No field is set to "match", so
# the CA will sign a request naming any country or organisation: the only
# check is that a commonName exists. Vetting the requested subject is left
# to the operator at the confirmation prompt.
# NOTE(review): DN fields that have no entry here are dropped from the issued
# subject (preserve = no in the CA sections). localityName is prompted for in
# [ req_distinguished_name ] but is not listed below, so it would not appear
# in issued certificates -- confirm that is intended.
# Our default policy is pretty liberal
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Settings for `openssl req`.
# Configuration for when this branch produces its own CSR
# NOTE(review): default_bits is not set, so an RSA key generated by
# `openssl req` without an explicit size gets whatever default the installed
# OpenSSL build uses -- give the size explicitly when generating RSA keys.
# No req_extensions or x509_extensions key is set either; presumably the
# wanted profile is passed with -extensions on the command line -- confirm.
# Section that defines the subject DN prompts
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only
string_mask = utf8only
# Message digest used to sign the request
default_md = sha256
[ req_distinguished_name ]
# Subject DN prompts for `openssl req` (distinguished_name in [ req ]).
# Each "field = text" line makes req prompt for that field with the given
# text; a matching "field_default" line supplies the value used when the
# operator just presses Enter.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
# NOTE(review): localityName has no entry in [ default_policy ], so a value
# entered here is not carried into certificates issued by this CA.
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address
# Pre-filled answers for the two prompts above
countryName_default = US
organizationName_default = Cospix LLC
# NOTE(review): this adds a prompt for a SET extension field; it looks like
# a leftover from a sample openssl.cnf -- confirm it is wanted.
SET-ex3 = SET extension number 3
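[ v3ext_crl ]
# CRL extensions, referenced by crl_extensions in [ ecc ] and [ rsa ].
# keyid:always puts the CA certificate's subject key identifier into the
# CRL's authorityKeyIdentifier. That is the identification method RFC 5280
# (section 5.2.1) requires of CRL issuers, and it matches the keyid:always
# used by every certificate profile in this file. With "always", CRL
# generation fails if the CA certificate has no subjectKeyIdentifier.
# issuer:always additionally embeds the CA certificate's issuer name and
# serial number.
authorityKeyIdentifier = keyid:always, issuer:always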
[ v3ext_root ]
# Extension profile for a CA certificate with no path length limit; by its
# name, meant for the root. It is applied only when named with -extensions.
# critical: verifiers that do not understand the extension must reject
basicConstraints = critical, CA:true
# The key may sign certificates and CRLs and nothing else
keyUsage = critical, keyCertSign, cRLSign
# NOTE(review): keep subjectKeyIdentifier above authorityKeyIdentifier. On a
# self-signed certificate the keyid presumably comes from this certificate's
# own subject key identifier -- verify before reordering.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
[ v3ext_branch ]
# Extension profile for a subordinate ("branch") CA certificate. It is
# applied only when named with -extensions.
# pathlen:0: the branch CA may issue end-entity certificates but no further
# CA certificates below itself
basicConstraints = critical, CA:true, pathlen:0
# The key may sign certificates and CRLs and nothing else
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# NOTE(review): issuer:always also records the issuing CA certificate's
# issuer name and serial number. That ties this certificate to one specific
# CA certificate: if the CA certificate is re-issued with a new serial
# number, the recorded value no longer matches. keyid alone is usually
# enough -- confirm the issuer form is wanted.
authorityKeyIdentifier = keyid:always, issuer:always
[ v3ext_user ]
# Extension profile for end-entity (user) certificates. It is applied only
# when named with -extensions.
# Not a CA: the certificate cannot be used to issue other certificates
basicConstraints = critical, CA:false
# One list for both key types: keyEncipherment is the RSA key-transport bit,
# keyAgreement the (EC)DH bit
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
# NOTE(review): a single certificate is valid for client authentication,
# code signing, S/MIME and time stamping at once, so compromise of that one
# key affects all four uses. RFC 3161 also requires a time-stamping
# certificate to carry timeStamping as its only extended key usage, marked
# critical, so this profile does not yield a conforming TSA certificate.
# Consider one narrower profile per purpose.
extendedKeyUsage = clientAuth, codeSigning, emailProtection, timeStamping
subjectKeyIdentifier = hash
# issuer:always also records the issuing CA certificate's issuer name and
# serial number, which ties the certificate to that specific CA certificate
authorityKeyIdentifier = keyid:always, issuer:always
[ v3ext_server ]
# Extension profile for server certificates. It is applied only when named
# with -extensions.
# NOTE(review): no subjectAltName is set here, and the CA sections do not set
# copy_extensions, so a SAN placed in the CSR is not carried over. Many
# current TLS clients match host names against subjectAltName only; the
# names then have to be supplied per certificate (for example through an
# extension file). If copy_extensions is enabled instead, every request must
# be inspected before signing, because extensions chosen by the requester
# would be copied into the certificate.
# Not a CA: the certificate cannot be used to issue other certificates
basicConstraints = critical, CA:false
# One list for both key types: keyEncipherment is the RSA key-transport bit,
# keyAgreement the (EC)DH bit
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
# NOTE(review): RFC 3161 requires a time-stamping certificate to carry
# timeStamping as its only extended key usage, marked critical; combined with
# serverAuth it does not yield a conforming TSA certificate and widens what
# a TLS server key is accepted for. Consider dropping it here.
extendedKeyUsage = serverAuth, timeStamping
subjectKeyIdentifier = hash
# issuer:always also records the issuing CA certificate's issuer name and
# serial number, which ties the certificate to that specific CA certificate
authorityKeyIdentifier = keyid:always, issuer:always