An openssl.cnf template for version >= 1.x
# Entry point for `openssl ca`: names the section that holds the CA settings.
[ ca ]
default_ca =CA_default
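# Settings used by `openssl ca` when signing certificate requests.
[ CA_default ]
# Root of the CA working directory, read from the ROOT environment variable.
# The variable must be set, otherwise the configuration cannot be loaded.
dir =$ENV::ROOT
certs =$dir
crl_dir =$dir
database =$dir/index.txt
new_certs_dir =$dir
certificate =$dir/ca.crt
serial =$dir/serial
crl =$dir/crl.pem
# The CA private key lives in the same directory as the issued certificates
# and the index; restrict this file to the CA operator.
private_key =$dir/ca.key
RANDFILE =$dir/.rand
# Extension section applied to signed certificates unless another one is
# selected at signing time.
x509_extensions =usr_cert
name_opt =ca_default
cert_opt =ca_default
# NOTE(review): 3650 days is a ten-year validity for every issued
# certificate; confirm this is intended for end-entity certificates.
default_days =3650
default_crl_days =30
# Pinned to SHA-256. "default" defers to the key type's default digest,
# which may resolve to SHA-1 on older 1.0.x releases.
default_md =sha256
preserve =no
policy =policy_match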
# Subject policy selected by [ CA_default ]: "match" fields must equal the
# CA certificate's value, "supplied" fields must be present, "optional"
# fields may be absent.
[ policy_match ]
countryName =match
stateOrProvinceName =match
organizationName =match
organizationalUnitName =optional
commonName =supplied
emailAddress =optional
# Permissive alternative policy: only commonName is required. Nothing in
# this file selects it; with it, the CA signs requests whose country,
# state and organization differ from its own.
[ policy_anything ]
countryName =optional
stateOrProvinceName =optional
localityName =optional
organizationName =optional
organizationalUnitName =optional
commonName =supplied
emailAddress =optional
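# Defaults for `openssl req` (CSR and self-signed certificate generation).
[ req ]
default_bits =2048
default_keyfile =privkey.pem
distinguished_name =req_distinguished_name
attributes =req_attributes
# Extensions for self-signed certificates created with `req -x509`.
x509_extensions =v3_ca
# Extensions placed in CSRs. v3_req references @alt_names, so
# [ alt_names ] must hold at least one entry before a request is built.
req_extensions =v3_req
# Signature digest set explicitly so it does not depend on the release's
# built-in default (SHA-1 on some older 1.0.x builds).
default_md =sha256
# Keep these commented out: a key passphrase stored here is readable by
# anyone who can read this file.
#input_password =secret
#output_password =secret
string_mask =utf8only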
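# Prompts, length limits and defaults for the subject name that
# `openssl req` asks for.
[ req_distinguished_name ]
countryName =Country Name (2 letter code)
countryName_min =2
countryName_max =2
stateOrProvinceName =State or Province Name (full name)
localityName =Locality Name (eg, city)
0.organizationName =Organization Name (eg, company)
organizationalUnitName =Organizational Unit Name (eg, section)
commonName =Common Name (e.g. server FQDN or YOUR name)
commonName_max =64
# NOTE(review): unique_subject is an `openssl ca` setting, not a subject
# field, and appears to have no effect in this section. Move it to
# [ CA_default ] if duplicate subjects are meant to be allowed.
unique_subject =no
emailAddress =Email Address
emailAddress_max =64
# defaults
# Every $ENV:: name below must be set in the environment, otherwise the
# configuration cannot be loaded.
countryName_default =$ENV::COUNTRY
stateOrProvinceName_default =$ENV::STATE
0.organizationName_default =$ENV::ORG
organizationalUnitName_default =$ENV::UNIT
localityName_default =$ENV::CITY
# NOTE(review): the default common name is a bare "*"; confirm a wildcard
# subject is intended and enter the real host or user name otherwise.
commonName_default =*
# The _default suffix is required: a second plain emailAddress key would
# overwrite the prompt text above instead of supplying a default value.
emailAddress_default =$ENV::EMAIL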
# Optional CSR attributes prompted for by `openssl req`.
[ req_attributes ]
# The challenge password is embedded in the request as readable text; do
# not reuse a real credential here.
challengePassword =A challenge password
challengePassword_min =4
challengePassword_max =20
unstructuredName =An optional company name
# Default extensions for certificates signed by the CA: an end-entity
# certificate limited to TLS client authentication.
[ usr_cert ]
# CA:FALSE prevents the certificate from being used to issue others.
basicConstraints =CA:FALSE
nsComment ="OpenSSL Generated Certificate"
subjectKeyIdentifier =hash
authorityKeyIdentifier =keyid,issuer:always
extendedKeyUsage =clientAuth
keyUsage =digitalSignature
# Copies the subject's e-mail address into the subject alternative name.
subjectAltName =email:copy
issuerAltName =issuer:copy
# Extensions for TLS server certificates. Nothing in this file selects the
# section; presumably it is chosen at signing time with -extensions.
[ server ]
basicConstraints =CA:FALSE
# nsCertType and nsComment are legacy Netscape extensions; the usage limits
# that matter are keyUsage and extendedKeyUsage below.
nsCertType =server
nsComment ="OpenSSL Generated Server Certificate"
subjectKeyIdentifier =hash
authorityKeyIdentifier =keyid,issuer:always
extendedKeyUsage =serverAuth
keyUsage =digitalSignature, keyEncipherment
# Host names come from [ alt_names ], which must be filled in first.
subjectAltName =@alt_names
# Extensions requested in CSRs (req_extensions in [ req ]). The signing CA
# decides whether to honour them.
[ v3_req ]
basicConstraints =CA:FALSE
keyUsage =nonRepudiation, digitalSignature, keyEncipherment
# Host names come from [ alt_names ], which must be filled in first.
subjectAltName =@alt_names
# Subject alternative names referenced by [ server ] and [ v3_req ]. The
# section is empty in this template; add entries before generating a
# request or certificate, since an empty list is expected to be rejected.
# Constructed example:
#   DNS.1 =host.example.com
[ alt_names ]
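# Extensions for the self-signed CA certificate (x509_extensions in [ req ]).
[ v3_ca ]
subjectKeyIdentifier =hash
authorityKeyIdentifier =keyid:always,issuer
# Marked critical so that validators which do not process the extension
# reject the certificate rather than ignore its CA status.
basicConstraints =critical,CA:true
# Typical restriction for a CA certificate. Left commented out because it
# stops the same settings from producing a self-signed test certificate.
#keyUsage =critical,keyCertSign,cRLSign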
# CRL extensions. Nothing in this file references the section; presumably
# it is selected on the command line when a CRL is generated.
[ crl_ext ]
authorityKeyIdentifier =keyid:always
# Extensions for proxy certificates. Nothing in this file references the
# section.
[ proxy_cert_ext ]
basicConstraints =CA:FALSE
nsComment ="OpenSSL Generated Certificate"
subjectKeyIdentifier =hash
authorityKeyIdentifier =keyid,issuer
# NOTE(review): id-ppl-anyLanguage with "policy:foo" looks like sample
# text; set a real policy and confirm pathlen:3 before issuing.
proxyCertInfo =critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
# Entry point for `openssl ts`: names the section holding the timestamp
# authority settings.
[ tsa ]
default_tsa =tsa_config1
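# Timestamp authority (TSA) settings used by `openssl ts`.
[ tsa_config1 ]
# Working directory, read from the ROOT environment variable (must be set).
dir =$ENV::ROOT
serial =$dir/tsaserial
crypto_device =builtin
signer_cert =$dir/tsacert.pem
certs =$dir/ca.crt
# TSA signing key; restrict the private/ directory to the TSA operator.
signer_key =$dir/private/tsakey.pem
# NOTE(review): tsa_policy1..3 are not defined as OIDs anywhere in the
# visible file; presumably an OID section must supply them. Confirm.
default_policy =tsa_policy1
other_policies =tsa_policy2, tsa_policy3
# Digests accepted in timestamp requests. MD5 and SHA-1 are excluded
# because a timestamp over a collision-prone digest does not bind the token
# to a single document.
digests =sha256, sha384, sha512
# NOTE(review): newer OpenSSL releases also read a signer_digest key for
# the digest used to sign responses; confirm against the target version.
#signer_digest =sha256
accuracy =secs:1, millisecs:500, microsecs:100
clock_precision_digits =0
ordering =yes
tsa_name =yes
ess_cert_id_chain =no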