Created
October 30, 2023 16:08
OpenSSL certificate chain (based on https://www.golinuxcloud.com/openssl-create-certificate-chain-linux/)
# Entry section read by `openssl ca`: it only names the section that holds
# the actual CA settings.
[ ca ]
default_ca = CA_default

# Settings for the intermediate CA used by `openssl ca`. Paths are relative to
# the working directory; `dir` must stay first because the entries below expand $dir.
[ CA_default ]
dir = certificate-authorities/intermediate
certs = $dir/certs
crl_dir = $dir/crl
# Every issued certificate is also written here, named by serial number.
new_certs_dir = $dir/newcerts
# Text database of issued certificates and their status (valid/revoked/expired).
database = $dir/index.txt
# Next serial number to issue, maintained by `openssl ca`.
serial = $dir/serial
# Seed file for the random number generator.
RANDFILE = $dir/private/.rand
# The signing key. OpenSSL does not enforce file permissions on it, so keep
# $dir/private readable by the CA operator only.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
crl = $dir/crl/intermediate.crl.pem
# Next CRL number, maintained by `openssl ca -gencrl`.
crlnumber = $dir/crlnumber
# Extensions added to every CRL; defined in [ crl_ext ].
crl_extensions = crl_ext
# Days from now that a newly generated CRL's nextUpdate field is set to.
default_crl_days = 30
# Digest used for certificate and CRL signatures.
default_md = sha256
# no: the issued DN follows the field order of the policy section, not the request.
preserve = no
# no: an emailAddress in the request is left out of the issued subject DN.
email_in_dn = no
# Display options used when printing the name and certificate for confirmation.
name_opt = ca_default
cert_opt = ca_default
# Which DN fields a request must carry; see [ policy_loose ].
policy = policy_loose
# NOTE(review): unique_subject is not set here, so OpenSSL's default applies
# and a second valid certificate for an identical subject is refused until the
# first one is revoked or expired — confirm that is intended before re-issuing
# a server certificate with the same DN.

# DN policy applied when this CA signs a request: `supplied` fields must be
# present in the request, `optional` ones may be omitted, and no field has to
# match the issuer's own DN — suitable for end-entity certificates.
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
# The only mandatory field.
commonName = supplied
emailAddress = optional

# Defaults for `openssl req` when creating this CA's key and CSR.
[ req ]
# RSA key size in bits when no -newkey size is given on the command line.
default_bits = 2048
# Section supplying the subject DN values; see [ req_distinguished_name ].
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only.
string_mask = utf8only
# Digest used to sign the request.
default_md = sha256
# Only used when `openssl req -x509` self-signs. When the CSR is signed by the
# root CA, the extensions come from the root's configuration instead.
x509_extensions = v3_intermediate_ca
# no: take the DN from [ req_distinguished_name ] literally instead of prompting.
prompt = no

# Subject DN of the intermediate CA. Because [ req ] sets prompt = no, these
# are the literal values, not prompt labels. They are example values for the
# "Contoso" sample organisation and must be replaced for real use.
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Ile-de-France
localityName = Paris
# The "0." prefix only keeps the key unique within the section; OpenSSL strips it.
0.organizationName = Contoso Corporation
organizationalUnitName = IT Department
commonName = Contoso Corporation Intermediate CA
emailAddress = admin@contoso.com

# Extensions for the intermediate CA certificate; referenced by
# x509_extensions in [ req ], so they only take effect for `openssl req -x509`.
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# CA:true marks a CA; pathlen:0 forbids it from certifying any further CA, so
# only end-entity certificates can chain through it.
basicConstraints = critical, CA:true, pathlen:0
# keyCertSign and cRLSign are the CA operations; digitalSignature is included
# beyond those two bits and is not needed for certificate issuance itself.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# Extensions placed in every CRL this CA issues (see crl_extensions in [ CA_default ]).
[ crl_ext ]
# Identify the issuing key by its key identifier only.
authorityKeyIdentifier = keyid:always
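
# Extensions for TLS server certificates; select with
# `openssl ca -extensions server_cert` when signing a request.
[ server_cert ]
# End-entity certificate: it must not be able to issue further certificates.
basicConstraints = CA:FALSE
# Legacy Netscape extension kept for old clients; current clients rely on
# extendedKeyUsage instead.
nsCertType = server
# Identifier of the certificate's own key; RFC 5280 recommends it for end
# entities and it lets relying parties match this certificate to AKIs.
subjectKeyIdentifier = hash
# Link to the issuing CA by key identifier and, where available, issuer name/serial.
authorityKeyIdentifier = keyid,issuer
# digitalSignature covers the TLS handshake signature; keyEncipherment covers
# RSA key transport.
keyUsage = critical, digitalSignature, keyEncipherment
# Restrict the certificate to TLS server authentication.
extendedKeyUsage = serverAuth
# NOTE(review): no subjectAltName is set in this section. Current TLS clients
# match the host name against subjectAltName, not commonName, so either add an
# explicit subjectAltName line here or set copy_extensions = copy in
# [ CA_default ] and review each CSR before signing, because copying trusts
# whatever extensions the request carries.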
# Entry section read by `openssl ca`: it only names the section that holds
# the root CA settings.
[ ca ]
default_ca = CA_default

# Settings for the root CA used by `openssl ca`. Paths are relative to the
# working directory; `dir` must stay first because the entries below expand $dir.
[ CA_default ]
dir = certificate-authorities/root
certs = $dir/certs
crl_dir = $dir/crl
# Every issued certificate is also written here, named by serial number.
new_certs_dir = $dir/newcerts
# Text database of issued certificates and their status (valid/revoked/expired).
database = $dir/index.txt
# Next serial number to issue, maintained by `openssl ca`.
serial = $dir/serial
# Seed file for the random number generator.
RANDFILE = $dir/private/.rand
# The root signing key. OpenSSL does not enforce file permissions on it, so
# keep $dir/private readable by the CA operator only (ideally offline).
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
crl = $dir/crl/ca.crl.pem
# Next CRL number, maintained by `openssl ca -gencrl`.
crlnumber = $dir/crlnumber
# Extensions added to every CRL; defined in [ crl_ext ].
crl_extensions = crl_ext
# Days from now that a newly generated CRL's nextUpdate field is set to.
default_crl_days = 30
# Digest used for certificate and CRL signatures.
default_md = sha256
# no: the issued DN follows the field order of the policy section, not the request.
preserve = no
# no: an emailAddress in the request is left out of the issued subject DN.
email_in_dn = no
# Display options used when printing the name and certificate for confirmation.
name_opt = ca_default
cert_opt = ca_default
# Which DN fields a request must carry; see [ policy_strict ].
policy = policy_strict
# no: several valid certificates may share one subject DN, which allows
# re-issuing the intermediate without revoking the old one first. It also
# disables OpenSSL's duplicate-subject check, so review index.txt before signing.
unique_subject = no

# DN policy for requests signed by the root (i.e. the intermediate CA's CSR):
# `match` fields must equal the root's own DN, `supplied` fields must be
# present, `optional` fields may be omitted. localityName is not listed, and
# OpenSSL drops fields a policy section does not mention from the issued DN
# unless preserve is set.
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
# The only mandatory field.
commonName = supplied
emailAddress = optional

# Defaults for `openssl req` when creating the root key and self-signed certificate.
[ req ]
# RSA key size in bits when no -newkey size is given on the command line.
default_bits = 2048
# Section supplying the subject DN values; see [ req_distinguished_name ].
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only.
string_mask = utf8only
# Digest used to sign the request / self-signed certificate.
default_md = sha256
# no: use the DN values from [ req_distinguished_name ] without prompting.
prompt = no
# NOTE(review): no x509_extensions is set, so `openssl req -x509` only picks up
# the [ v3_ca ] extensions if -extensions v3_ca is given on the command line —
# verify the generated root actually carries basicConstraints CA:true.

# Subject DN of the root CA. Because [ req ] sets prompt = no, these are the
# literal values, not prompt labels. They are example values for the "Contoso"
# sample organisation and must be replaced for real use. C, ST and O must
# equal the intermediate's values, since [ policy_strict ] requires them to match.
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Ile-de-France
localityName = Paris
# The "0." prefix only keeps the key unique within the section; OpenSSL strips it.
0.organizationName = Contoso Corporation
organizationalUnitName = IT Department
commonName = Contoso Corporation Root CA
emailAddress = admin@contoso.com

# Extensions for the self-signed root certificate (select with -extensions v3_ca).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# No pathlen on the root; the length constraint is placed on the intermediate instead.
basicConstraints = critical, CA:true
# Only the CA operations. digitalSignature is absent, so the root key is
# flagged for certificate and CRL issuance only.
keyUsage = critical, keyCertSign, cRLSign

# Extensions placed in every CRL the root issues (see crl_extensions in [ CA_default ]).
[ crl_ext ]
# Identify the issuing key by key identifier plus issuer name/serial.
authorityKeyIdentifier = keyid:always,issuer
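
# Extensions applied when the root signs the intermediate's CSR
# (`openssl ca -extensions v3_intermediate_ca`). This section, not the one in
# the intermediate's own configuration, decides what the issued certificate contains.
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 stops the intermediate from issuing further CA certificates: any
# sub-CA it signs fails path validation. This matches the pathlen:0 the
# intermediate's own configuration declares for itself and was missing here.
basicConstraints = critical, CA:true, pathlen:0
# keyCertSign and cRLSign are the CA operations; digitalSignature is included
# beyond those two bits and is not needed for certificate issuance itself.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign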