kaito834/root-ca_withAdditionalComments.conf

## root-ca_withAdditionalComments.conf
# Download https://github.com/ivanr/bulletproof-tls/blob/master/private-ca/root-ca.conf and
# Add additional comments to understand this OpenSSL configuration deeply
# Referred version of root-ca.conf: https://github.com/ivanr/bulletproof-tls/commit/5a8db5563afe86aa8a47dcee4dee8fb9d409961e
#
# You can find a document below for OpenSSL configuration format
# https://www.openssl.org/docs/manmaster/man5/config.html

# https://www.openssl.org/docs/manmaster/man5/config.html#DESCRIPTION
# "The first section of a configuration file is special and is referred to as the default section.
#  This section is usually unnamed and spans from the start of file until the first named section.
#  When a name is being looked up it is first looked up in a named section (if any) and then the default section."
[default]
name                    = root-ca
domain_suffix           = example.com
aia_url                 = http://$name.$domain_suffix/$name.crt
crl_url                 = http://$name.$domain_suffix/$name.crl
# https://www.openssl.org/docs/manmaster/man5/config.html#DESCRIPTION
# "The value string undergoes variable expansion. This can be done by including the form $var or ${var}:
#  this will substitute the value of the named variable in the current section."
ocsp_url                = http://ocsp.$name.$domain_suffix:9080
# https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
# "Otherwise the section to be used must be named in the default_ca option of the ca section of the configuration file
#  (or in the default section of the configuration file)."
default_ca              = ca_default
name_opt                = utf8,esc_ctrl,multiline,lname,align

# Referred from section: req below
[ca_dn]
countryName             = "GB"
organizationName        = "Example"
commonName              = "Root CA"

# This section is used by "openssl ca" command
# https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
[ca_default]
home                    = .
database                = $home/db/index
serial                  = $home/db/serial
crlnumber               = $home/db/crlnumber
certificate             = $home/$name.crt
private_key             = $home/private/$name.key
RANDFILE                = $home/private/random
new_certs_dir           = $home/certs
unique_subject          = no
# copy_extensions, https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
# https://www.openssl.org/docs/manmaster/man1/ca.html#WARNINGS
# "The copy_extensions option should be used with caution. If care is not taken then it can be a security risk.
#  For example if a certificate request contains a basicConstraints extension with CA:TRUE and
#  the copy_extensions value is set to copyall and the user does not spot this when the certificate is displayed
#  then this will hand the requester a valid CA certificate."
#
# "This situation can be avoided by setting copy_extensions to copy and including basicConstraints
#  with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension it will be ignored."
copy_extensions         = none
default_days            = 3650
default_crl_days        = 365
default_md              = sha256
# https://www.openssl.org/docs/manmaster/man1/ca.html#POLICY-FORMAT
# match   : must match the same field in the CA certificate
# supplied: must be present
# optional: may be present
# Any fields not mentioned in the policy section are silently deleted, unless the -preserveDN option is set but this can be regarded more of a quirk than intended behaviour.
policy                  = policy_c_o_match

[policy_c_o_match]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# This section is used by "openssl req" command
# https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
# "The configuration options are specified in the req section of the configuration file.
#  As with all configuration files if no value is specified in the specific section (i.e. req)
#  then the initial unnamed or default section is searched too."
[req]
default_bits            = 4096
encrypt_key             = yes
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
# distinguished_name, https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
# "This specifies the section containing the distinguished name fields to prompt for
#  when generating a certificate or certificate request."
# https://www.openssl.org/docs/manmaster/man1/req.html#DISTINGUISHED-NAME-AND-ATTRIBUTE-SECTION-FORMAT
distinguished_name      = ca_dn
# req_extensions, https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
# "This specifies the configuration file section containing a list of extensions to add to the certificate request."
req_extensions          = ca_ext

# Referred from section: req above
# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
[ca_ext]
# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Basic-Constraints
# "This is a multi valued extension which indicates whether a certificate is a CA certificate."
basicConstraints        = critical,CA:true
# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Key-Usage
# "Key usage is a multi valued extension consisting of a list of names of the permitted key usages."
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash

[sub_ca_ext]
# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#DESCRIPTION
# "The long form allows the values to be placed in a separate section:
# basicConstraints=critical,@bs_section"
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:true,pathlen:0
crlDistributionPoints   = @crl_info
# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Extended-Key-Usage
# "This extensions consists of a list of usages indicating purposes for which the certificate public key can be used for,"
extendedKeyUsage        = clientAuth,serverAuth
keyUsage                = critical,keyCertSign,cRLSign
nameConstraints         = @name_constraints
subjectKeyIdentifier    = hash

[crl_info]
URI.0                   = $crl_url

[issuer_info]
caIssuers;URI.0         = $aia_url
OCSP;URI.0              = $ocsp_url

[name_constraints]
permitted;DNS.0=example.com
permitted;DNS.1=example.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = OCSPSigning
noCheck                 = yes
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash
	# Download https://github.com/ivanr/bulletproof-tls/blob/master/private-ca/root-ca.conf and
	# Add additional comments to understand this OpenSSL configuration deeply
	# Referred version of root-ca.conf: https://github.com/ivanr/bulletproof-tls/commit/5a8db5563afe86aa8a47dcee4dee8fb9d409961e
	#
	# You can find a document below for OpenSSL configuration format
	# https://www.openssl.org/docs/manmaster/man5/config.html

	# https://www.openssl.org/docs/manmaster/man5/config.html#DESCRIPTION
	# "The first section of a configuration file is special and is referred to as the default section.
	# This section is usually unnamed and spans from the start of file until the first named section.
	# When a name is being looked up it is first looked up in a named section (if any) and then the default section."
	[default]
	name = root-ca
	domain_suffix = example.com
	aia_url = http://$name.$domain_suffix/$name.crt
	crl_url = http://$name.$domain_suffix/$name.crl
	# https://www.openssl.org/docs/manmaster/man5/config.html#DESCRIPTION
	# "The value string undergoes variable expansion. This can be done by including the form $var or ${var}:
	# this will substitute the value of the named variable in the current section."
	ocsp_url = http://ocsp.$name.$domain_suffix:9080
	# https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
	# "Otherwise the section to be used must be named in the default_ca option of the ca section of the configuration file
	# (or in the default section of the configuration file)."
	default_ca = ca_default
	name_opt = utf8,esc_ctrl,multiline,lname,align

	# Referred from section: req below
	[ca_dn]
	countryName = "GB"
	organizationName = "Example"
	commonName = "Root CA"

	# This section is used by "openssl ca" command
	# https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
	[ca_default]
	home = .
	database = $home/db/index
	serial = $home/db/serial
	crlnumber = $home/db/crlnumber
	certificate = $home/$name.crt
	private_key = $home/private/$name.key
	RANDFILE = $home/private/random
	new_certs_dir = $home/certs
	unique_subject = no
	# copy_extensions, https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
	# https://www.openssl.org/docs/manmaster/man1/ca.html#WARNINGS
	# "The copy_extensions option should be used with caution. If care is not taken then it can be a security risk.
	# For example if a certificate request contains a basicConstraints extension with CA:TRUE and
	# the copy_extensions value is set to copyall and the user does not spot this when the certificate is displayed
	# then this will hand the requester a valid CA certificate."
	#
	# "This situation can be avoided by setting copy_extensions to copy and including basicConstraints
	# with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension it will be ignored."
	copy_extensions = none
	default_days = 3650
	default_crl_days = 365
	default_md = sha256
	# https://www.openssl.org/docs/manmaster/man1/ca.html#POLICY-FORMAT
	# match : must match the same field in the CA certificate
	# supplied: must be present
	# optional: may be present
	# Any fields not mentioned in the policy section are silently deleted, unless the -preserveDN option is set but this can be regarded more of a quirk than intended behaviour.
	policy = policy_c_o_match

	[policy_c_o_match]
	countryName = match
	stateOrProvinceName = optional
	organizationName = match
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	# This section is used by "openssl req" command
	# https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
	# "The configuration options are specified in the req section of the configuration file.
	# As with all configuration files if no value is specified in the specific section (i.e. req)
	# then the initial unnamed or default section is searched too."
	[req]
	default_bits = 4096
	encrypt_key = yes
	default_md = sha256
	utf8 = yes
	string_mask = utf8only
	prompt = no
	# distinguished_name, https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
	# "This specifies the section containing the distinguished name fields to prompt for
	# when generating a certificate or certificate request."
	# https://www.openssl.org/docs/manmaster/man1/req.html#DISTINGUISHED-NAME-AND-ATTRIBUTE-SECTION-FORMAT
	distinguished_name = ca_dn
	# req_extensions, https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
	# "This specifies the configuration file section containing a list of extensions to add to the certificate request."
	req_extensions = ca_ext

	# Referred from section: req above
	# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
	[ca_ext]
	# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Basic-Constraints
	# "This is a multi valued extension which indicates whether a certificate is a CA certificate."
	basicConstraints = critical,CA:true
	# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Key-Usage
	# "Key usage is a multi valued extension consisting of a list of names of the permitted key usages."
	keyUsage = critical,keyCertSign,cRLSign
	subjectKeyIdentifier = hash

	[sub_ca_ext]
	# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#DESCRIPTION
	# "The long form allows the values to be placed in a separate section:
	# basicConstraints=critical,@bs_section"
	authorityInfoAccess = @issuer_info
	authorityKeyIdentifier = keyid:always
	basicConstraints = critical,CA:true,pathlen:0
	crlDistributionPoints = @crl_info
	# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Extended-Key-Usage
	# "This extensions consists of a list of usages indicating purposes for which the certificate public key can be used for,"
	extendedKeyUsage = clientAuth,serverAuth
	keyUsage = critical,keyCertSign,cRLSign
	nameConstraints = @name_constraints
	subjectKeyIdentifier = hash

	[crl_info]
	URI.0 = $crl_url

	[issuer_info]
	caIssuers;URI.0 = $aia_url
	OCSP;URI.0 = $ocsp_url

	[name_constraints]
	permitted;DNS.0=example.com
	permitted;DNS.1=example.org
	excluded;IP.0=0.0.0.0/0.0.0.0
	excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

	[ocsp_ext]
	authorityKeyIdentifier = keyid:always
	basicConstraints = critical,CA:false
	extendedKeyUsage = OCSPSigning
	noCheck = yes
	keyUsage = critical,digitalSignature
	subjectKeyIdentifier = hash