ndpar/openssl-ca.cnf

## openssl-ca.cnf
HOME             = .
RANDFILE         = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca       = CA_default    # The default ca section

[ CA_default ]

default_days     = 730           # how long to certify for
default_crl_days = 30            # how long before next CRL
default_md       = sha256        # use public key default MD
preserve         = no            # keep passed DN ordering

x509_extensions  = ca_extensions # The extensions to add to the cert

email_in_dn      = no            # Don't concat the email in the DN
copy_extensions  = copy          # Required to copy SANs from CSR to cert

base_dir         = .
certificate      = $base_dir/cacert.pem   # The CA certifcate
private_key      = $base_dir/cakey.pem    # The CA private key

new_certs_dir    = $base_dir/newcerts     # Location for new certs after signing
certs            = $base_dir/certs        # Where the issued certs are kept
crl_dir          = $base_dir/crl          # Where the issued crl are kept

database         = $base_dir/index.txt    # Database index file
serial           = $base_dir/serial.txt   # The current serial number

unique_subject   = no  # Set to 'no' to allow creation of
                       # several certificates with same subject.

####################################################################
[ req ]
default_bits       = 4096
default_keyfile    = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions    = ca_extensions
string_mask        = utf8only

####################################################################
[ ca_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = CA

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Ontario

localityName                = Locality Name (eg, city)
localityName_default        = Toronto

organizationName            = Organization Name (eg, company)
organizationName_default    = NDPAR INC.

organizationalUnitName         = Organizational Unit (eg, division)
organizationalUnitName_default = IT

commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = ndpar.org

emailAddress         = Email Address
emailAddress_default = ca@ndpar.org

####################################################################
[ ca_extensions ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign

####################################################################
[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

####################################################################
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment

## openssl-server.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits       = 2048
default_keyfile    = serverkey.pem
distinguished_name = server_distinguished_name
req_extensions     = server_req_extensions
string_mask        = utf8only

####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = CA

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Ontario

localityName         = Locality Name (eg, city)
localityName_default = Toronto

organizationName            = Organization Name (eg, company)
organizationName_default    = NDPAR INC.

commonName           = Common Name (e.g. server FQDN or YOUR name)
commonName_default   = ndpar.org

emailAddress         = Email Address
emailAddress_default = it@ndpar.org

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

####################################################################
[ alternate_names ]

DNS.1  = ndpar.org
DNS.2  = www.ndpar.org
DNS.3  = *.ndpar.org
	HOME = .
	RANDFILE = $ENV::HOME/.rnd

	####################################################################
	[ ca ]
	default_ca = CA_default # The default ca section

	[ CA_default ]

	default_days = 730 # how long to certify for
	default_crl_days = 30 # how long before next CRL
	default_md = sha256 # use public key default MD
	preserve = no # keep passed DN ordering

	x509_extensions = ca_extensions # The extensions to add to the cert

	email_in_dn = no # Don't concat the email in the DN
	copy_extensions = copy # Required to copy SANs from CSR to cert

	base_dir = .
	certificate = $base_dir/cacert.pem # The CA certifcate
	private_key = $base_dir/cakey.pem # The CA private key

	new_certs_dir = $base_dir/newcerts # Location for new certs after signing
	certs = $base_dir/certs # Where the issued certs are kept
	crl_dir = $base_dir/crl # Where the issued crl are kept

	database = $base_dir/index.txt # Database index file
	serial = $base_dir/serial.txt # The current serial number

	unique_subject = no # Set to 'no' to allow creation of
	# several certificates with same subject.

	####################################################################
	[ req ]
	default_bits = 4096
	default_keyfile = cakey.pem
	distinguished_name = ca_distinguished_name
	x509_extensions = ca_extensions
	string_mask = utf8only

	####################################################################
	[ ca_distinguished_name ]
	countryName = Country Name (2 letter code)
	countryName_default = CA

	stateOrProvinceName = State or Province Name (full name)
	stateOrProvinceName_default = Ontario

	localityName = Locality Name (eg, city)
	localityName_default = Toronto

	organizationName = Organization Name (eg, company)
	organizationName_default = NDPAR INC.

	organizationalUnitName = Organizational Unit (eg, division)
	organizationalUnitName_default = IT

	commonName = Common Name (e.g. server FQDN or YOUR name)
	commonName_default = ndpar.org

	emailAddress = Email Address
	emailAddress_default = ca@ndpar.org

	####################################################################
	[ ca_extensions ]

	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always, issuer
	basicConstraints = critical, CA:true
	keyUsage = keyCertSign, cRLSign

	####################################################################
	[ signing_policy ]
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	####################################################################
	[ signing_req ]
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer
	basicConstraints = CA:FALSE
	keyUsage = digitalSignature, keyEncipherment