@rgherta
Last active January 20, 2021 10:36
simple private ca
# Creating a Private Certificate Authority
# https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html
# Template https://github.com/ivanr/bulletproof-tls/blob/master/private-ca/root-ca.conf
# The first part of the configuration file contains some basic CA information, such as the name and the base URL, and the components of the CA’s distinguished name. Because the syntax is flexible, information needs to be provided only once:
[default]
name = ca
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "DE"
organizationName = "MyOrganization"
commonName = "Root Private CA"
# The second part directly controls the CA’s operation. For full information on each setting, consult the documentation for the ca command (man ca on the command line). Most of the settings are self-explanatory; we mostly tell OpenSSL where we want to keep our files. Because this root CA is going to be used only for the issuance of subordinate CAs, I chose to have the certificates valid for 10 years. For the signature algorithm, the secure SHA256 is used by default.
# The default policy (policy_c_o_match) is configured so that all certificates issued from this CA have the countryName and organizationName fields that match that of the CA. This wouldn’t be normally done by a public CA, but it’s appropriate for a private CA:
[ca_default]
home = ./ca
database = $home/certs.db
serial = $home/serial
#crlnumber = $home/db/crlnumber
#certificate = $home/$name.crt
#private_key = $home/private/$name.key
private_key = $home/ca.key
certificate = $home/ca.crt
RANDFILE = $home/random
new_certs_dir = $home
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# The third part contains the configuration for the req command, which is going to be used only once, during the creation of the self-signed root certificate. The most important parts are in the extensions: the basicConstraints extension indicates that the certificate is a CA, and keyUsage contains the appropriate settings for this scenario:
[req]
default_bits = 4096
x509_extensions = my_extensions
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
# Extensions applied by "openssl req -x509" (the one-step self-signed root); req_extensions = ca_ext above
# only goes into a CSR, e.g. for the cookbook's "openssl ca -selfsign -extensions ca_ext" flow.
# This section lacks cRLSign, so CRLs signed by such a root fail keyUsage checks in verifiers despite default_crl_days;
# an extendedKeyUsage on a CA certificate is also unusual, since many verifiers apply it to every certificate below it.
[my_extensions]
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
basicConstraints = critical,CA:TRUE
extendedKeyUsage = critical,serverAuth
subjectKeyIdentifier = hash
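The steps this config is written for, as an added example that is not part of the gist: it bootstraps the files [ca_default] points at, creates the self-signed root in one "openssl req -x509" step, and checks the extensions the comments describe. It assumes the openssl CLI is on PATH and embeds a constructed excerpt of the gist's [req], [ca_dn] and [my_extensions] sections instead of reading a file.

```shell
#!/bin/sh
# Added example (not part of the gist): bootstrap the layout [ca_default]
# expects, create the self-signed root from [req]/[my_extensions], and check it.
# Assumes the openssl CLI is on PATH; everything happens in a scratch dir.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Constructed excerpt of the gist's [req], [ca_dn] and [my_extensions] sections.
cat > root-ca.conf <<'EOF'
[req]
default_bits = 4096
x509_extensions = my_extensions
default_md = sha256
prompt = no
distinguished_name = ca_dn
[ca_dn]
countryName = "DE"
organizationName = "MyOrganization"
commonName = "Root Private CA"
[my_extensions]
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
basicConstraints = critical,CA:TRUE
extendedKeyUsage = critical,serverAuth
subjectKeyIdentifier = hash
EOF
# Files [ca_default] points at: home=./ca, database=$home/certs.db, serial=$home/serial.
mkdir -p ca && chmod 700 ca
: > ca/certs.db
openssl rand -hex 16 > ca/serial
# One-step root. With -x509, req applies x509_extensions (my_extensions) and
# ignores req_extensions; -nodes skips the key passphrase (gist: encrypt_key = yes) for this demo only.
openssl req -new -x509 -config root-ca.conf -days 3650 -nodes \
    -keyout ca/ca.key -out ca/ca.crt
# Returns 0 only if the cert has what a root needs: critical CA:TRUE,
# keyCertSign in keyUsage, and a signature that verifies against itself.
is_usable_root() {
    t=$(openssl x509 -in "$1" -noout -text)
    echo "$t" | grep -q 'Basic Constraints: critical' &&
    echo "$t" | grep -q 'CA:TRUE' &&
    echo "$t" | grep -q 'Certificate Sign' &&
    openssl verify -CAfile "$1" "$1" >/dev/null
}
# Returns 0 if keyUsage also carries cRLSign, which CRL issuance requires.
can_sign_crl() {
    openssl x509 -in "$1" -noout -text | grep -q 'CRL Sign'
}
is_usable_root ca/ca.crt && echo "root OK: $WORK/ca/ca.crt"
can_sign_crl ca/ca.crt || echo "note: my_extensions lacks cRLSign; add it before issuing CRLs"
```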