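# OpenSSL config for CA signing only (not for CA cert generation).
# Read by the `openssl ca` command; `#` starts a comment.

[ ca ]
# Name of the section that holds the CA settings
default_ca = CA

[ CA ]
# Where OpenSSL stores information
# Where everything is kept
dir = .
# Where the issued certs are kept
certs = $dir
# Where the issued CRLs are kept
crldir = $dir
new_certs_dir = $certs
database = $dir/index
certificate = $certs/rootCA.pem
# The CA signing key sits in the same directory as the issued certs and the
# database; keep this file readable by the CA operator only.
private_key = $dir/rootCA.key
crl = $crldir/crl.pem
serial = $dir/serial.txt
RANDFILE = $dir/.rand

# How OpenSSL will display the certificate after signing
name_opt = ca_default
cert_opt = ca_default

# How long the certificate is valid for
default_days = 365
# Optional explicit validity window in YYMMDDHHMMSSZ form (left disabled)
# default_startdate = 180517000000Z
# default_enddate = 181231235959Z

# The message digest for signing the certificate.
# Keep sha256 or stronger. The older digests OpenSSL also accepts here
# (md4, md5, mdc2, rmd160, sha1) should not be used for certificate
# signatures: md4, md5 and sha1 have known collision attacks, and current
# TLS clients reject certificates signed with them.
default_md = sha256

# Subjects don't have to be unique in this CA's database
unique_subject = no

# What to do with CSR extensions.
# `copy` takes every extension from the CSR that is not already set in the
# x509_extensions section below, so the requester controls those values
# (subjectAltName, for example). Review each CSR before signing it.
copy_extensions = copy

# Rules on mandatory or optional DN components
policy = simple_policy

# Extensions added while signing with the `openssl ca` command
x509_extensions = x509_ext

[ simple_policy ]
# Every DN component is optional, so this policy places no constraint on the
# subject a requester asks for; the operator has to check it by hand.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
domainComponent = optional
emailAddress = optional
name = optional
surname = optional
givenName = optional
dnQualifier = optional

[ x509_ext ]
# Default extensions
# These extensions are for an end-entity certificate.
# Extensions added when using the `openssl ca` command.
# This section is pointed to by `x509_extensions` above.
# An extension set here takes precedence over the same extension in the CSR;
# with `copy_extensions = copy`, any extension NOT set here is taken from the
# CSR unchanged.

# Pinned so that a CSR asking for CA:TRUE cannot turn the issued
# certificate into a CA certificate through copy_extensions.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth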