OpenSSL -- Root CA Configuration File
Create the file with a text editor such as vi. The following is the baseline configuration needed for this exercise (edit as needed):
/usr/local/etc/PKI/etc/root-ca.conf
# RZ-Amper Root CA
#
# OpenSSL configuration for the root CA. Read by `openssl req` (sections
# [req], [ca_dn], [ca_reqext]) and `openssl ca` (sections [ca], [root_ca]
# and the policy/extension sections they reference).
# $name references are expanded by the OpenSSL config parser from the
# [default] section; paths are relative to `dir`.

[default]
# CA name, also used as the file-name stem under $dir/ca
ca = root-ca
# top directory of the CA layout (relative to the working directory)
dir = .
# base URL of the trust center; AIA and CRL URLs are built from it
base_url = http://www.rz-amper.de/trust-center
# where relying parties fetch the CA certificate (AIA caIssuers)
aia_url = $base_url/index.php?stage=dl_rootcer
# CRL distribution point
crl_url = $base_url/index.php?stage=dl_rootcrl
# subject DN display options (UTF-8 aware)
name_opt = multiline,-esc_msb,utf8

# ---------------------------------------------------------------------
# CA certificate request
# ---------------------------------------------------------------------
[req]
# RSA key size for the root key
default_bits = 8192
# write the private key encrypted (passphrase protected)
encrypt_key = yes
# digest for the request signature
default_md = sha256
# treat input as UTF-8 and emit UTF-8 strings only
utf8 = yes
string_mask = utf8only
# take the DN from [ca_dn] without prompting
prompt = no
distinguished_name = ca_dn
# extensions to place in the request
req_extensions = ca_reqext

[ca_dn]
countryName = "DE"
organizationName = "Rechenzentrum Amper"
organizationalUnitName = "EDV-Programm Entwicklungs Abteilung"
commonName = "Rechenzentrum Amper Root Certificate Authority"

[ca_reqext]
# CA-only key usage, marked critical
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash

# ---------------------------------------------------------------------
# CA operational settings
# ---------------------------------------------------------------------
[ca]
# section used by `openssl ca` unless -name is given
default_ca = root_ca

[root_ca]
# CA certificate and private key
certificate = $dir/ca/$ca.crt
private_key = $dir/ca/$ca/private/$ca.key
# archive of issued certificates
new_certs_dir = $dir/ca/$ca
# serial number, CRL number and index database
serial = $dir/ca/$ca/db/$ca.crt.srl
crlnumber = $dir/ca/$ca/db/$ca.crl.srl
database = $dir/ca/$ca/db/$ca.db
# `no` allows several valid certificates with the same subject
unique_subject = no
# validity of issued certificates, in days (about 10 years)
default_days = 3652
default_md = sha256
# naming policy applied to requests (see [match_pol])
policy = match_pol
# do not add an email address to the certificate DN
email_in_dn = no
# do not keep the DN ordering passed in the request
preserve = no
# display options
name_opt = $name_opt
cert_opt = ca_default
# `none`: extensions from the CSR are ignored; only the profile
# selected by x509_extensions (or -extensions) is applied
copy_extensions = none
# default extension profile for certificates signed by this CA
x509_extensions = signing_ca_ext
# CRL validity in days and CRL extensions
default_crl_days = 365
crl_extensions = crl_ext

# ---------------------------------------------------------------------
# Naming policies
# optional = may be present with any value, supplied = must be present
# ---------------------------------------------------------------------
[match_pol]
# NOTE(review): every field except commonName is `optional`, so this
# policy does not force country or organization to match the CA's own
# DN; tighten to `match` if that is intended.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied

[any_pol]
domainComponent = optional
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

# ---------------------------------------------------------------------
# Extensions
# ---------------------------------------------------------------------
# profile for the self-signed root certificate; not referenced by any
# key above, so it has to be selected explicitly when the root is created
[root_ca_ext]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# profile for subordinate (signing) CAs: pathlen:0 means they may not
# issue further CA certificates
[signing_ca_ext]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info
crlDistributionPoints = @crl_info

[crl_ext]
authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info

[issuer_info]
caIssuers;URI.0 = $aia_url

[crl_info]
URI.0 = $crl_url