| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| # |
| # Configuration file for testing certificate authority. |
| # The environment variable, CA_HOME, must be set to point to the directory |
| # containing this file before running any openssl commands. |
| # |
| [ ca ] |
| # `man ca` |
| default_ca = CA_default |
| |
| [ CA_default ] |
| # Directory and file locations. |
| dir = . |
| certs = $dir/certs |
| crl_dir = $dir/crl |
| new_certs_dir = $dir/newcerts |
| database = $dir/index.txt |
| serial = $dir/serial |
| RANDFILE = $dir/private/.rand |
| |
| # The root key and root certificate. |
| private_key = $dir/private/ca.key.pem |
| certificate = $dir/certs/ca.cert.pem |
| |
| # For certificate revocation lists. |
| crlnumber = $dir/crlnumber |
| crl = $dir/crl/ca.crl.pem |
| crl_extensions = crl_ext |
| default_crl_days = 30 |
| |
| # SHA-1 is deprecated, so use SHA-2 instead. |
| default_md = sha256 |
| |
| name_opt = ca_default |
| cert_opt = ca_default |
| default_days = 375 |
| preserve = no |
| policy = policy_strict |
| |
| [ policy_strict ] |
| # The root CA should only sign intermediate certificates that match. |
| # See the POLICY FORMAT section of `man ca`. |
| commonName = supplied |
| |
| [ req ] |
| # Options for the `req` tool (`man req`). |
| default_bits = 2048 |
| distinguished_name = req_distinguished_name |
| string_mask = utf8only |
| |
| # SHA-1 is deprecated, so use SHA-2 instead. |
| default_md = sha256 |
| |
| # Extension to add when the -x509 option is used. |
| x509_extensions = v3_ca |
| |
| [ req_distinguished_name ] |
| # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. |
| commonName = Common Name |
| |
| [ v3_ca ] |
| # Extensions for a typical CA (`man x509v3_config`). |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always,issuer |
| basicConstraints = critical, CA:true |
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign |
| |
| [ usr_cert ] |
| # Extensions for client certificates (`man x509v3_config`). |
| basicConstraints = CA:FALSE |
| nsCertType = client, email |
| nsComment = "OpenSSL Generated Client Certificate" |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid,issuer |
| keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment |
| extendedKeyUsage = clientAuth, emailProtection |
| |
| [ broker_cert ] |
| # Extensions for server certificates (`man x509v3_config`). |
| basicConstraints = CA:FALSE |
| nsCertType = server |
| nsComment = "OpenSSL Generated Server Certificate" |
| subjectKeyIdentifier = hash |
| # The unresolvable address is used for SNI testing |
| subjectAltName = DNS:localhost, DNS:unresolvable-broker-address, IP:127.0.0.1 |
| authorityKeyIdentifier = keyid,issuer:always |
| keyUsage = critical, digitalSignature, keyEncipherment |
| extendedKeyUsage = serverAuth |
| |
| [ proxy_cert ] |
| # Extensions for server certificates (`man x509v3_config`). |
| basicConstraints = CA:FALSE |
| nsCertType = server |
| nsComment = "OpenSSL Generated Server Certificate" |
| subjectKeyIdentifier = hash |
| subjectAltName = DNS:localhost, IP:127.0.0.1 |
| authorityKeyIdentifier = keyid,issuer:always |
| keyUsage = critical, digitalSignature, keyEncipherment |
| extendedKeyUsage = serverAuth |
| |
| [ crl_ext ] |
| # Extension for CRLs (`man x509v3_config`). |
| authorityKeyIdentifier=keyid:always |
| |
| [ ocsp ] |
| # Extension for OCSP signing certificates (`man ocsp`). |
| basicConstraints = CA:FALSE |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid,issuer |
| keyUsage = critical, digitalSignature |
| extendedKeyUsage = critical, OCSPSigning |