3 ### OpenSSL configuration for distorted.org.uk CA.
5 ###--------------------------------------------------------------------------
11 ###--------------------------------------------------------------------------
12 ### Certificate request configuration.
### Request (`openssl req`) settings.  The section header is not visible in
### this listing; the leading numbers are the listing's own line gutter.
### x509_extensions names the extension section applied when `req -x509`
### produces a self-signed certificate -- here ca-extensions, so this is the
### path by which the CA's own certificate gets its extensions.
19 x509_extensions = ca-extensions
### Section that holds the distinguished-name prompts and defaults.
20 distinguished_name = req-dn
### Distinguished-name prompts (presumably the req-dn section named by
### distinguished_name; its header is not visible in this listing).
### For each attribute: `name` is the prompt text, `name_default` the value
### offered when the operator just presses return, and `name_max` the longest
### value accepted.  Attributes without a `_default` have no preset value.
25 countryName = "Country name"
26 countryName_default = "GB"
30 stateOrProvinceName = "State, province, or county"
31 stateOrProvinceName_default = "Cambridgeshire"
32 stateOrProvinceName_max = 64
34 localityName = "Locality (e.g., city)"
35 localityName_default = "Cambridge"
38 organizationName = "Organization"
39 organizationName_default = "distorted.org.uk"
40 organizationName_max = 64
41 organizationalUnitName = "Organizational unit"
42 organizationalUnitName_max = 64
### commonName and emailAddress identify the individual subject, so no
### default is offered for them in the visible lines.
44 commonName = "Common name"
47 emailAddress = "Email address"
50 ###--------------------------------------------------------------------------
### Which CA section `openssl ca` uses when no -name option is given.
54 default_ca = distorted-ca
### CA operating parameters (presumably the distorted-ca section selected by
### default_ca; the header and some keys are not visible in this listing).
### The CA signing key.  The path is relative, so it depends on the directory
### `openssl ca` is run from (unless a dir setting exists on a line not shown).
### Everything issued here is only as trustworthy as the access control on
### this file: keep it unreadable to anyone but the CA operator.
62 private_key = private/ca.key
### Index of issued certificates.  $ENV::db_suffix is expanded from the
### environment variable db_suffix when the file is loaded.
### NOTE(review): OpenSSL refuses to load the configuration if the variable is
### unset and no default for it is defined earlier in the file -- confirm the
### wrapper scripts always export it.
64 database = state/db$ENV::db_suffix
### File holding the number to be used for the next CRL.
66 crlnumber = state/crlnumber
### Each CRL's nextUpdate is 28 hours after issue.  The CRL therefore has to be
### regenerated and republished at least daily; relying parties that enforce
### nextUpdate will treat an older CRL as expired.
67 default_crl_hours = 28
### Extension section applied to issued certificates by default.  Client
### certificates need tls-client-extensions selected explicitly (e.g. with
### the -extensions option), otherwise they are issued as TLS servers.
68 x509_extensions = tls-server-extensions
### Extension section applied to CRLs.
69 crl_extensions = crl-extensions
### Section stating which subject DN fields a request must or may carry.
70 policy = distorted-policy
### How the subject name and certificate details are shown to the operator
### for confirmation before signing.
71 name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
72 cert_opt = no_header, ext_parse, no_pubkey
### SECURITY: `copy` copies extensions from the request into the certificate
### unless the chosen x509_extensions section already sets that extension.
### basicConstraints, keyUsage and extendedKeyUsage are fixed by the
### tls-*-extensions sections, so a request cannot override those; anything
### else in the request (for server certificates notably subjectAltName) is
### taken on the requester's word.  Review the extensions displayed at signing
### time and do not sign with -batch unless the request was checked first.
73 copy_extensions = copy
### Subject DN policy (presumably the distorted-policy section named by
### `policy`; its header and line 81 are not visible in this listing).
### `supplied` means the request must contain the field; `optional` means it
### may be present or absent.  None of the visible fields is `match`, so the
### CA does not require a request's DN to agree with its own.
76 countryName = supplied
77 stateOrProvinceName = optional
78 localityName = optional
79 organizationName = supplied
80 organizationalUnitName = optional
82 emailAddress = optional
### Extensions for an object issued by the CA (presumably the crl-extensions
### section named by crl_extensions; its header is not visible here).
### Contact address for the issuer.
85 issuerAltName = email:ca@distorted.org.uk
### NOTE(review): if this is the CRL extension section, crlDistributionPoints
### is defined as a certificate extension; the CRL-side counterpart is
### issuingDistributionPoint.  It is non-critical, so validators should ignore
### it, but confirm that this is what was intended.
86 crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
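### Extensions for the CA's own certificate (section header not visible in
### this listing; presumably ca-extensions, which the request settings name in
### x509_extensions -- confirm).
### critical CA:TRUE marks the certificate as a CA.  No pathlen is given, so
### this extension places no limit on the length of chains below it.
89 basicConstraints = critical, CA:TRUE
### cRLSign added alongside keyCertSign.  The configuration issues CRLs
### (crlnumber, default_crl_hours, crl_extensions) and points relying parties
### at them; when keyUsage is present without cRLSign, validators that check
### revocation reject CRLs signed by this key.  The change only takes effect
### once the CA certificate is regenerated with this section.
90 keyUsage = critical, keyCertSign, cRLSign
### Key identifier derived from the public key; issued certificates refer to
### it through authorityKeyIdentifier.
91 subjectKeyIdentifier = hash
### Contact address; issued certificates pick it up via issuerAltName =
### issuer:copy.
92 subjectAltName = email:ca@distorted.org.uk
93 crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl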
### Extensions for TLS server certificates (the default profile, selected by
### x509_extensions in the CA settings).
95 [tls-server-extensions]
### critical CA:FALSE: the certificate must not be accepted as an issuer.
96 basicConstraints = critical, CA:FALSE
### digitalSignature covers signature-based key exchange; keyEncipherment
### covers RSA key transport.
97 keyUsage = critical, digitalSignature, keyEncipherment
### Restricts the certificate to authenticating a TLS server.
98 extendedKeyUsage = serverAuth
99 subjectKeyIdentifier = hash
### `always` makes signing fail rather than omit the value if the issuer's
### key identifier or issuer name/serial cannot be obtained.
100 authorityKeyIdentifier = keyid:always, issuer:always
### Copies the CA certificate's subjectAltName into issuerAltName.
101 issuerAltName = issuer:copy
### Plain HTTP is usual for CRL retrieval: the CRL is signed by the CA, so its
### integrity does not rest on the transport.
102 crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
### No subjectAltName is set here, so with copy_extensions = copy the host
### names in the certificate are whatever the request's subjectAltName asks
### for.  Check them against what the requester is entitled to before signing.
### Extensions for TLS client certificates.  Not the default profile: it has
### to be selected explicitly when signing.
104 [tls-client-extensions]
### critical CA:FALSE: the certificate must not be accepted as an issuer.
105 basicConstraints = critical, CA:FALSE
106 keyUsage = critical, digitalSignature, keyEncipherment
### Restricts the certificate to authenticating a TLS client.
107 extendedKeyUsage = clientAuth
108 subjectKeyIdentifier = hash
### `always` makes signing fail rather than omit the value if the issuer's
### key identifier or issuer name/serial cannot be obtained.
109 authorityKeyIdentifier = keyid:always,issuer:always
### Copies the CA certificate's subjectAltName into issuerAltName.
110 issuerAltName = issuer:copy
### Copies any email address from the subject DN into subjectAltName.  Because
### the CA sets this extension itself, copy_extensions = copy does not take a
### subjectAltName from the request for this profile.
### NOTE(review): emailAddress is optional in the visible policy lines --
### check what is issued when a request carries no email address.
111 subjectAltName = email:copy
### Plain HTTP is usual for CRL retrieval: the CRL is signed by the CA, so its
### integrity does not rest on the transport.
112 crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
114 ###----- That's all, folks --------------------------------------------------