Diffstat (limited to 'openssl-ca-acf.cnf')
1 files changed, 180 insertions, 0 deletions
diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf
new file mode 100644
index 0000000..b7367e4
--- /dev/null
+++ b/openssl-ca-acf.cnf
@@ -0,0 +1,180 @@
+# OpenSSL Certifying Authority (CA) configuration file for ACF
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = /etc/ssl
+RANDFILE = /dev/urandom
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/certs # default place for new certs.
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem # The private key
+default_md = sha1 # which md to use.
+#policy = policy_match
+dir = /etc/ssl # Where everything is kept
+crl_dir = $dir/crl # Where the issued crl are kept
+certs = $dir/certs # Where the issued certs are kept
+crl = $dir/crl.pem # The current CRL
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = ssl_client_cert
+default_days = 365
+default_crl_days= 365
+preserve = no # keep passed DN ordering
+#name_opt = ca_default_cert
+#cert_opt = ca_default_cert
+[ ca ]
+default_ca = general_cert # The default ca section
+# The "Certificate Type" dropdown in the web interface is built
+# from any section in which all of the CA Mandatory Entries are
+# Defined. The CA Mandadory Entries are:
+# new_certs_dir, certificat, private_key, default_md, database,
+# serial, and policy
+# In this file, we will define all but the policy in the
+# CA_default section, and then define the policy in each section
+# that will be presented as a "Certificate Type"
+# To add a new certificate type, just add a new section name,
+# and make sure "policy" is defined there
+#[ CA_default ]
+# RANDFILE = $dir/private/.rand # private random number file
+# preserve = no # keep passed DN ordering
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = ssl_client_cert
+string_mask = nombstr
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default =
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default =
+localityName = Locality Name (eg, city)
+localityName_default =
+organizationName = Organization Name (eg, company)
+organizationName_default = Watchtower
+organizationalUnitName = Organizational Unit Name (eg, division)
+organizationalUnitName_default = OpenVPN
+commonName = Common Name (eg, the certificate CN)
+commonName_max = 64
+commonName_default =
+emailAddress = Email Address
+emailAddress_max = 60
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+# Use -extensions "section_name" to load one of these sections
+[ general_cert ]
+# Non-specific
+basicConstraints = CA:FALSE
+#nsCertType =
+#keyUsage =
+#extendedKeyUsage =
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+dir = /etc/ssl # Where everything is kept
+[ ssl_server_cert ]
+# SSL server
+basicConstraints = CA:FALSE
+nsCertType = server
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+[ ssl_client_cert ]
+# SSL client
+basicConstraints = CA:FALSE
+nsCertType = client
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+[ v3_ca_cert ]
+# SSL Certifying Authority
+basicConstraints = critical, CA:true
+nsCertType = sslCA
+# Below is correct, but may prevent self-signed certs from working
+keyUsage = cRLSign, keyCertSign
+#extendedKeyUsage = serverAuth, clientAuth
+extenedKeyUsage =
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+policy = policy_anything
+[ crl_ext ]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
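Review bot: `default_md = sha1` in the top-level settings makes every certificate and CRL this CA issues SHA-1 signed, which current TLS stacks and OpenVPN builds reject as a signature algorithm; it should be `default_md = sha256`. The `$dir` references in `database`, `new_certs_dir`, `certificate`, `serial` and `private_key` appear before `dir = /etc/ssl` is assigned, and OpenSSL expands `$var` while parsing each line, so as written I'd expect the file to fail to load with "variable has no value" — moving `dir = /etc/ssl` above those lines fixes it. `RANDFILE` is assigned twice in the same top-level section (`/dev/urandom`, then `$dir/private/.rand`); keep only the `$dir/private/.rand` entry so the effective value does not depend on parser precedence. In `[ v3_ca_cert ]`, `extenedKeyUsage =` is misspelled and OpenSSL's extension loader rejects names it does not recognise, so that line should be deleted (the commented `extendedKeyUsage` line above it already records the intent). The hunk header advertises 180 added lines but fewer are visible here, so the file may continue past what I can see.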