#
# OpenSSL Certifying Authority (CA) configuration file for ACF
#

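# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= /etc/ssl

# Everything below is relative to $dir.  OpenSSL expands $name while it
# parses the file: a name that has not been assigned yet is looked up in
# the environment and, failing that, rejected with "variable has no
# value".  dir therefore has to be assigned before the first $dir use.
dir		= /etc/ssl		# Where everything is kept
database	= $dir/index.txt	  # database index file.
new_certs_dir	= $dir/certs		  # default place for new certs.
certificate	= $dir/cacert.pem 	  # The CA certificate
serial		= $dir/serial 		  # The current serial number
private_key	= $dir/private/cakey.pem  # The private key
crl_dir		= $dir/crl		# Where the issued crl are kept
certs		= $dir/certs		# Where the issued certs are kept
crl		= $dir/crl.pem 		# The current CRL
# A single RANDFILE: the key used to be assigned twice (/dev/urandom and
# this path); OpenSSL keeps the later assignment, so only this one ever
# took effect.
RANDFILE	= $dir/private/.rand	# private random number file

# Digest for the CA signature.  SHA-1 signed certificates are rejected by
# current browsers and TLS stacks; sha256 is the conservative choice.
default_md	= sha256			# which md to use.
# policy is deliberately absent from the default section: every
# "Certificate Type" section below carries its own.
#policy		= policy_match

# Extension section used when the CA section in effect does not name its
# own x509_extensions.  The section referenced here may contain only
# X.509 extension names; OpenSSL rejects any other key (policy, dir, ...)
# when it loads an extension section.
x509_extensions	= default_cert_ext

# Validity of issued certificates / CRLs, in days.
default_days	= 365
default_crl_days = 365
# yes would keep the request's DN ordering; no rebuilds the subject in
# the order the policy section lists the fields.
preserve	= no
#name_opt	= ca_default_cert
#cert_opt	= ca_default_cert

# Default end-entity extensions (client profile).  Kept free of CA keys
# so that it can be loaded as an extension section.
[ default_cert_ext ]
basicConstraints		= CA:FALSE
nsCertType			= client
keyUsage			= digitalSignature, keyEncipherment
extendedKeyUsage		= clientAuth
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid,issuer:always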

####################################################################
[ ca ]
# Section "openssl ca" consults when no -name is given.  general_cert
# (further down) supplies the policy; the remaining CA settings
# (database, serial, private_key, certificate, default_md, ...) are
# taken from the unnamed default section at the top of this file, which
# OpenSSL falls back to for keys missing from the named section.
default_ca	= general_cert		# The default ca section

####################################################################
# 
# The "Certificate Type" dropdown in the web interface is built
# from any section in which all of the CA Mandatory Entries are 
# defined.  The CA Mandatory Entries are:
# new_certs_dir, certificate, private_key, default_md, database,
# serial, and policy
#
# In this file, we will define all but the policy in the 
# CA_default section, and then define the policy in each section
# that will be presented as a "Certificate Type"
#
# To add a new certificate type, just add a new section name, 
# and make sure "policy" is defined there

#[ CA_default ]
#	RANDFILE	= $dir/private/.rand	# private random number file
#	preserve	= no			# keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)

# For the CA policy
# Not used by any active section of this file: the only reference is the
# commented-out "policy = policy_match" in the default section.
# "openssl ca" policy values: match = must equal the CA certificate's
# value, supplied = must be present in the request, optional = copied
# when present.  A request field that is not listed at all (localityName
# here) is dropped from the issued certificate, and with preserve = no
# the subject is rebuilt in the order the fields are listed below.
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional


# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# Every "Certificate Type" section in this file uses this policy.  Only
# commonName is required; the other fields are copied from the request
# when present, and any DN field not listed here is dropped from the
# issued certificate.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
# Settings for "openssl req" (key generation, CSR, self-signed output).
# Size in bits of newly generated RSA keys.
default_bits		= 2048
# Where a newly generated private key is written.
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
# Extension section used only by "req -x509" (self-signed output).
# NOTE(review): the section named here must contain nothing but X.509
# extension keys; ssl_client_cert also carries "policy", which OpenSSL
# rejects when it loads the section as an extension set.  Pass
# -extensions with a pure extension section, or confirm how the consumer
# invokes req.
x509_extensions		= ssl_client_cert
# Restricts DN string types to PrintableString/T61String (no BMPString).
# Legacy setting kept for old software; utf8only is the modern choice,
# but changing it alters the encoding of every DN field, so re-check any
# "match" policy against the CA certificate before switching.
string_mask		= nombstr

[ req_distinguished_name ]
# Prompts, defaults and length limits for the subject DN.  For a field
# <name>: "<name>" is the prompt text, "<name>_default" the value taken
# when the prompt is answered with Enter (an empty default leaves the
# field out), and "<name>_min"/"<name>_max" bound the accepted length.
countryName			= Country Name (2 letter code)
countryName_default		= 
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= 

localityName			= Locality Name (eg, city)
localityName_default		= 

organizationName		= Organization Name (eg, company)
# Site-specific preset; change when cloning this file.
organizationName_default	= Watchtower

organizationalUnitName		= Organizational Unit Name (eg, division)
# Site-specific preset; change when cloning this file.
organizationalUnitName_default	= OpenVPN

commonName			= Common Name (eg, the certificate CN)
# 64 is the X.520 upper bound for commonName.
commonName_max			= 64
commonName_default		=

emailAddress			= Email Address
emailAddress_max		= 60


[ req_attributes ]
# Optional challengePassword attribute embedded in the CSR.  It is a
# request attribute, not a certificate field: it does not end up in the
# issued certificate and nothing in this file checks it.
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20


# Use -extensions "section_name" to load one of these sections

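[ general_cert ]
# Non-specific 
# CA section selected by default_ca.  It supplies the policy and names
# the extension section to use; every other CA setting (including dir)
# comes from the default section at the top of the file.  policy is not
# an X.509 extension name and OpenSSL rejects it when a section is
# loaded with -extensions or via x509_extensions, so the extensions
# live in general_cert_ext below.
policy		= policy_anything
x509_extensions	= general_cert_ext

[ general_cert_ext ]
# Non-specific end-entity certificate: no nsCertType, keyUsage or
# extendedKeyUsage restriction.
basicConstraints		= CA:FALSE
#nsCertType			=
#keyUsage			=
#extendedKeyUsage		=
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid,issuer:always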


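[ ssl_server_cert ]
# SSL server
# "Certificate Type" section, for "openssl ca -name ssl_server_cert".
# Holds the policy and points at the extension section below; policy is
# not an X.509 extension name and OpenSSL rejects it when a section is
# loaded as an extension set, hence the split.
policy		= policy_anything
x509_extensions	= ssl_server_cert_ext

[ ssl_server_cert_ext ]
# Keep this section free of anything that is not an extension name.
basicConstraints		= CA:FALSE
# Obsolete Netscape extension, kept for old clients.
nsCertType			= server
keyUsage			= digitalSignature, keyEncipherment
extendedKeyUsage		= serverAuth
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid,issuer:always
# No subjectAltName is set here; current TLS clients ignore the CN and
# require a SAN, so add one per certificate when issuing server certs.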

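[ ssl_client_cert ]
# SSL client
# "Certificate Type" section, for "openssl ca -name ssl_client_cert".
# Holds the policy and points at the extension section below; policy is
# not an X.509 extension name and OpenSSL rejects it when a section is
# loaded as an extension set, hence the split.
policy		= policy_anything
x509_extensions	= ssl_client_cert_ext

[ ssl_client_cert_ext ]
# Keep this section free of anything that is not an extension name.
basicConstraints		= CA:FALSE
# Obsolete Netscape extension, kept for old clients.
nsCertType			= client
keyUsage			= digitalSignature, keyEncipherment
extendedKeyUsage		= clientAuth
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid,issuer:always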

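[ v3_ca_cert ]
# SSL Certifying Authority
# "Certificate Type" section for issuing a (sub-)CA certificate with
# "openssl ca -name v3_ca_cert".  For a self-signed root use
# "req -x509 -extensions v3_ca_cert_ext".  policy is not an X.509
# extension name and OpenSSL rejects it when a section is loaded as an
# extension set, hence the split.
policy		= policy_anything
x509_extensions	= v3_ca_cert_ext

[ v3_ca_cert_ext ]
# Keep this section free of anything that is not an extension name.
basicConstraints		= critical, CA:true
# Obsolete Netscape extension, kept for old clients.
nsCertType			= sslCA
# Below is correct, but may prevent self-signed certs from working
# (RFC 5280 recommends marking keyUsage critical on CA certificates).
keyUsage			= cRLSign, keyCertSign
# No extendedKeyUsage on a CA certificate.  The former misspelt
# "extenedKeyUsage =" line has been dropped: OpenSSL would reject it as
# an unknown extension name.
#extendedKeyUsage		= serverAuth, clientAuth
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid,issuer:always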


[ crl_ext ]
# NOTE(review): nothing in this file references this section (there is
# no "crl_extensions = crl_ext"), and basicConstraints / keyUsage are
# certificate extensions rather than CRL extensions -- a CRL extension
# section normally carries authorityKeyIdentifier and issuerAltName.
# Confirm what the consumer expects under this name before relying on it.
basicConstraints		= CA:FALSE
keyUsage			= digitalSignature, keyEncipherment
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid,issuer:always

[ v3_req ]
# Extensions to add to a certificate request
# Only used when [ req ] sets "req_extensions = v3_req" (it does not in
# this file) or "-reqexts v3_req" is passed on the command line.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment