3 ### OpenSSL configuration for distorted.org.uk CA.
5 ###--------------------------------------------------------------------------
## Seed file for OpenSSL's random number generator, pointed here at the
## kernel's random device rather than at a private seed file.
## NOTE(review): current OpenSSL releases seed themselves from the operating
## system and document RANDFILE as no longer necessary -- confirm this line
## is still wanted for the OpenSSL version that reads this file.
8 RANDFILE = /dev/urandom
10 ###--------------------------------------------------------------------------
11 ### Certificate request configuration.
## Request settings.
## NOTE(review): the section header is not visible in this listing;
## presumably these keys sit under [req] -- confirm against the full file.
##
## x509_extensions names the extension section applied when a request is
## turned directly into a self-signed certificate (`openssl req -x509'), so
## this is the profile the CA's own certificate is built from.
18 x509_extensions = ca-extensions
## Section that holds the distinguished-name prompts and defaults.
19 distinguished_name = req-dn
## Distinguished-name fields for certificate requests.  For each field:
##   FIELD          = prompt text shown by `openssl req'
##   FIELD_default  = value used when the operator just presses return
##   FIELD_max      = longest value accepted, in characters
## NOTE(review): the section header and several lines are not visible in
## this listing; presumably this is the `req-dn' section named by
## distinguished_name.
24 countryName = "Country name"
25 countryName_default = "GB"
29 stateOrProvinceName = "State, province, or county"
30 stateOrProvinceName_default = "Cambridgeshire"
31 stateOrProvinceName_max = 64
33 localityName = "Locality (e.g., city)"
34 localityName_default = "Cambridge"
37 organizationName = "Organization"
## The signing policy in this file requires organizationName to match the
## CA's own, so this default is the value requests are expected to carry.
38 organizationName_default = "distorted.org.uk"
39 organizationName_max = 64
40 organizationalUnitName = "Organizational unit"
41 organizationalUnitName_max = 64
## No default is visible for commonName or emailAddress: they identify the
## individual subject and are typed in per request.
43 commonName = "Common name"
46 emailAddress = "Email address"
49 ###--------------------------------------------------------------------------
## Certificate authority settings for `openssl ca'.
## NOTE(review): section headers and some keys are not visible in this
## listing; default_ca presumably sits under [ca] and the remaining keys
## under [distorted-ca].
##
## Section used when `openssl ca' is run without -name.
53 default_ca = distorted-ca
## The CA's signing key.  Anyone who can read this file (and knows its
## passphrase, if it has one) can issue certificates in the CA's name:
## keep the directory readable by the CA operator only, keep the key
## encrypted at rest, and keep it off network-reachable hosts where that
## is practical.
61 private_key = private/ca.key
## File holding the next CRL number; each CRL issued carries the number and
## the file is then advanced.
65 crlnumber = state/crlnumber
## Extension profile applied when none is chosen on the command line.  The
## default is the TLS *server* profile, so a client certificate must be
## issued with an explicit `-extensions tls-client-extensions'.
68 x509_extensions = tls-server-extensions
## Extensions written into every CRL.
69 crl_extensions = crl-extensions
## Section describing which subject fields a request must, may or must not
## carry.
70 policy = distorted-policy
## How the subject name and certificate are displayed to the operator for
## confirmation before signing.  ext_parse makes unrecognised extensions
## show up as an ASN.1 dump instead of being hidden, which matters because
## of copy_extensions below.
71 name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
72 cert_opt = no_header, ext_parse, no_pubkey
## `copy' takes every extension found in the request that the selected
## profile does not already set, and signs it into the certificate.  The
## profiles in this file set basicConstraints, keyUsage and
## extendedKeyUsage themselves, so a request cannot replace those; anything
## else the requester includes is issued as asked -- in particular
## subjectAltName for server certificates, which the server profile does
## not set.  Read the extensions shown at the confirmation prompt before
## answering yes, and do not combine this setting with unattended signing
## (-batch) of requests from parties the CA does not already trust.
73 copy_extensions = copy
## Signing policy: what each subject field of a request must look like
## before the CA will sign it.
##   match    = must be present and equal to the same field in the CA's own
##              certificate
##   supplied = must be present, any value
##   optional = may be present
## Fields not listed in a policy section are dropped from the issued
## certificate unless `openssl ca' is told to preserve the DN.
## NOTE(review): the section header and at least one line (presumably
## commonName) are not visible in this listing.
76 countryName = supplied
77 stateOrProvinceName = optional
78 localityName = optional
## The only `match' rule: requests naming a different organization are
## refused.
79 organizationName = match
80 organizationalUnitName = optional
82 emailAddress = optional
## Extensions written into each CRL.
## NOTE(review): the section header is not visible in this listing;
## presumably this is the `crl-extensions' section named by crl_extensions.
## NOTE(review): no authorityKeyIdentifier is visible here.  RFC 5280
## expects CRLs to carry one so that a verifier can pick the right issuer
## key, for example across a CA key rollover -- consider adding
## `authorityKeyIdentifier = keyid:always'.
85 issuerAltName = email:ca@distorted.org.uk
## Where the current CRL is published.  Plain HTTP is the usual transport:
## the CRL is signed by the CA, so its integrity does not depend on the
## channel it is fetched over.
86 crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
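## Extensions for the CA's own certificate.
## NOTE(review): the section header is not visible in this listing;
## presumably this is the `ca-extensions' section named by x509_extensions
## in the request settings.
##
## CA:TRUE with no pathlen leaves the depth of any chain below this CA
## unconstrained.  If this CA only ever signs end-entity certificates,
## `CA:TRUE, pathlen:0' states that in the certificate itself.
89 basicConstraints = critical, CA:TRUE
## keyCertSign lets the key sign certificates.  cRLSign is needed as well
## because this CA issues its own CRLs (crlnumber, crl_extensions): once a
## keyUsage extension is present, RFC 5280 requires the cRLSign bit on the
## key that signs CRLs, and verifiers doing CRL checking reject CRLs from
## an issuer whose keyUsage lacks it.  The change only takes effect for CA
## certificates generated after it; an existing CA certificate keeps the
## keyUsage it was issued with.
90 keyUsage = critical, keyCertSign, cRLSign
91 subjectKeyIdentifier = hash
## Contact address for the CA; end-entity profiles copy it into their
## issuerAltName via `issuer:copy'.
92 subjectAltName = email:ca@distorted.org.uk
93 crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl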
## Profile for TLS server certificates; the default profile for
## `openssl ca' in this file.
95 [tls-server-extensions]
## Critical CA:FALSE: the certificate cannot be used to sign other
## certificates, and because the profile sets it, a basicConstraints
## extension in the request is not copied over it.
96 basicConstraints = critical, CA:FALSE
## digitalSignature covers key exchanges where the server signs its
## parameters; keyEncipherment covers RSA key transport.
97 keyUsage = critical, digitalSignature, keyEncipherment
## Restricts the certificate to authenticating a TLS server.
98 extendedKeyUsage = serverAuth
99 subjectKeyIdentifier = hash
## Identify the signing CA by key identifier and by issuer name plus
## serial; `always' makes issuance fail if either cannot be determined.
100 authorityKeyIdentifier = keyid:always, issuer:always
## Copy the CA certificate's subjectAltName into issuerAltName.
101 issuerAltName = issuer:copy
## No subjectAltName is set in this profile.  With `copy_extensions = copy'
## in the CA settings, the host names a server certificate is valid for
## therefore come from the request unchanged -- check them against what
## the requester actually controls before signing.
102 crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
## Profile for TLS client certificates.  Not the default: it has to be
## selected explicitly, e.g. `openssl ca -extensions tls-client-extensions'.
104 [tls-client-extensions]
## Critical CA:FALSE: the certificate cannot be used to sign other
## certificates, and because the profile sets it, a basicConstraints
## extension in the request is not copied over it.
105 basicConstraints = critical, CA:FALSE
## Clients only need to sign the handshake; no keyEncipherment here.
106 keyUsage = critical, digitalSignature
## Restricts the certificate to authenticating a TLS client.
107 extendedKeyUsage = clientAuth
108 subjectKeyIdentifier = hash
## Identify the signing CA by key identifier and by issuer name plus
## serial; `always' makes issuance fail if either cannot be determined.
109 authorityKeyIdentifier = keyid:always,issuer:always
## Copy the CA certificate's subjectAltName into issuerAltName.
110 issuerAltName = issuer:copy
## Take the subject's e-mail address from the distinguished name and place
## it in subjectAltName.  Because the profile sets subjectAltName itself, a
## subjectAltName in the request is not copied in under
## `copy_extensions = copy'.
## NOTE(review): the signing policy marks emailAddress as optional --
## confirm what is issued for a request whose DN has no e-mail address.
111 subjectAltName = email:copy
112 crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
114 ###----- That's all, folks --------------------------------------------------