openssl.cnf

HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids

[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca    = CA_default        # The default ca section

[ CA_default ]
dir              = ./demoCA        # Where everything is kept
certs            = $dir/certs        # Where the issued certs are kept
crl_dir          = $dir/crl        # Where the issued crl are kept
database         = $dir/index.txt    # database index file.
unique_subject   = no            # Set to 'no' to allow creation of
new_certs_dir    = $dir/newcerts        # default place for new certs.
certificate      = $dir/cacert.pem       # The CA certificate
serial           = $dir/serial           # The current serial number
crlnumber        = $dir/crlnumber    # the current crl number
crl              = $dir/crl.pem          # The current CRL
private_key      = $dir/private/cakey.pem# The private key
RANDFILE         = $dir/private/.rand    # private random number file
x509_extensions  = usr_cert        # The extensions to add to the cert
name_opt         = ca_default        # Subject Name options
cert_opt         = ca_default        # Certificate field options
copy_extensions  = copy
default_days     = 3650            # how long to certify for
default_crl_days = 30            # how long before next CRL
default_md       = sha256        # which md to use.
preserve         = no            # keep passed DN ordering
policy           = policy_match


[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=DNS:${ENV::SERVER}

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
[ tsa_config1 ]