openssl.cnf

# 引入其他文件
#.include filename

HOME			= .

# 默认选项提供
openssl_conf	= openssl_init

# 是否开启配置诊断
config_diagnostics = 1


[openssl_init]
providers = provider_sect

################## 待查找资料
######### OID信息？
# Extra OBJECT IDENTIFIER info:
# oid_file       = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		=
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
######### 硬件加速？
# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
# .include fipsmodule.cnf

[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect

# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl.  As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
# activate = 1
##################

################################ CA ################################
[ ca ]
default_ca	= CA_default

[ CA_default ]
dir 			= . 				# 目录
certs			= $dir/certs		# 已颁发的证书
crl_dir         = $dir/crls 		# 已发布的吊销列表
database		= $dir/index.txt	# 数据库索引
unique_subject	= yes				# 不允许重复签名
new_certs_dir	= $dir/newcerts     # 新证书的默认路径
certificate		= $dir/certificate.crt     # CA证书文件
serial			= $dir/serial 		# 序列号文件
crlnumber		= $dir/crlnumber	# 当前吊销列表序列号
crl				= $dir/current.crl		# 当前吊销列表
private_key		= $dir/private.key	# 私钥

x509_extensions	= usr_cert			# 添加扩展

# 证书格式
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options


# 转换时是否复制扩展
copy_extensions = copy

# 吊销列表扩展
crl_extensions	= crl_ext

default_days	= 365000	# 证书默认有效期
default_crl_days= 30		# 默认吊销列表有效期
default_md		= sha512	# 默认摘要算法
preserve		= no		# IE兼容相关

# 证书匹配策略
# 请求被签发时需要与CA本身匹配规则
# match：相同
# supplied： 提供
# optional： 可选
policy		= policy_match

[ policy_match ]
countryName		= optional
stateOrProvinceName	= optional
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional


# 在CA签署请求时添加扩展
[ usr_cert ]

# 这违反了 PKIX 准则，但一些 CA 这样做并且一些软件要求这样做以避免将最终用户证书解释为 CA
# basicConstraints=CA:FALSE

# 一个客户端证书的典型keyUsage
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

authorityKeyIdentifier=keyid:always, issuer:always

# 导入邮箱信息
# subjectAltName=email:copy
# 生成根据 PKIX 未弃用的证书的替代方法。
# subjectAltName=email:move

# TSA证书需求
# extendedKeyUsage = critical,timeStamping

################################ REQ ################################

[ req ]
default_bits		= 4096					# 生成证书请求时使用的私钥长度
default_md			= sha512				# 证书请求签名的摘要算法
default_keyfile 	= private.key			# 默认自动创建私钥存放位置
distinguished_name	= req_distinguished_name# 可识别字段名
attributes			= req_attributes		# 证书请求属性
x509_extensions		= v3_ca					# 加入自签名证书的扩展项
# req_extensions		= v3_vpn_client			# 加入证书请求的扩展项
encrypt_key			= no					# 自动生成的私钥文件是否需要加密
prompt				= yes					# 是否提示输入DN

# 私钥文件密码，不给出会要求输入
# input_password = secret
# output_password = secret

# 字符串类型要求
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString (PKIX 标准推荐(2004前))
# utf8only: only UTF8Strings (PKIX 标准推荐(2004后)).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only


[ req_distinguished_name ]
countryName				= 国家代码(双字母)
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= 省名称

localityName			= 市名称

0.organizationName		= 组织名称

# we can do this but it is not needed normally :-)
#1.organizationName		= 第二组织名称
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= 组织部门名称

commonName			= 名称
commonName_max			= 64

emailAddress			= 电子邮件地址
emailAddress_max		= 64

# SET-ex3			= SET extension number 3

# 默认设置
countryName_default               =  
stateOrProvinceName_default       = 
0.organizationName_default          = example
organizationalUnitName_default      = 
commonName_default                  = 
emailAddress_default                =  

# 特定需要
[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name


### 证书扩展 https://www.openssl.org/docs/manmaster/man5/x509v3_config.html - STANDARD EXTENSIONS
### critical： 将扩展标记为关键

## basicConstraints
# CA： 对于CA必须设置为true,对于终端证书必须标记为false或省略
# pathlen： 链中可以出现在该CA下方的CA的最大数量，如为0则无法签署任何子CA

## keyUsage
# id如顺序所示，从0开始
# digitalSignature: 数字签名（适合用于身份验证）
# nonRepudiation：数字签名（目标实体难以否认私钥进行的操作，适合用于文件认可）
# keyEncipherment：加密对称密钥进行传输
# dataEncipherment：加密实际应用数据
# keyAgreement：与目标协商对称密钥
# keyCertSign：验证证书上签名(仅CA)
# cRLSign: 签名吊销列表(仅CA)
# encipherOnly：密钥协商时公钥仅用于加密数据(需：keyAgreement)
# decipherOnly：密钥协商时公钥仅用于解密数据(需：keyAgreement)

## extendedKeyUsage
# 可以使用任何文本或OID，以下文本含义已知
# serverAuth：所有服务器应使用此证书签名(需：digitalSignature, keyEncipherment 或 keyAgreement)
# clientAuth：所有客户端必须使用此证书签名(需：digitalSignature 和/或 keyAgreement)
# codeSigning：对代码进行签名(需：digitalSignature, nonRepudiation, 和/或 keyEncipherment 或者 keyAgreement)
# emailProtection：通过S/MIME保护电子邮件(需：digitalSignature, keyEncipherment或者 keyAgreement)
# timeStamping：可信时间戳(需：)
# OCSPSigning：OCSP签名(需：)
# ipsecIKE：IPSec 因特网密钥交换(clientAuth对IPSec VPN客户端有效)(可能不应使用)
# msCodeInd：微软个人代码签名
# msCodeCom：微软商业代码签名
# msCTLSign：微软信任列表签名
# msEFS：微软加密文件系统签名

## subjectKeyIdentifier
# none： 不包括
# hash： 从公钥使用SHA-1产生
# <16进制字符串>： 直接使用值，强烈不建议

## authorityKeyIdentifier
# none： 不包括
# 可以包括keyid和issuer，用","分隔，可以在后面添加":always"
# keyid：尝试复制颁发者证书subjectKeyIdentifier，如果颁发者证书与当前证书相同则使用公钥哈希，如果无法取值且always存在则返回错误
# issuer：如果指定了always或keyid不存在则从颁发者证书复制DN和序列号，如果失败返回错误

## subjectAltName
# 支持多种标识符：email,URI,DNS,RID,ID,dirName,otherName
# email：含有2个特殊值：copy/move：自动从DN复制/移动email信息
# IP：支持v4和v6
# DNS：域名
# dirName： DN信息
# otherName：包含与OID关联的任何数据

## issuerAltName
# 支持subjectAltName大多数选项
# 不支持email:copy
# 支持issuer：copy(尝试从颁发者证书中复制subjectAltName)


# 自签名CA
[ v3_ca ]
basicConstraints		= critical, CA:true
keyUsage				= critical, cRLSign, digitalSignature, keyCertSign
subjectKeyIdentifier	= hash
authorityKeyIdentifier=keyid:always, issuer:always

# # 中间CA
# [ v3_ica ]
# basicConstraints		= critical, CA:true, pathlen:1
# keyUsage				= critical, cRLSign, digitalSignature, keyCertSign
# subjectKeyIdentifier	= hash

# # 终端CA
# [ v3_ica_end ]
# basicConstraints		= critical, CA:true, pathlen:0
# keyUsage				= critical, cRLSign, digitalSignature, keyCertSign
# subjectKeyIdentifier	= hash


# # Web服务器
# [ v3_web_server ]
# basicConstraints        = critical, CA:FALSE
# keyUsage                = critical, digitalSignature, keyEncipherment
# extendedKeyUsage        = critical, serverAuth
# subjectKeyIdentifier    = hash
# subjectAltName          = @alt_web_server

# [ alt_web_server ]
# DNS.1   = www.example.com
# IP.1    = 11.4.5.14

# # VPN服务器
# [ v3_vpn_server ]
# basicConstraints        = critical, CA:FALSE
# keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
# extendedKeyUsage        = critical, serverAuth
# subjectKeyIdentifier    = hash
# subjectAltName          = @alt_vpn_server

# [ alt_vpn_server ]
# DNS.1   = www.example.com
# IP.1    = 11.4.5.14

# # 客户端
# [ v3_vpn_client ]
# basicConstraints        = critical, CA:FALSE
# keyUsage                = critical, digitalSignature, keyAgreement
# extendedKeyUsage        = critical, clientAuth
# subjectKeyIdentifier    = hash
# subjectAltName          = @alt_vpn_client

# [ alt_vpn_client ]
# DNS.1   = www.example.com
# IP.1    = 11.4.5.14

[ crl_ext ]

# 吊销列表扩展
# 只有 issuerAltName 和 authorityKeyIdentifier 能够在吊销列表中使用
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always, issuer:always

# 代理证书扩展(未使用，懒得找了，猜测是跟ca部分的那个类似用途)
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo