Created
July 14, 2017 01:40
-
-
Save sturadnidge/67bc038f00db65690e8a61951f734c51 to your computer and use it in GitHub Desktop.
openssl config file for a root CA that will sign requests with subjectAltName(s)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # OpenSSL example configuration file. | |
| # This is mostly being used for generation of certificate requests. | |
| # | |
| # This definition stops the following lines choking if HOME isn't | |
| # defined. | |
| HOME = . | |
| RANDFILE = $ENV::HOME/.rnd | |
| # Extra OBJECT IDENTIFIER info: | |
| #oid_file = $ENV::HOME/.oid | |
| oid_section = new_oids | |
| [ new_oids ] | |
| # We can add new OIDs in here for use by 'ca' and 'req'. | |
| # Add a simple OID like this: | |
| # testoid1=1.2.3.4 | |
| # Or use config file substitution like this: | |
| # testoid2=${testoid1}.5.6 | |
| #################################################################### | |
| [ ca ] | |
| default_ca = CA_default # The default ca section | |
| #################################################################### | |
| [ CA_default ] | |
| dir = /usr/local/rootCA | |
| certs = $dir/certs | |
| crl_dir = $dir/crl | |
| database = $dir/index.txt | |
| unique_subject = no | |
| new_certs_dir = $dir/new_certs | |
| certificate = $dir/rootCA.cert | |
| serial = $dir/serial | |
| crlnumber = $dir/crlnumber | |
| crl = $dir/crl.pem | |
| private_key = $dir/rootCA.key | |
| RANDFILE = $dir/private/.rand | |
| x509_extensions = usr_cert | |
| name_opt = ca_default # Subject Name options | |
| cert_opt = ca_default # Certificate field options | |
| copy_extensions = copy | |
| default_days = 3650 | |
| default_crl_days = 365 | |
| default_md = sha256 | |
| preserve = no | |
| policy = policy_anything | |
| [ policy_anything ] | |
| countryName = optional | |
| stateOrProvinceName = optional | |
| localityName = optional | |
| organizationName = optional | |
| organizationalUnitName = optional | |
| commonName = supplied | |
| emailAddress = optional | |
| #################################################################### | |
| [ req ] | |
| default_bits = 2048 | |
| default_keyfile = rootCA.key | |
| distinguished_name = req_distinguished_name | |
| attributes = req_attributes | |
| x509_extensions = v3_ca # The extentions to add to the self signed cert | |
| encrypt_key = no | |
| string_mask = nombstr | |
| [ req_distinguished_name ] | |
| countryName = Country Name (2 letter code) | |
| countryName_default = AU | |
| countryName_min = 2 | |
| countryName_max = 2 | |
| stateOrProvinceName = State or Province Name (full name) | |
| stateOrProvinceName_default = NSW | |
| localityName = Locality Name (eg, city) | |
| localityName_default = Sydney | |
| 0.organizationName = Organization Name (eg, company) | |
| 0.organizationName_default = Pivotal | |
| organizationalUnitName = Organizational Unit Name (eg, section) | |
| #organizationalUnitName_default = | |
| commonName = Common Name (e.g. server FQDN or YOUR name) | |
| commonName_max = 64 | |
| emailAddress = Email Address | |
| emailAddress_max = 64 | |
| [ req_attributes ] | |
| challengePassword = A challenge password | |
| challengePassword_min = 4 | |
| challengePassword_max = 20 | |
| unstructuredName = An optional company name | |
| [ usr_cert ] | |
| # These extensions are added when 'ca' signs a request. | |
| basicConstraints=CA:FALSE | |
| keyUsage = nonRepudiation, digitalSignature, keyEncipherment | |
| subjectKeyIdentifier=hash | |
| authorityKeyIdentifier=keyid,issuer | |
| [ v3_req ] | |
| # Extensions to add to a certificate request | |
| basicConstraints = CA:FALSE | |
| keyUsage = nonRepudiation, digitalSignature, keyEncipherment | |
| [ v3_ca ] | |
| # Extensions for a typical CA | |
| subjectKeyIdentifier=hash | |
| authorityKeyIdentifier=keyid:always,issuer:always | |
| basicConstraints = CA:true | |
| [ crl_ext ] | |
| # CRL extensions. | |
| # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. | |
| # issuerAltName=issuer:copy | |
| authorityKeyIdentifier=keyid:always,issuer:always | |
| [ proxy_cert_ext ] | |
| # These extensions should be added when creating a proxy certificate | |
| basicConstraints=CA:FALSE | |
| nsComment = "OpenSSL Generated Certificate" | |
| subjectKeyIdentifier=hash | |
| authorityKeyIdentifier=keyid,issuer:always | |
| proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo |
To issue a cert from a request (see https://gist.github.com/sturadnidge/c6351940d84896107608e41f5417f20a for how to generate certificate requests)
openssl ca -in A_CERT_REQUEST.csr -out A_CERT.cert -config /path/to/rootCA.cfg
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
generate a key and cert for the rootCA itself:
openssl req -new -x509 -keyout rootCA.key -out rootCA.cert -config rootCA.cfg -days 3650create starting files
mkdir new_certstouch index.txtopenssl rand -hex 16 > serialYou're now ready to issue certs.