# Simple Signing CA # The [default] section contains global constants that can be referred to from # the entire configuration file. It may also hold settings pertaining to more # than one openssl command. [ default ] dir = {{top_dir}} # Top dir # The next part of the configuration file is used by the openssl req command. # It defines the CA's key pair, its DN, and the desired extensions for the CA # certificate. [ req ] default_bits = 2048 # RSA key size encrypt_key = yes # Protect private key default_md = sha1 # MD to use utf8 = yes # Input is UTF-8 string_mask = utf8only # Emit UTF-8 strings prompt = no # Don't prompt for DN distinguished_name = ca_dn # DN section req_extensions = ca_reqext # Desired extensions [ ca_dn ] 0.domainComponent = "io" 1.domainComponent = "openshift" organizationName = "OpenShift Origin" organizationalUnitName = "Logging Signing CA" commonName = "Logging Signing CA" [ ca_reqext ] keyUsage = critical,keyCertSign,cRLSign basicConstraints = critical,CA:true,pathlen:0 subjectKeyIdentifier = hash # The remainder of the configuration file is used by the openssl ca command. # The CA section defines the locations of CA assets, as well as the policies # applying to the CA. [ ca ] default_ca = signing_ca # The default CA section [ signing_ca ] certificate = $dir/ca.crt # The CA cert private_key = $dir/ca.key # CA private key new_certs_dir = $dir/ # Certificate archive serial = $dir/ca.serial.txt # Serial number file crlnumber = $dir/ca.crl.srl # CRL number file database = $dir/ca.db # Index file unique_subject = no # Require unique subject default_days = 730 # How long to certify for default_md = sha1 # MD to use policy = any_pol # Default naming policy email_in_dn = no # Add email to cert DN preserve = no # Keep passed DN ordering name_opt = ca_default # Subject DN display options cert_opt = ca_default # Certificate display options copy_extensions = copy # Copy extensions from CSR x509_extensions = client_ext # Default cert extensions default_crl_days = 7 # How long before next CRL crl_extensions = crl_ext # CRL extensions # Naming policies control which parts of a DN end up in the certificate and # under what circumstances certification should be denied. [ match_pol ] domainComponent = match # Must match 'simple.org' organizationName = match # Must match 'Simple Inc' organizationalUnitName = optional # Included if present commonName = supplied # Must be present [ any_pol ] domainComponent = optional countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = optional emailAddress = optional # Certificate extensions define what types of certificates the CA is able to # create. [ client_ext ] keyUsage = critical,digitalSignature,keyEncipherment basicConstraints = CA:false extendedKeyUsage = clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid [ server_ext ] keyUsage = critical,digitalSignature,keyEncipherment basicConstraints = CA:false extendedKeyUsage = serverAuth,clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid # CRL extensions exist solely to point to the CA certificate that has issued # the CRL. [ crl_ext ] authorityKeyIdentifier = keyid