# Defaults in the event they're not set in the environment CA_DIR = out KEY_SIZE = 2048 ALGO = sha256 CERT_TYPE = root CA_NAME = req_env_dn [ca] default_ca = CA_root preserve = yes # The default test root, used to generate certificates and CRLs. [CA_root] dir = $ENV::CA_DIR key_size = $ENV::KEY_SIZE algo = $ENV::ALGO cert_type = $ENV::CERT_TYPE type = $key_size-$algo-$cert_type database = $dir/$type-index.txt new_certs_dir = $dir serial = $dir/$type-serial certificate = $dir/$type.pem private_key = $dir/$type.key RANDFILE = $dir/.rand default_days = 3650 default_crl_days = 30 default_md = sha256 policy = policy_anything unique_subject = no copy_extensions = copy [user_cert] # Extensions to add when signing a request for an EE cert basicConstraints = critical, CA:false subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always extendedKeyUsage = serverAuth,clientAuth [ca_cert] # Extensions to add when signing a request for an intermediate/CA cert basicConstraints = critical, CA:true subjectKeyIdentifier = hash keyUsage = critical, keyCertSign, cRLSign [crl_extensions] # Extensions to add when signing a CRL authorityKeyIdentifier = keyid:always [policy_anything] # Default signing policy countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = optional emailAddress = optional [req] # The request section used to generate the root CA certificate. This should # not be used to generate end-entity certificates. For certificates other # than the root CA, see README to find the appropriate configuration file # (ie: openssl_cert.cnf). default_bits = $ENV::KEY_SIZE default_md = sha256 string_mask = utf8only prompt = no encrypt_key = no distinguished_name = $ENV::CA_NAME x509_extensions = req_ca_exts [req_env_dn] CN = QUIC Server Root CA [req_ca_exts] basicConstraints = critical, CA:true keyUsage = critical, keyCertSign, cRLSign subjectKeyIdentifier = hash