openssl.cnf

# This config file is meant to provide sane values to OpenSSL
# to create a CA and sign certificates for typical webu usage
# (i.e. webserver, database connections, etc)
# It is possible to tweak verious configurations like
# extendedKeyUsage params.

HOME = .


[ ca ]
default_ca = CA_default


[ CA_default ]
dir              = .
serial           = $dir/serial
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/CA/ca.crt
private_key      = $dir/CA/private/ca.key
default_days     = 730
default_md       = sha512
preserve         = no                     # whether keep DN ordering
email_in_dn      = no
nameopt          = default_ca
certopt          = default_ca
policy           = policy_match

crlnumber        = $dir/crlnumber         # the current crl number
crl              = $dir/crl/crl.pem       # The current CRL
default_crl_days = 30                     # how long before next CRL

RANDFILE         = $dir/CA/private/.rand  # private random number file
copy_extensions  = copy                   # Honor extensions requested of us


[ req ]
default_bits       = 2048                 # Size of keys
default_keyfile    = key.pem              # name of generated keys
default_md         = sha256               # message digest algorithm
string_mask        = utf8only             # permitted characters
distinguished_name = req_distinguished_name
req_extensions     = v3_req


[ req_distinguished_name ]
0.organizationName      = Organization Name (company)
#organizationalUnitName = Organizational Unit Name (department, division)
#emailAddress           = Email Address
#emailAddress_max       = 40
localityName            = Locality Name (city, district)
stateOrProvinceName     = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max          = 64

# Defaults:
#0.organizationName_default     = Default ON
#organizationalUnitName_default = Default UN
#localityName_default           = Default LN
#stateOrProvinceName_default    = Default PN
#countryName_default            = Default CN
#emailAddress_default           = Default EA
commonName_default              = ${ENV::SUBJECT_ALT_NAME}


[ v3_req ]
basicConstraints     = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage     = critical,serverAuth, clientAuth
subjectAltName       = critical,DNS:${ENV::SUBJECT_ALT_NAME},DNS:www.${ENV::SUBJECT_ALT_NAME},email:move


[ v3_ca ]
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage               = cRLSign, keyCertSign
issuerAltName          = issuer:copy
subjectAltName         = critical,DNS:${ENV::SUBJECT_ALT_NAME},email:move


[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional


[ crl_ext ]    # CRL extensions.
issuerAltName          = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always