1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
[ ca ]
default_ca = CA
[ CA ]
# Database
dir = .
certs = $dir/certs/
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
# Although we use $ openssl ca -rand_serial, this seems necessary.
serial = $dir/serial
RANDFILE = $dir/.rand
private_key = $dir/ca.key
certificate = $dir/ca.crt
# CRL
crlnumber = $dir/crlnumber
crl = $dir/ca.crl
crl_extensions = crl_ext
# Root CA CRL: 1 year
default_crl_days = 365
# Cryptography
default_md = sha512
# Policy
name_opt = ca_default
cert_opt = ca_default
# Intermediate CA: 10 years
default_days = 3650
preserve = no
policy = policy_ca
[ policy_ca ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 4096
distinguished_name = req_dn
string_mask = utf8only
# s/sha512/sha256/, according to Jimmy (isrg uses sha256)
default_md = sha256
x509_extensions = extensions
[ req_dn ]
commonName = Common Name
countryName = Country Name (2 letter code)
# For simplicity
#stateOrProvinceName = State or Province Name
#localityName = Locality Name
#0.organizationName = Organization Name
# CAB Baseline (BR) v2.0.0
# OU name must not present
# Email address is not recommended (as per Jimmy)
#organizationalUnitName = Organizational Unit Name
#emailAddress = Email Address
commonName_default = Test Root CA
countryName_default = CA
#stateOrProvinceName_default = British Columbia
#localityName_default = Vancouver
#0.organizationName_default = Yuuta Home
#organizationalUnitName_default = IT
#emailAddress_default = yuuta@yuuta.moe
[ extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Seems like it is completely unnecessary to put CRL and AIA in RootCA
# because they point to the issuer's info.
# crlDistributionPoints = crldp
# Because I don't have a real OID
#certificatePolicies = @polset
# Seems like it is unnecessary.
#authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
[ extensions_sub ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen: 0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
crlDistributionPoints = crldp
authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
#[ polset ]
#policyIdentifier = 1.3.6.1.4.1.191981.5.1.1
#CPS.1 = "http://home.yuuta.moe/pki/policy"
#userNotice.1 = @polset_notice
#
#[ polset_notice ]
#explicitText = "This certificate authority is for internal use only."
[ crldp ]
fullname = URI:http://home.yuuta.moe/pki/rootca.crl
[ crl_ext ]
authorityKeyIdentifier = keyid:always
|