Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
 
 
 
 
 
 

138 righe
4.6 KiB

  1. [ ca ]
  2. # `man ca`
  3. default_ca = CA_default
  4. [ CA_default ]
  5. # Directory and file locations.
  6. dir = .
  7. certs = $dir/certs
  8. crl_dir = $dir/crl
  9. new_certs_dir = $dir/newcerts
  10. database = $dir/index.txt
  11. serial = $dir/serial
  12. RANDFILE = $dir/private/.rand
  13. # The root key and root certificate.
  14. private_key = $dir/root.key
  15. certificate = $dir/root.pem
  16. # For certificate revocation lists.
  17. crlnumber = $dir/crlnumber
  18. crl = $dir/crl/intermediate.crl.pem
  19. crl_extensions = crl_ext
  20. default_crl_days = 30
  21. # SHA-1 is deprecated, so use SHA-2 instead.
  22. default_md = sha256
  23. name_opt = ca_default
  24. cert_opt = ca_default
  25. default_days = 9999
  26. preserve = no
  27. policy = policy_loose
  28. [ policy_strict ]
  29. # The root CA should only sign intermediate certificates that match.
  30. # See the POLICY FORMAT section of `man ca`.
  31. countryName = match
  32. stateOrProvinceName = match
  33. organizationName = match
  34. organizationalUnitName = optional
  35. commonName = supplied
  36. emailAddress = optional
  37. [ policy_loose ]
  38. # Allow the intermediate CA to sign a more diverse range of certificates.
  39. # See the POLICY FORMAT section of the `ca` man page.
  40. countryName = optional
  41. stateOrProvinceName = optional
  42. localityName = optional
  43. organizationName = optional
  44. organizationalUnitName = optional
  45. commonName = supplied
  46. emailAddress = optional
  47. [ req ]
  48. # Options for the `req` tool (`man req`).
  49. default_bits = 4096
  50. distinguished_name = req_distinguished_name
  51. string_mask = utf8only
  52. [ req_distinguished_name ]
  53. countryName = Country Name (2 letter code)
  54. stateOrProvinceName = State or Province Name (full name)
  55. localityName = Locality Name (eg, city)
  56. organizationalUnitName = Organizational Unit Name (eg, section)
  57. commonName = Common Name
  58. stateOrProvinceName_default = City of London
  59. countryName_default = UK
  60. localityName_default = London
  61. organizationalUnitName_default = Among Bytes, Lab Testng
  62. commonName_default = www.pqsdk.com
  63. commonName_max = 64
  64. [ v3_ca ]
  65. # Extensions for a typical CA (`man x509v3_config`).
  66. subjectKeyIdentifier = hash
  67. authorityKeyIdentifier = keyid:always,issuer
  68. basicConstraints = critical, CA:true
  69. keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  70. [ v3_intermediate_ca ]
  71. # Extensions for a typical intermediate CA (`man x509v3_config`).
  72. subjectKeyIdentifier = hash
  73. authorityKeyIdentifier = keyid:always,issuer
  74. basicConstraints = critical, CA:true
  75. keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  76. extendedKeyUsage = serverAuth, clientAuth
  77. [ usr_cert ]
  78. # Extensions for client certificates (`man x509v3_config`).
  79. basicConstraints = CA:FALSE
  80. nsCertType = client, email
  81. nsComment = 'Among Bytes, Lab Testng, Intermediate Cert'
  82. subjectKeyIdentifier = hash
  83. authorityKeyIdentifier = keyid,issuer
  84. keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
  85. extendedKeyUsage = clientAuth, emailProtection
  86. [ server_cert ]
  87. # Extensions for server certificates (`man x509v3_config`).
  88. basicConstraints = CA:FALSE
  89. nsCertType = server
  90. nsComment = 'Among Bytes, Lab Testng, TLS Server'
  91. subjectKeyIdentifier = hash
  92. authorityKeyIdentifier = keyid,issuer:always
  93. keyUsage = critical, digitalSignature, keyEncipherment
  94. extendedKeyUsage = serverAuth
  95. subjectAltName = @alt_names
  96. [ client_cert ]
  97. # Extensions for server certificates (`man x509v3_config`).
  98. basicConstraints = CA:FALSE
  99. nsCertType = client, email
  100. nsComment = 'Among Bytes, Lab Testng, TLS Client'
  101. subjectKeyIdentifier = hash
  102. authorityKeyIdentifier = keyid,issuer
  103. keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
  104. extendedKeyUsage = clientAuth, emailProtection
  105. [ crl_ext ]
  106. # Extension for CRLs (`man x509v3_config`).
  107. authorityKeyIdentifier = keyid:always
  108. [ ocsp ]
  109. # Extension for OCSP signing certificates (`man ocsp`).
  110. basicConstraints = CA:FALSE
  111. subjectKeyIdentifier = hash
  112. authorityKeyIdentifier = keyid,issuer
  113. keyUsage = critical, digitalSignature
  114. extendedKeyUsage = critical, OCSPSigning
  115. [alt_names]
  116. DNS.1 = www.pqsdk.com
  117. DNS.2 = iot.pqsdk.com
  118. DNS.3 = vpn.pqsdk.com
  119. DNS.4 = *.pqsdk.com