foreverzmy · August 15, 2024 01:01
diff --git a/simple-root-ca.cnf b/simple-root-ca.cnf
 # OpenSSL root CA configuration file.
 # Copy to `./root/openssl.cnf`.

 [ ca ]
 # `man ca`
 default_ca = CA_default

 [ CA_default ]
 # Directory and file locations.
 dir               = ./root
 new_certs_dir     = $dir
 database          = $dir/index.txt
 serial            = $dir/serial


 # The root key and root certificate.
 private_key       = $dir/ca.key.pem
 certificate       = $dir/ca.cert.pem

 policy            = policy_strict

 [ policy_strict ]
 # The root CA should only sign intermediate certificates that match.
 # See the POLICY FORMAT section of `man ca`.
 countryName             = match
 stateOrProvinceName     = match
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional

 [ req ]
 # Options for the `req` tool (`man req`).
 default_bits        = 2048
 distinguished_name  = req_distinguished_name
 string_mask         = utf8only

 # Extension to add when the -x509 option is used.
 x509_extensions     = v3_ca

 [ req_distinguished_name ]
 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
 countryName                     = Country Name (2 letter code)
 stateOrProvinceName             = State or Province Name
 localityName                    = Locality Name
 0.organizationName              = Organization Name
 organizationalUnitName          = Organizational Unit Name
 commonName                      = Common Name
 emailAddress                    = Email Address

 [ v3_ca ]
 # Extensions for a typical CA (`man x509v3_config`).
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign

 [ v3_intermediate_ca ]
 # Extensions for a typical intermediate CA (`man x509v3_config`).
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
	# OpenSSL root CA configuration file.
	# Copy to `./root/openssl.cnf`.

	[ ca ]
	# `man ca`
	default_ca = CA_default

	[ CA_default ]
	# Directory and file locations.
	dir = ./root
	new_certs_dir = $dir
	database = $dir/index.txt
	serial = $dir/serial


	# The root key and root certificate.
	private_key = $dir/ca.key.pem
	certificate = $dir/ca.cert.pem

	policy = policy_strict

	[ policy_strict ]
	# The root CA should only sign intermediate certificates that match.
	# See the POLICY FORMAT section of `man ca`.
	countryName = match
	stateOrProvinceName = match
	organizationName = match
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	[ req ]
	# Options for the `req` tool (`man req`).
	default_bits = 2048
	distinguished_name = req_distinguished_name
	string_mask = utf8only

	# Extension to add when the -x509 option is used.
	x509_extensions = v3_ca

	[ req_distinguished_name ]
	# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
	countryName = Country Name (2 letter code)
	stateOrProvinceName = State or Province Name
	localityName = Locality Name
	0.organizationName = Organization Name
	organizationalUnitName = Organizational Unit Name
	commonName = Common Name
	emailAddress = Email Address

	[ v3_ca ]
	# Extensions for a typical CA (`man x509v3_config`).
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign

	[ v3_intermediate_ca ]
	# Extensions for a typical intermediate CA (`man x509v3_config`).
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true, pathlen:0
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign