# OpenSSL intermediate CA configuration file [ default ] name = intermediateCA default_ca = CA_default crl_url = http://127.0.0.1:8080/$name [ CA_default ] # Directory and file locations dir = . certs = $dir/CA crl_dir = $dir/CA new_certs_dir = $dir/CA database = $dir/CA/index.txt serial = $dir/CA/serial rand_serial = yes private_key = $dir/CA/$name.key certificate = $dir/tmp/$name.pem crlnumber = $dir/CA/crlnumber crl_extensions = crl_ext default_md = sha256 preserve = no policy = policy_loose default_startdate = 180101000000Z default_enddate = 241231000000Z x509_extensions = v3_req email_in_dn = yes default_days = 2200 [ req ] # Options for the `req` tool encrypt_key = no default_bits = 2048 default_md = sha256 string_mask = utf8only distinguished_name = req_distinguished_name x509_extensions = usr_extensions [ crl_ext ] # Extension for CRLs authorityKeyIdentifier = keyid:always [ usr_extensions ] # Extension to add when the -x509 option is used basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer extendedKeyUsage = codeSigning [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer extendedKeyUsage = codeSigning crlDistributionPoints = @crl_info [ crl_info ] URI.0 = $crl_url [ policy_loose ] # Allow the intermediate CA to sign a more diverse range of certificates. # See the POLICY FORMAT section of the `ca` man page. countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req_distinguished_name ] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = Common Name emailAddress = Email Address