|
@@ -39,21 +39,21 @@ default_ca = CA_default # The default ca section
|
|
|
####################################################################
|
|
|
[ CA_default ]
|
|
|
|
|
|
-dir = ./demoCA # Where everything is kept
|
|
|
+dir = ./ca/ # Where everything is kept
|
|
|
certs = $dir/certs # Where the issued certs are kept
|
|
|
crl_dir = $dir/crl # Where the issued crl are kept
|
|
|
-database = $dir/index.txt # database index file.
|
|
|
+database = $dir/database.txt # database index file.
|
|
|
#unique_subject = no # Set to 'no' to allow creation of
|
|
|
# several ctificates with same subject.
|
|
|
new_certs_dir = $dir/newcerts # default place for new certs.
|
|
|
|
|
|
-certificate = $dir/cacert.pem # The CA certificate
|
|
|
+certificate = $dir/ca.crt # The CA certificate
|
|
|
serial = $dir/serial # The current serial number
|
|
|
crlnumber = $dir/crlnumber # the current crl number
|
|
|
# must be commented out to leave a V1 CRL
|
|
|
crl = $dir/crl.pem # The current CRL
|
|
|
-private_key = $dir/private/cakey.pem# The private key
|
|
|
-RANDFILE = $dir/private/.rand # private random number file
|
|
|
+private_key = $dir/ca.key # The private key
|
|
|
+RANDFILE = $dir/.rand # private random number file
|
|
|
|
|
|
x509_extensions = usr_cert # The extentions to add to the cert
|
|
|
|
|
@@ -68,7 +68,7 @@ cert_opt = ca_default # Certificate field options
|
|
|
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
|
|
# so this is commented out by default to leave a V1 CRL.
|
|
|
# crlnumber must also be commented out to leave a V1 CRL.
|
|
|
-# crl_extensions = crl_ext
|
|
|
+crl_extensions = crl_ext
|
|
|
|
|
|
default_days = 365 # how long to certify for
|
|
|
default_crl_days= 30 # how long before next CRL
|
|
@@ -212,7 +212,7 @@ authorityKeyIdentifier=keyid,issuer
|
|
|
#nsSslServerName
|
|
|
|
|
|
# This is required for TSA certificates.
|
|
|
-# extendedKeyUsage = critical,timeStamping
|
|
|
+extendedKeyUsage = critical,timeStamping
|
|
|
|
|
|
[ v3_req ]
|
|
|
|
|
@@ -243,13 +243,16 @@ authorityKeyIdentifier=keyid:always,issuer
|
|
|
# extensions.
|
|
|
#basicConstraints = critical,CA:true
|
|
|
# So we do this instead.
|
|
|
-basicConstraints = CA:true
|
|
|
+basicConstraints = CA:false
|
|
|
|
|
|
# Key usage: this is typical for a CA certificate. However since it will
|
|
|
# prevent it being used as an test self-signed certificate it is best
|
|
|
# left out by default.
|
|
|
# keyUsage = cRLSign, keyCertSign
|
|
|
|
|
|
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
|
+extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
|
|
|
+
|
|
|
# Some might want this also
|
|
|
# nsCertType = sslCA, emailCA
|
|
|
|
|
@@ -264,6 +267,8 @@ basicConstraints = CA:true
|
|
|
# You can even override a supported extension:
|
|
|
# basicConstraints= critical, DER:30:03:01:01:FF
|
|
|
|
|
|
+subjectAltName = @alt_names
|
|
|
+
|
|
|
[ crl_ext ]
|
|
|
|
|
|
# CRL extensions.
|