# OpenSSL intermediate CA configuration file. # Copy to `/root/ca/intermediate/openssl.cnf`. oid_section = new_oids [ ca ] # `man ca` default_ca = CA_default [ CA_default ] # Directory and file locations. dir = /home/pkiadmin/ica # CHANGEME certs = $dir/certs crl_dir = $dir/crl new_certs_dir = $dir/newcerts database = $dir/index.txt serial = $dir/serial RANDFILE = $dir/private/.rand # The root key and root certificate. private_key = $dir/private/ica.key # CHANGEME certificate = $dir/certs/ica.crt # CHANGEME # For certificate revocation lists. crlnumber = $dir/crlnumber crl = $dir/crl/ica.crl # CHANGEME crl_extensions = crl_ext default_crl_days = 30 # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha512 name_opt = ca_default cert_opt = ca_default default_days = 2200 preserve = no policy = policy_loose unique_subject = no #Ensure that the extensione in the CSR make it to the signed certificate (like subjectAltNames) copy_extensions = copy [ policy_loose ] # Allow the intermediate CA to sign a more diverse range of certificates. # See the POLICY FORMAT section of the `ca` man page. countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] # Options for the `req` tool (`man req`). default_bits = 4096 distinguished_name = req_distinguished_name string_mask = utf8only prompt = no # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha512 [ req_distinguished_name ] countryName = AU # CHANGEME localityName = Queensland # CHANGEME 0.organizationName = COMPANY NAME # CHANGEME commonName = COMPANY-NAME-CA # CHANGEME emailAddress = email@company.com # CHANGEME [ usr_cert ] # Extensions for client certificates (`man x509v3_config`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection [ usr_cert_smart ] # Extensions for client certificates (`man x509v3_config`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin [ server_cert ] # Extensions for server certificates (`man x509v3_config`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth [ bitlocker_cert ] # Extensions for bitlocker encryption certificates (`man x509v3_config`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, keyEncipherment, dataEncipherment, keyAgreement extendedKeyUsage = critical, bitLocker, msEFS [ codesig_cert ] # Extensions for code signing certificates (`man x509v3_config`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature extendedKeyUsage = codeSigning, msCodeInd, msCodeCom [ crl_ext ] # Extension for CRLs (`man x509v3_config`). authorityKeyIdentifier=keyid:always [ ocsp ] # Extension for OCSP signing certificates (`man ocsp`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, digitalSignature extendedKeyUsage = critical, OCSPSigning [ new_oids ] bitLocker = 1.3.6.1.4.1.311.67.1.1