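# ----------------------------------------------------------------------
# Root CA: generate the root key and its self-signed certificate
# (openssl req -new -x509 -config <this file> ...).
#
# This page concatenates several independent OpenSSL configuration files
# (root CA, sub-CA/server/user requests, three signing configs). Keep
# each in its own file: OpenSSL does not expect [ req ] or
# [ CA_default ] to be defined several times in one configuration.
# ----------------------------------------------------------------------
[ req ]
# RSA key size of the root. 1024-bit RSA (the original value) is far
# below current minimums; a long-lived trust anchor warrants 4096.
default_bits = 4096
# Root private key. This key is the trust anchor of the whole PKI: keep
# it encrypted at rest (do not use -nodes), mode 0600, readable only by
# the CA operator, preferably on an offline machine.
default_keyfile = private/ca.key
# Signature hash. MD5 (the original value) has practical collision
# attacks and is rejected by modern verifiers; SHA-256 is the floor.
default_md = sha256
distinguished_name = req_distinguished_name
# Extensions applied to the self-signed certificate (only with -x509).
x509_extensions = rootca_cert
# DN string encoding. The original root config left it unset while the
# other configs used the obsolete "nombstr". Use one value in every
# config of this PKI; changing it after certificates have been issued
# may alter how issuer/subject names are encoded, so do not change it
# on an existing PKI without checking chain building.
string_mask = utf8only

[ req_distinguished_name ]
# Left of "=" is the DN attribute, right is the prompt shown by
# "openssl req"; "_default" entries are the proposed answers.
countryName = Pays
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Etat, province ou departement
stateOrProvinceName_default = Essonne
localityName = Ville
localityName_default = Evry
organizationName = Organisation
organizationName_default = INT
organizationalUnitName = Unite organisationnelle
organizationalUnitName_default = LOR
commonName = Nom commun
commonName_default = INT LOR Root CA
commonName_max = 64
emailAddress = Adresse mail
emailAddress_max = 64

[ rootca_cert ]
# Extensions of the root CA certificate.
# CA:true is critical so a verifier that does not understand
# basicConstraints rejects the chain instead of ignoring it.
# Consider "CA:true, pathlen:N" to bound how deep sub-CAs may chain.
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
# The root key only signs certificates and CRLs; no TLS or e-mail use.
keyUsage = critical, keyCertSign, cRLSign
authorityKeyIdentifier = keyid:always,issuer:always
# Netscape-era extensions: ignored by modern clients, kept only for
# legacy software. They can be dropped without affecting validation.
nsCertType = sslCA, emailCA, objCA
nsComment = "Certificat Racine. Genere par OpenSSL"
# Not needed on a root; left disabled as in the original.
# subjectAltName = email:copy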
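# ----------------------------------------------------------------------
# Intermediate (sub) CA: generate the sub-CA key and its certificate
# request (openssl req -new -config <this file> ...). The request is
# then signed by the root with the sub-CA signing config.
# Independent file; do not merge with the other configs on this page.
# ----------------------------------------------------------------------
[ req ]
# 1024-bit RSA (the original value) is too weak for a CA key.
default_bits = 4096
# Sub-CA private key: keep it encrypted, mode 0600, CA operator only.
default_keyfile = private/subca.key
# MD5 (the original value) is collision-broken; SHA-256 minimum.
default_md = sha256
distinguished_name = req_distinguished_name
# Extensions embedded in the CSR. The original used "x509_extensions",
# which "openssl req" only honours together with -x509 (self-signed
# output), so a plain request carried no extensions at all.
# The root signs with copy_extensions = none, so these are advisory:
# the signing config's [ subca_cert ] section decides what is issued.
req_extensions = subca_req
# DN string encoding; must be the same in every config of this PKI.
# "nombstr" (original) is obsolete.
string_mask = utf8only

[ req_distinguished_name ]
# Left of "=" is the DN attribute, right is the prompt shown by
# "openssl req"; "_default" entries are the proposed answers.
countryName = Pays
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Etat, province ou departement
stateOrProvinceName_default = Essonne
localityName = Ville
localityName_default = Evry
organizationName = Organisation
organizationName_default = INT
organizationalUnitName = Unite organisationnelle
organizationalUnitName_default = LOR
commonName = Nom commun
commonName_default = INT LOR LDAP CA
commonName_max = 64
emailAddress = Adresse mail
emailAddress_max = 64

[ subca_req ]
# Extensions requested for the intermediate CA certificate.
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
# authorityKeyIdentifier (original: "keyid, issuer:always") is omitted
# here: it is derived from the issuer's certificate, which does not
# exist when the request is built. The signing config sets it.
# Legacy Netscape extensions, disabled as in the original:
# nsCertType = sslCA, emailCA, objCA
# nsComment = "Requete de signature de certificat"
# subjectAltName = email:copy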
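# ----------------------------------------------------------------------
# Server certificate: generate the server key and its certificate
# request (openssl req -new -config <this file> ...).
# Independent file; do not merge with the other configs on this page.
# ----------------------------------------------------------------------
[ req ]
# 1024-bit RSA (the original value) is below current minimums.
default_bits = 2048
# Server private key: mode 0600, readable only by the service account.
default_keyfile = private/server.key
# MD5 (the original value) is collision-broken; SHA-256 minimum.
default_md = sha256
distinguished_name = req_distinguished_name
# The original line read "x509_extension = server_req" (singular).
# OpenSSL silently ignores unknown keys, so the [ server_req ] section
# was never applied. "req_extensions" embeds it in the CSR; the CA
# still decides what is issued (its config uses copy_extensions = none).
req_extensions = server_req
# DN string encoding; must be the same in every config of this PKI.
# "nombstr" (original) is obsolete.
string_mask = utf8only

[ req_distinguished_name ]
# Left of "=" is the DN attribute, right is the prompt shown by
# "openssl req"; "_default" entries are the proposed answers.
countryName = Pays
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Etat, province ou departement
stateOrProvinceName_default = Essonne
localityName = Ville
localityName_default = Evry
organizationName = Organisation
organizationName_default = INT
organizationalUnitName = Unite organisationnelle
organizationalUnitName_default = LOR
# The CN must be the server's DNS name. The original prompt suggested
# "the root CA's name", which yields a certificate no client will
# accept for the host. Modern TLS clients additionally require the
# hostname in subjectAltName (see [ server_req ]); the CN alone is
# no longer matched.
commonName = Nom commun (FQDN du serveur)
commonName_max = 64
emailAddress = Adresse mail
emailAddress_max = 64

[ server_req ]
# Extensions requested for the server certificate.
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Legacy Netscape extension; harmless, ignored by modern clients.
nsCertType = server
# nsComment = "Requete de signature de certificat"
# Hostnames belong in subjectAltName. The original (disabled) value
# "email:copy" only copies the DN e-mail address and does not help a
# TLS client. List the server's names instead, for example:
# subjectAltName = DNS:www.example.org, DNS:example.org
# and make sure the signing config carries the SAN into the issued
# certificate (see its copy_extensions setting).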
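# ----------------------------------------------------------------------
# User certificate: generate a user's key and certificate request
# (openssl req -new -config <this file> ...).
# Independent file; do not merge with the other configs on this page.
# ----------------------------------------------------------------------
[ req ]
# 1024-bit RSA (the original value) is below current minimums.
default_bits = 2048
# User private key: should be generated and kept by the user, encrypted.
default_keyfile = private/user.key
# MD5 (the original value) is collision-broken; SHA-256 minimum.
default_md = sha256
distinguished_name = req_distinguished_name
# Extensions embedded in the CSR. The original used "x509_extensions",
# which "openssl req" only honours with -x509; a plain request carried
# none. The CA signs with copy_extensions = none, so these remain
# advisory and the signing config decides what is issued.
req_extensions = user_req
# DN string encoding; must be the same in every config of this PKI.
# "nombstr" (original) is obsolete.
string_mask = utf8only

[ req_distinguished_name ]
# Left of "=" is the DN attribute, right is the prompt shown by
# "openssl req". No defaults: each user fills in their own values.
countryName = Pays
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Etat, province ou departement
localityName = Ville
organizationName = Organisation
organizationalUnitName = Unite organisationnelle
commonName = Nom commun
commonName_max = 64
emailAddress = Adresse mail
emailAddress_max = 64

[ user_req ]
# Extensions requested for the user certificate.
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
# Legacy Netscape extension; harmless, ignored by modern clients.
nsCertType = client, email
# nsComment = "Requete de signature de certificat"
# Copies the DN e-mail address into subjectAltName, where S/MIME
# clients look for it.
subjectAltName = email:copy
# Netscape-only CRL pointer (legacy). The standard equivalent is
# "crlDistributionPoints = URI:<url>", which belongs in the CA's
# signing config rather than in a request. Kept as in the original.
nsRevocationUrl = ldap://mesange.int-evry.fr:9009/ou=PKI,o=INT,c=FR?certificateRevocationList?sub?(cn=CRL)
# The other disabled Netscape entries of the stock template
# (issuerAltName, nsCaRevocationUrl, nsBaseUrl, nsRenewalUrl,
# nsCaPolicyUrl, nsSslServerName) were unused and are omitted.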
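# ----------------------------------------------------------------------
# Root CA signing config: issue an intermediate CA certificate from a
# sub-CA request (openssl ca -config <this file> -in subca.csr ...).
# Independent file; do not merge with the other configs on this page.
# ----------------------------------------------------------------------
[ ca ]
# The default ca section.
default_ca = CA_default

[ CA_default ]
# Where everything is kept.
dir = /usr/local/ssl
# Where the issued certs are kept.
certs = $dir/certs
# Where the issued CRLs are kept.
crl_dir = $dir/crl
# Database index file.
database = $dir/index.txt
# Default place for new certs.
new_certs_dir = $dir/newcerts
# The CA certificate. OpenSSL config keys are case-sensitive; the
# original "Certificate =" (capital C) is not the key "openssl ca"
# reads, so the CA certificate had to be supplied with -cert.
certificate = $dir/ca.pem
# The current serial number.
serial = $dir/serial
# The current CRL.
crl = $dir/ca.crl
# The root private key: encrypted, mode 0600, offline host.
private_key = $dir/private/ca.key
# Private random number file (legacy; harmless).
RANDFILE = $dir/private/.rand
# Lifetime of the sub-CA certificate in days (original value kept,
# about 12 years). A long lifetime widens the window of a key
# compromise; revisit against the CA's revocation and rotation plan.
default_days = 4383
# Days before the next CRL is due.
default_crl_days = 30
# Signature hash. MD5 (the original value) is collision-broken; an
# MD5-signed CA certificate can be forged. SHA-256 minimum.
default_md = sha256
# Keep passed DN ordering. The original "Preserve =" (capital P) is
# not the key "openssl ca" reads; "no" is also the default.
preserve = no
# Extensions placed in the issued certificate.
x509_extensions = subca_cert
# Never copy extensions from a CSR when issuing a CA certificate:
# the request could otherwise ask for arbitrary extensions. The
# [ subca_cert ] section is the only source of extensions.
copy_extensions = none
policy = policy_match

[ subca_cert ]
# Extensions of the intermediate CA certificate.
# Consider "CA:true, pathlen:0" so the intermediate cannot itself
# issue further CAs.
basicConstraints = critical, CA:true
authorityKeyIdentifier = keyid:always, issuer:always
subjectKeyIdentifier = hash
# The sub-CA key only signs certificates and CRLs.
keyUsage = critical, keyCertSign, cRLSign
# Legacy Netscape extensions, ignored by modern clients.
# nsCertType = sslCA, emailCA, objCA
nsComment = "Genere par OpenSSL"
# subjectAltName = email:copy

[ policy_match ]
# DN policy for sub-CA requests: country must equal the root's,
# organization and CN must be present, the rest is optional.
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional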
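# ----------------------------------------------------------------------
# Signing config: issue a server certificate from a server request
# (openssl ca -config <this file> -in server.csr ...).
# Independent file; do not merge with the other configs on this page.
# ----------------------------------------------------------------------
[ ca ]
# The default ca section.
default_ca = CA_default

[ CA_default ]
# Where everything is kept.
dir = /usr/local/ssl
# Where the issued certs are kept.
certs = $dir/certs
# Where the issued CRLs are kept.
crl_dir = $dir/crl
# Database index file.
database = $dir/index.txt
# Default place for new certs.
new_certs_dir = $dir/newcerts
# The CA certificate. OpenSSL config keys are case-sensitive; the
# original "Certificate =" (capital C) is not the key "openssl ca"
# reads, so the CA certificate had to be supplied with -cert.
certificate = $dir/ca.pem
# The current serial number.
serial = $dir/serial
# The current CRL.
crl = $dir/ca.crl
# The CA private key: encrypted, mode 0600, CA operator only.
private_key = $dir/private/ca.key
# Private random number file (legacy; harmless).
RANDFILE = $dir/private/.rand
# Server certificate lifetime in days (original value kept). Browsers
# cap publicly trusted TLS certificates at roughly 13 months; a private
# PKI may choose otherwise, but shorter lifetimes limit the damage of
# a leaked server key.
default_days = 730
# Days before the next CRL is due.
default_crl_days = 30
# Signature hash. MD5 (the original value) is collision-broken and
# rejected by modern TLS clients. SHA-256 minimum.
default_md = sha256
# Keep passed DN ordering. The original "Preserve =" (capital P) is
# not the key "openssl ca" reads; "no" is also the default.
preserve = no
# Extensions placed in the issued certificate.
x509_extensions = server_cert
# Extensions from the CSR are discarded; [ server_cert ] is the only
# source. See the subjectAltName note in that section.
copy_extensions = none
policy = policy_anything

[ server_cert ]
# Extensions of the issued server certificate.
basicConstraints = critical, CA:false
authorityKeyIdentifier = keyid:always
subjectKeyIdentifier = hash
# nonRepudiation (original value kept) is unusual for a TLS server key;
# digitalSignature and keyEncipherment are what TLS needs.
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Legacy Netscape extension; "objsign" on a server certificate is
# odd but ignored by modern clients.
nsCertType = server, objsign
nsComment = "Certificat serveur genere par OpenSSL pour INT/LOR"
# A TLS server certificate needs its hostname(s) in subjectAltName;
# browsers no longer match the CN. With copy_extensions = none the
# SAN in the CSR is dropped, so either set it here per issuance, e.g.
# subjectAltName = DNS:www.example.org
# (or pass -extfile at signing time), or use copy_extensions = copy.
# The latter is acceptable only because basicConstraints, keyUsage
# and extendedKeyUsage are fixed here and take precedence over the
# request. The original (disabled) "email:copy" does not help TLS.
# subjectAltName = email:copy
# The disabled Netscape entries of the stock template (issuerAltName,
# nsCaRevocationUrl, nsBaseUrl, nsRevocationUrl, nsRenewalUrl,
# nsCaPolicyUrl, nsSslServerName) were unused and are omitted.

[ policy_anything ]
# DN policy for server requests: country, organization and CN must be
# present; the rest is optional.
countryName = supplied
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional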
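# ----------------------------------------------------------------------
# Signing config: issue a user certificate from a user request
# (openssl ca -config <this file> -in user.csr ...).
# Independent file; do not merge with the other configs on this page.
# ----------------------------------------------------------------------
[ ca ]
# The default ca section.
default_ca = CA_default

[ CA_default ]
# Where everything is kept.
dir = /usr/local/ssl
# Where the issued certs are kept.
certs = $dir/certs
# Where the issued CRLs are kept.
crl_dir = $dir/crl
# Database index file.
database = $dir/index.txt
# Default place for new certs.
new_certs_dir = $dir/newcerts
# The CA certificate. OpenSSL config keys are case-sensitive; the
# original "Certificate =" (capital C) is not the key "openssl ca"
# reads, so the CA certificate had to be supplied with -cert.
certificate = $dir/ca.pem
# The current serial number.
serial = $dir/serial
# The current CRL.
crl = $dir/ca.crl
# The CA private key: encrypted, mode 0600, CA operator only.
private_key = $dir/private/ca.key
# Private random number file (legacy; harmless).
RANDFILE = $dir/private/.rand
# User certificate lifetime in days (original value kept).
default_days = 365
# Days before the next CRL is due.
default_crl_days = 30
# Signature hash. MD5 (the original value) is collision-broken;
# SHA-256 minimum.
default_md = sha256
# Keep passed DN ordering. The original "Preserve =" (capital P) is
# not the key "openssl ca" reads; "no" is also the default.
preserve = no
# Extensions placed in the issued certificate.
x509_extensions = user_cert
# Extensions from the CSR are discarded; [ user_cert ] is the only
# source, so a user cannot request CA:true or extra key usages.
copy_extensions = none
policy = policy_anything

[ user_cert ]
# Extensions of the issued user certificate.
basicConstraints = critical, CA:false
authorityKeyIdentifier = keyid:always
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
# Legacy Netscape extension, ignored by modern clients.
nsCertType = client, email, objsign
nsComment = "Certificat utilisateur genere par OpenSSL pour INT/LOR"
# Copies the DN e-mail address into subjectAltName, where S/MIME
# clients look for it.
subjectAltName = email:copy
# Standard CRL pointer, using the same endpoint the original only
# advertised through the Netscape-specific nsRevocationUrl below.
# Clients that check revocation read this extension, not the Netscape
# one. Verify that the endpoint really serves the CRL before issuing.
crlDistributionPoints = URI:ldap://mesange.int-evry.fr:9009/ou=PKI,o=INT,c=FR?certificateRevocationList?sub?(cn=CRL)
# Legacy Netscape CRL pointer, kept as in the original.
nsRevocationUrl = ldap://mesange.int-evry.fr:9009/ou=PKI,o=INT,c=FR?certificateRevocationList?sub?(cn=CRL)
# The disabled Netscape entries of the stock template (issuerAltName,
# nsCaRevocationUrl, nsBaseUrl, nsRenewalUrl, nsCaPolicyUrl,
# nsSslServerName) were unused and are omitted.

[ policy_anything ]
# DN policy for user requests: CN and e-mail must be present; every
# other attribute is optional.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied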