root-ca.sample.conf

# Simple OpenSSL configuration file used to create a self-signed Root CA certificate.
# This file is used by the openssl req command and the openssl x509 command.

# ##################################################################################################
# The [default] section contains global constants that can be referred to from
# the entire configuration file. It may also hold settings pertaining to more
# than one openssl command.
# ##################################################################################################

[ default ]
local_pki_version=pki20190701
local_ca_name=root-ca # CA name
local_dir = /etc/ssl/$local_pki_version/$local_ca_name # Top dir where everything is kept
local_private_keys_directory=$local_dir/private

# ##################################################################################################
# The next part of the configuration file is used by the openssl req command.
# It defines the CA's key pair, its DN, and the desired extensions for the CA certificate.
# ##################################################################################################

[ req ]
default_bits = 4096 # RSA key size. The same as -newkey command line option.
default_keyfile = $local_private_keys_directory/$local_ca_name.key.pem # default filename to write a private key to -keyout
encrypt_key = no # Protect private key. The same as -nodes command line option.
default_md = sha512 # MD to use. The same as -digest command line option.
string_mask = utf8only # Emit UTF-8 strings
utf8 = yes # Input is UTF-8
distinguished_name = req_defined_distinguished_name # Specifies the section that defines the information needed to generate a self-signed certificate or certificate request. This field is required for both self-signed certificates and certificate requests.
attributes = req_attributes # section containing any request attributes
req_extensions = req_ext # Desired extensions to add to a certificate request.
prompt = no # Don't prompt for DN
subjectAltName = @alt_ca_main

[ req_defined_distinguished_name ]
O = "Organisation"
CN = "Common Name"

[ req_attributes ]
# empty

[ req_ext ]
# Extensions to use when generating the root CA certificate signing request
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, keyCertSign, cRLSign # digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, decipherOnly
subjectAltName = @alt_ca_main
subjectKeyIdentifier = hash # specifies how to identify the public key being certified.

# ##################################################################################################
# The remainder of the configuration file is used by the openssl x509 command.
# It defines section to add certificate extensions from.
# ##################################################################################################

[ root_ca_ext ]
# Extensions to use when self-signing the root CA
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, keyCertSign, cRLSign # digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, decipherOnly
subjectAltName = @alt_ca_main
subjectKeyIdentifier = hash # specifies how to identify the public key being certified.
authorityKeyIdentifier = keyid:always, issuer # specifies how to identify the public key being used to verify the signature on this certificate, and enables keys used by the same CA to be distinguished.
issuerAltName = issuer:copy

# ##################################################################################################
# Establish SubjectAltName (SAN) Profiles.
# ##################################################################################################

[ alt_ca_main ]
DNS.1 = Root Certification Authority
#EMAIL.1 = root@localhost
#IP.1=127.0.0.1

# ##################################################################################################
# Certificate extensions define what types of certificates the CA is able to create.
# ##################################################################################################
# keyUsage:
#
# keyCertSign
#   - Subject public key is used to verify signatures on certificates
#   - This extension must only be used for CA certificates
#
# cRLSign
#   - Subject public key is to verify signatures on revocation information, such as a CRL
#   - This extension must only be used for CA certificates
#
# digitalSignature
#   - Certificate may be used to apply a digital signature
#   - Digital signatures are often used for entity authentication & data origin authentication with integrity
#
# nonRepudiation
#   - Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services
#   - This prevents the signing entity from falsely denying some action
#
# keyEncipherment
#   - Certificate may be used to encrypt a symmetric key which is then transferred to the target
#   - Target decrypts key, subsequently using it to encrypt & decrypt data between the entities
#
# dataEncipherment
#   - Certificate may be used to encrypt & decrypt actual application data
#
# keyAgreement
#   - Certificate enables use of a key agreement protocol to establish a symmetric key with a target
#   - Symmetric key may then be used to encrypt & decrypt data sent between the entities
#
# encipherOnly
#   - Public key used only for enciphering data while performing key agreement
#   - Req. KU: keyAgreement
#
# decipherOnly
#   - Public key used only for deciphering data while performing key agreement
#   -Req. KU: keyAgreement
# ##################################################################################################