OpenSSL "req" - Good Sample openssl.conf
Where can I get a good sample configuration file, openssl.conf, for the OpenSSL "req" command?
✍: FYIcenter.com
Below is a good sample configuration file, openssl.conf, for the OpenSSL "req" command,
with explanations:
C:\Users\fyicenter>type openssl.conf

# Unnamed section of generic options
# ...

# ------------------------------------------------------------------
# Default section for "req" command options
# ------------------------------------------------------------------
[req]

# SHA256 algorithm is recommended for signing CSR and certificate
default_md = sha256

# Random number seed and key length for generating new private keys
default_bits = 2048
RANDFILE = /fyicenter/random.seed

# Password for reading in existing private key file
# (stored in clear text: anyone who can read this file can read it)
input_password = fyicenter

# File name for writing out new private key
default_keyfile = my_private.key

# Encrypt new private key with a default password
# (output_password is also stored in clear text in this file)
encrypt_key = yes
output_password = fyicenter

# Prompt for DN field values and CSR attributes in ASCII
prompt = yes
utf8 = no

# Section pointer for DN field options
distinguished_name = my_req_dn_prompt

# Section pointer for CSR attribute options
attributes = my_req_attributes

# Section pointer for x.509 v3 extensions to be included in CSR
req_extensions = my_req_ext

# Section pointer for x.509 v3 extensions to be included in self-signed certificate
x509_extensions = my_req_x509_ext

# ------------------------------------------------------------------
# Section for prompting DN field values to create "subject"
# ------------------------------------------------------------------
[my_req_dn_prompt]

# Common name is optional
commonName = Common Name
commonName_max = 32
commonName_default = FYIcenter.com Root CA

# ISO2 country code is required with US as default
countryName = Country Name
countryName_min = 2
countryName_max = 2
countryName_default = US

# State is optional, so no minimum limit
stateOrProvinceName = State
stateOrProvinceName_max = 32
stateOrProvinceName_default = NY

# City is required, with New York as default
localityName = City
localityName_min = 3
localityName_max = 24
localityName_default = New York

# Organization is optional
organizationName = Organization
organizationName_max = 48
organizationName_default = FYIcenter.com

# Organization Unit is optional
organizationalUnitName = Department
organizationalUnitName_max = 48
organizationalUnitName_default = IT

# Email is optional
emailAddress = Email
emailAddress_max = 48
emailAddress_default = root_ca@fyicenter.com

# First name is optional
givenName = First Name
givenName_max = 24
givenName_default = John

# Last name is optional
surname = Last Name
surname_max = 24
surname_default = Smith

# Initials is optional
initials = Initials
initials_max = 8
initials_default = JS

# Full name is optional
name = Full Name
name_max = 32
name_default = John Smith

# DN qualifier is optional
dnQualifier = DN Qualifier
dnQualifier_max = 48
dnQualifier_default = fyicenter.com

# ------------------------------------------------------------------
# Section for prompting attributes to be included in CSR
# ------------------------------------------------------------------
[my_req_attributes]
challengePassword = Challenge password for CSR
challengePassword_default = fyicenter
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = Other notes for CSR
unstructuredName_default = Urgently needed
unstructuredName_max = 64

# ------------------------------------------------------------------
# Section for x.509 v3 extensions to be included in CSR
# ------------------------------------------------------------------
[my_req_ext]

# Most likely not requesting for signing a CA certificate
basicConstraints = CA:false

# Take the hash value of the subject
subjectKeyIdentifier = hash

# Most likely for digital signature, key encryption and data encryption
keyUsage = digitalSignature, keyEncipherment, dataEncipherment

# Most likely for server authentication, client authentication, etc.
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping

# Any additional subject to be certified,
# like email addresses, IP addresses, domain names, etc
# subjectAltName = email:john@fyicenter.com
# subjectAltName = IP:192.168.7.1, IP:192.168.7.101
# subjectAltName = DNS:*.fyicenter.fr, DNS:*.fyicenter.de

# ------------------------------------------------------------------
# Section for x.509 v3 extensions to be included in self-signed certificate
# ------------------------------------------------------------------
[my_req_x509_ext]

# Most likely for self-signed CA certificates
basicConstraints = critical, CA:true

# Take the hash value of the subject
subjectKeyIdentifier = hash

# Copy from subject keyId and subject itself
authorityKeyIdentifier = keyid:always, issuer:always

# Most likely for signing other public key certificates
keyUsage = keyCertSign

# Could be used for other purpose too
extendedKeyUsage = codeSigning, timeStamping

# Not so useful in a CA certificate
# subjectAltName = email:root_ca@fyicenter.com

# Copy from subject alternative name
issuerAltName = issuer:copy
Try it out. You may like it.
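The sample file keeps input_password, output_password and challengePassword_default in clear text, so anyone who can read openssl.conf learns the private key passphrase. The Python check below is an added example, not part of the original page; its finding labels and thresholds (MD5/SHA-1 digests, keys under 2048 bits) are assumptions of this example.

```python
import re

# Constructed sample: a trimmed copy of the settings in the file above.
SAMPLE = """\
[req]
default_md = sha256
default_bits = 2048
input_password = fyicenter
output_password = fyicenter
attributes = my_req_attributes
req_extensions = my_req_ext
[my_req_attributes]
challengePassword_default = fyicenter
[my_req_ext]
basicConstraints = CA:false
"""

def parse_conf(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    conf, section = {"": {}}, ""          # "" is the unnamed top section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def audit_req(conf):
    """Return sorted finding labels (labels are this example's own)."""
    req, found = conf.get("req", {}), set()
    for key in ("input_password", "output_password"):
        if key in req:                        # secret readable in the file
            found.add("cleartext:" + key)
    if "challengePassword_default" in conf.get(req.get("attributes"), {}):
        found.add("cleartext:challengePassword_default")
    if req.get("default_md", "").lower() in ("md5", "sha1"):
        found.add("weak:default_md")
    if int(req.get("default_bits", 2048)) < 2048:   # unset is not flagged
        found.add("weak:default_bits")
    if req.get("encrypt_key", "yes").lower() == "no":
        found.add("unencrypted:private_key")
    ext = conf.get(req.get("req_extensions"), {})
    if "ca:true" in ext.get("basicConstraints", "").lower().replace(" ", ""):
        found.add("csr_requests_ca")
    return sorted(found)
```

Calling audit_req(parse_conf(SAMPLE)) reports the three clear-text secrets; removing those keys makes "req" prompt for the passphrase instead.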
2016-09-23