OpenSSL "req" - Good Sample openssl.conf

Q

Where can I get a good sample configuration file, openssl.conf, for the OpenSSL "req" command?

✍: FYIcenter.com

A

Below is a good sample configuration file, openssl.conf, for the OpenSSL "req" command, with explanations:

C:\Users\fyicenter>type openssl.conf

# Unnamed section of generic options
# ...

# ------------------------------------------------------------------
# Default section for "req" command options
# ------------------------------------------------------------------
[req]

# SHA256 algorithm is recommended for signing CSR and certificate 
default_md         = sha256

# Random number seed and key length for generating new private keys
default_bits       = 2048
RANDFILE           = /fyicenter/random.seed

# Password for reading in existing private key file (kept here in clear text)
input_password     = fyicenter

# File name for writing out new private key
default_keyfile    = my_private.key

# Encrypt new private key with a default password (kept here in clear text)
encrypt_key        = yes
output_password    = fyicenter

# Prompt for DN field values and CSR attributes in ASCII
prompt             = yes
utf8               = no

# Section pointer for DN field options
distinguished_name = my_req_dn_prompt

# Section pointer for CSR attribute options
attributes         = my_req_attributes

# Section pointer for X.509 v3 extensions to be included in CSR
req_extensions     = my_req_ext

# Section pointer for X.509 v3 extensions to be included in self-signed certificate
x509_extensions    = my_req_x509_ext

# ------------------------------------------------------------------
# Section for prompting DN field values to create "subject"
# ------------------------------------------------------------------
[my_req_dn_prompt]

# Common name is optional
commonName         = Common Name
commonName_max     = 32
commonName_default = FYIcenter.com Root CA

# ISO2 country code is required with US as default
countryName         = Country Name
countryName_min     = 2
countryName_max     = 2
countryName_default = US

# State is optional, so no minimum limit
stateOrProvinceName         = State
stateOrProvinceName_max     = 32
stateOrProvinceName_default = NY

# City is required (at least 3 characters), with New York as default
localityName         = City
localityName_min     = 3
localityName_max     = 24
localityName_default = New York

# Organization is optional
organizationName         = Organization
organizationName_max     = 48
organizationName_default = FYIcenter.com

# Organization Unit is optional
organizationalUnitName         = Department
organizationalUnitName_max     = 48
organizationalUnitName_default = IT

# Email is optional
emailAddress         = Email
emailAddress_max     = 48
emailAddress_default = root_ca@fyicenter.com

# First name is optional
givenName         = First Name
givenName_max     = 24
givenName_default = John

# Last name is optional
surname         = Last Name
surname_max     = 24
surname_default = Smith

# Initials are optional
initials         = Initials
initials_max     = 8
initials_default = JS

# Full name is optional
name         = Full Name
name_max     = 32
name_default = John Smith

# DN qualifier is optional
dnQualifier         = DN Qualifier
dnQualifier_max     = 48
dnQualifier_default = fyicenter.com

# ------------------------------------------------------------------
# Section for prompting attributes to be included in CSR
# ------------------------------------------------------------------
[my_req_attributes]
challengePassword         = Challenge password for CSR
challengePassword_default = fyicenter
challengePassword_min     = 4
challengePassword_max     = 20

unstructuredName         = Other notes for CSR
unstructuredName_default = Urgently needed
unstructuredName_max     = 64

# ------------------------------------------------------------------
# Section for X.509 v3 extensions to be included in CSR
# ------------------------------------------------------------------
[my_req_ext]

# Most likely not requesting a CA certificate
basicConstraints       = CA:false

# Take the hash value of the subject's public key
subjectKeyIdentifier   = hash

# Most likely for digital signature, key encryption and data encryption
keyUsage               = digitalSignature, keyEncipherment, dataEncipherment

# Most likely for server authentication, client authentication, etc.
extendedKeyUsage       = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping

# Any additional subject names to be certified,
# like email addresses, IP addresses, domain names, etc.
# subjectAltName         = email:john@fyicenter.com
# subjectAltName         = IP:192.168.7.1, IP:192.168.7.101
# subjectAltName         = DNS:*.fyicenter.fr, DNS:*.fyicenter.de

# ------------------------------------------------------------------
# Section for X.509 v3 extensions to be included in self-signed certificate
# ------------------------------------------------------------------
[my_req_x509_ext]

# Most likely for self-signed CA certificates
basicConstraints       = critical, CA:true

# Take the hash value of the subject's public key
subjectKeyIdentifier   = hash

# Copy key identifier and issuer name from the issuer (the subject itself when self-signed)
authorityKeyIdentifier = keyid:always, issuer:always

# Most likely for signing other public key certificates
keyUsage               = keyCertSign

# Could be used for other purpose too
extendedKeyUsage       = codeSigning, timeStamping

# Not so useful for a CA certificate
# subjectAltName         = email:root_ca@fyicenter.com

# Copy from the issuer's subject alternative name
issuerAltName          = issuer:copy

Try it out. You may like it.
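An added example, not part of the original page or of OpenSSL: a Python check that reads a "req" configuration like the one above, follows its section pointers, and flags settings to review before the file is used. The names parse_conf and audit_req, the 2048-bit floor and the md5/sha1 list are assumptions of this example.

```python
import re

# Constructed sample: a trimmed copy of the settings shown on this page.
SAMPLE_CONF = """\
[req]
default_md       = sha256
default_bits     = 2048
input_password   = fyicenter
output_password  = fyicenter
req_extensions   = my_req_ext
x509_extensions  = my_req_x509_ext
[my_req_ext]
basicConstraints = CA:false
[my_req_x509_ext]
basicConstraints = critical, CA:true
"""

def parse_conf(text):
    """Parse 'name = value' lines into {section: {name: value}}; no $var expansion."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (no quoting/escapes)
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[name] = value
    return sections

def audit_req(text):
    """Return review findings for [req] and the extension sections it points to."""
    conf = parse_conf(text)
    req = conf.get("req", {})
    findings = [f"{key}: key password stored in clear text"
                for key in ("input_password", "output_password") if key in req]
    if int(req.get("default_bits", "2048")) < 2048:  # assumed floor: the page's value
        findings.append("default_bits: RSA key shorter than 2048 bits")
    if req.get("default_md", "sha256").lower() in ("md5", "sha1"):  # assumed weak list
        findings.append("default_md: weak digest for signing")
    def constraints(pointer):  # follow a section pointer to its basicConstraints
        return conf.get(req.get(pointer, ""), {}).get("basicConstraints", "").lower()
    if "ca:true" in constraints("req_extensions").replace(" ", ""):
        findings.append("req_extensions: CSR requests CA:true")
    ca = constraints("x509_extensions")
    if "ca:true" in ca.replace(" ", "") and "critical" not in ca:
        findings.append("x509_extensions: CA:true not marked critical")
    return findings
```

Calling audit_req(SAMPLE_CONF) returns the two clear-text password findings; the other checks fire only when the corresponding values are weakened.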

 


2016-09-23