OpenSSL "req" - Good Sample openssl.conf
Where can I get a good sample configuration file, openssl.conf, for the OpenSSL "req" command?
✍: FYIcenter.com
Below is a good sample configuration file, openssl.conf, for the OpenSSL "req" command, with explanations:
```
C:\Users\fyicenter>type openssl.conf

# Unnamed section of generic options
# ...

# ------------------------------------------------------------------
# Default section for "req" command options
# ------------------------------------------------------------------
[req]

# SHA256 algorithm is recommended for signing CSR and certificate
default_md = sha256

# Random number seed and key length for generating new private keys
default_bits = 2048
RANDFILE = /fyicenter/random.seed

# Password for reading in existing private key file
# (stored here in clear text, so restrict read access to this file)
input_password = fyicenter

# File name for writing out new private key
default_keyfile = my_private.key

# Encrypt new private key with a default password (also stored in clear text)
encrypt_key = yes
output_password = fyicenter

# Prompt for DN field values and CSR attributes in ASCII
prompt = yes
utf8 = no

# Section pointer for DN field options
distinguished_name = my_req_dn_prompt

# Section pointer for CSR attribute options
attributes = my_req_attributes

# Section pointer for X.509 v3 extensions to be included in CSR
req_extensions = my_req_ext

# Section pointer for X.509 v3 extensions to be included in self-signed certificate
x509_extensions = my_req_x509_ext

# ------------------------------------------------------------------
# Section for prompting DN field values to create "subject"
# ------------------------------------------------------------------
[my_req_dn_prompt]

# Common name is optional
commonName = Common Name
commonName_max = 32
commonName_default = FYIcenter.com Root CA

# ISO2 country code is required with US as default
countryName = Country Name
countryName_min = 2
countryName_max = 2
countryName_default = US

# State is optional, so no minimum limit
stateOrProvinceName = State
stateOrProvinceName_max = 32
stateOrProvinceName_default = NY

# City is required (at least 3 characters), with New York as default
localityName = City
localityName_min = 3
localityName_max = 24
localityName_default = New York

# Organization is optional
organizationName = Organization
organizationName_max = 48
organizationName_default = FYIcenter.com

# Organization Unit is optional
organizationalUnitName = Department
organizationalUnitName_max = 48
organizationalUnitName_default = IT

# Email is optional
emailAddress = Email
emailAddress_max = 48
emailAddress_default = root_ca@fyicenter.com

# First name is optional
givenName = First Name
givenName_max = 24
givenName_default = John

# Last name is optional
surname = Last Name
surname_max = 24
surname_default = Smith

# Initials is optional
initials = Initials
initials_max = 8
initials_default = JS

# Full name is optional
name = Full Name
name_max = 32
name_default = John Smith

# DN qualifier is optional
dnQualifier = DN Qualifier
dnQualifier_max = 48
dnQualifier_default = fyicenter.com

# ------------------------------------------------------------------
# Section for prompting attributes to be included in CSR
# ------------------------------------------------------------------
[my_req_attributes]
challengePassword = Challenge password for CSR
challengePassword_default = fyicenter
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = Other notes for CSR
unstructuredName_default = Urgently needed
unstructuredName_max = 64

# ------------------------------------------------------------------
# Section for X.509 v3 extensions to be included in CSR
# ------------------------------------------------------------------
[my_req_ext]

# Most likely not requesting for signing a CA certificate
basicConstraints = CA:false

# Take the hash value of the subject
subjectKeyIdentifier = hash

# Most likely for digital signature, key encryption and data encryption
keyUsage = digitalSignature, keyEncipherment, dataEncipherment

# Most likely for server authentication, client authentication, etc.
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping

# Any additional subject to be certified,
# like email addresses, IP addresses, domain names, etc
# subjectAltName = email:john@fyicenter.com
# subjectAltName = IP:192.168.7.1, IP:192.168.7.101
# subjectAltName = DNS:*.fyicenter.fr, DNS:*.fyicenter.de

# ------------------------------------------------------------------
# Section for X.509 v3 extensions to be included in self-signed certificate
# ------------------------------------------------------------------
[my_req_x509_ext]

# Most likely for self-signed CA certificates
basicConstraints = critical, CA:true

# Take the hash value of the subject
subjectKeyIdentifier = hash

# Copy from subject keyId and subject itself
authorityKeyIdentifier = keyid:always, issuer:always

# Most likely for signing other public key certificates
keyUsage = keyCertSign

# Could be used for other purpose too
extendedKeyUsage = codeSigning, timeStamping

# Not so useful for a CA certificate
# subjectAltName = email:root_ca@fyicenter.com

# Copy from subject alternative name
issuerAltName = issuer:copy
```
Try it out. You may like it.
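A small pre-flight check for a "req" configuration like the one above, added here as an example and not part of the original FAQ or of OpenSSL: it flags the clear-text `input_password` / `output_password` options and any section pointer in `[req]` whose target section is missing. The function names, the weak-digest list and the 2048-bit floor are assumptions of this example, and the parser covers only the `[section]` / `key = value` subset of the OpenSSL syntax.

```python
import re

# Constructed sample: a shortened variant of the page's config in which
# req_extensions points at a section that is never defined.
SAMPLE = """\
[req]
default_md = sha256
default_bits = 2048
input_password = fyicenter   # clear-text secret
output_password = fyicenter
distinguished_name = my_req_dn_prompt
req_extensions = my_req_ext

[my_req_dn_prompt]
commonName = Common Name
"""

POINTERS = ("distinguished_name", "attributes", "req_extensions", "x509_extensions")
SECRETS = ("input_password", "output_password")
WEAK_MD = {"md5", "sha1"}  # assumption of this example

def parse_conf(text):
    """Parse the '[section]' / 'key = value' subset of the OpenSSL syntax."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: no quoted '#'
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def lint_req(text):
    """Return findings for the [req] section, in a fixed order."""
    conf = parse_conf(text)
    req = conf.get("req", {})
    findings = [f"clear-text secret: {k}" for k in SECRETS if k in req]
    if req.get("default_md", "").lower() in WEAK_MD:
        findings.append(f"weak digest: {req['default_md']}")
    bits = req.get("default_bits", "")
    if bits.isdigit() and int(bits) < 2048:
        findings.append(f"short key: {bits} bits")
    for key in POINTERS:
        if key in req and req[key] not in conf:
            findings.append(f"missing section: [{req[key]}] (from {key})")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_req(SAMPLE)))
```

Where a finding reports a clear-text secret, the `-passin` and `-passout` options of the "req" command can supply the password at run time instead of the file.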
2016-09-23