OpenSSL [ca] Section in Configuration File

Q

How to provide OpenSSL "ca" command options in the configuration file? I see examples of using the [ca] section.

✍: FYIcenter.com

A

Yes, you can use the [ca] section to provide OpenSSL "ca" command options in the configuration file. But there are 4 ways to provide "ca" command options:

1. Using the unnamed section - You can put all "ca" command options in the unnamed section of the configuration file. You need to set "default_ca=empty" and keep the [empty] section empty. For example:

# Unnamed section of generic options
...

# "ca" command options
default_ca    = empty
default_md    = md5
serial        = ./my_ca/certs.seq
new_certs_dir = ./my_ca/certs
database      = ./my_ca/certs.db
...

# empty section
[empty]

2. Using a named default section - You can put all "ca" command options in a named section, like "[my_ca_default]", in the configuration file. Then you can set "default_ca=my_ca_default" in the unnamed section. For example:

# Unnamed section of generic options
...
default_ca    = my_ca_default

# default section for "ca" command options
[my_ca_default]
default_md    = md5
serial        = ./my_ca/certs.seq
new_certs_dir = ./my_ca/certs
database      = ./my_ca/certs.db
...

3. Using a named default section and the [ca] section - You can put all "ca" command options in a named section, like "[my_ca_default]", in the configuration file. Then you can set "default_ca=my_ca_default" in the [ca] section. For example:

# Unnamed section of generic options
...

# section for the "default_ca" option
[ca]
default_ca    = my_ca_default

# default section for "ca" command options
[my_ca_default]
default_md    = md5
serial        = ./my_ca/certs.seq
new_certs_dir = ./my_ca/certs
database      = ./my_ca/certs.db
...

4. Using a named section selected on the command line - You can put all "ca" command options in a named section, like "[my_ca_internal]", in the configuration file. Then you use the "ca -name=my_ca_internal" command line option to access them. For example:

# Unnamed section of generic options
...

# section for the "default_ca" option
[ca]
default_ca    = my_ca_default

# default section for "ca" command options
[my_ca_default]

# section for "ca" command options for internal certificates
[my_ca_internal]
default_md    = md5
serial        = ./my_ca_internal/certs.seq
new_certs_dir = ./my_ca_internal/certs
database      = ./my_ca_internal/certs.db
...
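
To check which section a given configuration file will actually hand to the "ca" command, and whether that section still signs with a weak digest such as the md5 used in the samples above, the following added example (not FYIcenter or OpenSSL code) models the lookup in Python. It assumes a simplified file format (no variable expansion or includes) and that a key missing from a named section falls back to the unnamed section, which is what makes methods 1 and 2 work; all function names are hypothetical.

```python
# Added example: simplified model of how "openssl ca" picks its option section.
WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}  # unsuitable for certificate signing

def parse_conf(text):
    """Parse section/key/value lines; the unnamed section is stored as 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lookup(sections, section, key):
    """Look in the named section first, then fall back to the unnamed one."""
    value = sections.get(section, {}).get(key)
    return value if value is not None else sections["default"].get(key)

def ca_section(sections, name=None):
    """Section used by 'ca': the -name argument, else the default_ca option."""
    return name or lookup(sections, "ca", "default_ca")

def audit(text, name=None):
    """Return (section, default_md, is_weak) for the CA section in effect."""
    sections = parse_conf(text)
    section = ca_section(sections, name)
    if section is None:
        raise LookupError("lookup failed for ca::default_ca")
    md = lookup(sections, section, "default_md")
    return section, md, (md or "").lower() in WEAK_DIGESTS

# Constructed sample inputs mirroring methods 1, 3 and 4 above.
METHOD_1 = "default_ca = empty\ndefault_md = md5\n[empty]\n"
METHOD_3 = "[ca]\ndefault_ca = my_ca_default\n[my_ca_default]\ndefault_md = sha256\n"
METHOD_4 = METHOD_3 + "[my_ca_internal]\ndefault_md = md5\n"

if __name__ == "__main__":
    for label, conf, name in [("1", METHOD_1, None), ("3", METHOD_3, None),
                              ("4", METHOD_4, "my_ca_internal")]:
        print("method", label, audit(conf, name))
```

Run it against a real file by passing the file's text to audit(); a True in the third field means the selected section should have default_md raised to sha256 or stronger before the CA issues anything.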


2016-09-09