What are policy options in the configuration file for the OpenSSL "ca" command?

Policy options in the configuration file are used by the OpenSSL "ca" command for 2 purposes:

• Defines validation rules for DN (Distinguished Name) fields.
• Defines the order of DN (Distinguished Name) fields in the certificate.

Policy options must provided in a named section, like [my_ca_policy], in the configuration file. Then you can:

• Use "policy=my_ca_policy" option in the configuration to point to that section.
• Use "-policy my_ca_policy" option in the command line to point to that section.

A policy option is defined with the DN field name and one of 3 possible values: "optional" - value not required for this DN field, "supplied" - value required for this DN field, "match" - value must match between subject and issuer.

Below is a good example of policy option section. It requires only the "commonName" field to have value. And "commonName" will be listed as the first field in the subject.

# section for DN field validation and order
[my_ca_policy]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional

⇒ Simple Working Configuration File for OpenSSL "ca"

⇐ OpenSSL "ca" Error "cannot lookup how many days ..."

⇑ OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials