mkdir /opt/openssl_ca
mkdir /opt/openssl_ca/certs
mkdir /opt/openssl_ca/crl
mkdir /opt/openssl_ca/private
echo 0100 > /opt/openssl_ca/serial
touch /opt/openssl_ca/index
The most critical file for the CA is the OpenSSL configuration file, typically located in the CA home directory (for example, /opt/openssl_ca) and named openssl.cnf.
Sample OpenSSL configuration file (openssl.cnf):
HOME = .
RANDFILE = $ENV::HOME/.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /opt/openssl_ca
crl_dir = $dir/crl
database = $dir/index
new_certs_dir = $dir/certs
serial = $dir/serial
certificate = $dir/issuer.crt
private_key = $dir/private/issuer.key
policy = policy_match
default_days = 365
default_crl_days = 7
default_md = sha1
default_bits = 2048
preserve = no
unique_subject = no
x509_extensions = v3_req
copy_extensions = copy

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = optional

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province (spelled out)
localityName = City or Locality
organizationName = Organization
organizationalUnitName = Organizational Unit
commonName = Common Name (FQDN)
commonName_max = 64

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
crlDistributionPoints = URI:http://pki.example/issuer.crl

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign,keyCertSign
If the string_mask parameter is present in the OpenSSL configuration file, its value must permit the PrintableString encoding; suitable values are default, pkix, and nombstr.
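The following script is an added example, not code from the page or from any product it documents. It builds the directory layout and configuration described above in a throwaway location, creates the CA key and self-signed issuer certificate from the v3_ca section, issues one server certificate through `openssl ca` (exercising policy_match, copy_extensions and v3_req), verifies the result, then revokes it and publishes a CRL into crl_dir. Everything it assumes is invented for the demo: CA_DIR (a temp directory instead of /opt/openssl_ca, so no root is needed), the subjects, the hostname www.example.test and the CRL URL taken from the sample file. Where it deviates from the page's sample configuration, the reason is given in an inline comment: default_md is sha256 rather than sha1, string_mask is set explicitly to pkix (one of the values the text allows), and the CA's basicConstraints and keyUsage are marked critical.

```shell
#!/bin/sh
# Added example (not the page's code): throwaway CA with the layout above, then issue,
# verify, revoke and CRL-publish one certificate. CA_DIR, subjects, hostname: invented.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }
CA_DIR="${CA_DIR:-$(mktemp -d)}"
export CA_DIR   # openssl.cnf below refers to it as $ENV::CA_DIR

# Step 1: directories, serial counter, empty database (the page's mkdir/echo/touch).
create_ca_layout() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"    # signing key readable by the CA operator only
    echo 0100 > "$CA_DIR/serial"   # first serial number, hex
    : > "$CA_DIR/index"            # empty certificate database
}

# Step 2: the configuration; deviations from the page's sample are commented inline.
write_ca_config() {
    cat > "$CA_DIR/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ENV::CA_DIR
crl_dir = $dir/crl
database = $dir/index
new_certs_dir = $dir/certs
serial = $dir/serial
certificate = $dir/issuer.crt
private_key = $dir/private/issuer.key
policy = policy_match
default_days = 365
default_crl_days = 7
default_md = sha256    # page uses sha1; SHA-1 certificate signatures are rejected today
unique_subject = no
x509_extensions = v3_req
copy_extensions = copy
[ policy_match ]
organizationName = supplied    # DN fields absent from the policy are silently dropped
commonName = optional
[ req ]
string_mask = pkix    # permits PrintableString, as the text requires
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
organizationName = Organization
commonName = Common Name (FQDN)
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature,keyEncipherment
crlDistributionPoints = URI:http://pki.example/issuer.crl
[ v3_ca ]
basicConstraints = critical,CA:TRUE    # critical, as RFC 5280 requires for CA certs
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical,cRLSign,keyCertSign
[ server_ext ]
subjectAltName = DNS:www.example.test    # CSR extension; copy_extensions carries it over
EOF
}

# Step 3: CA key and self-signed CA certificate from the v3_ca section.
create_ca_cert() {
    openssl req -x509 -new -config "$CA_DIR/openssl.cnf" -extensions v3_ca -sha256 \
        -newkey rsa:2048 -nodes -keyout "$CA_DIR/private/issuer.key" -days 3650 \
        -subj "/O=Example Corp/CN=Example Issuing CA" -out "$CA_DIR/issuer.crt"
}

# Step 4: CSR with a SAN, signed by 'openssl ca'; $1 is the output path prefix.
issue_server_cert() {
    openssl req -new -config "$CA_DIR/openssl.cnf" -reqexts server_ext -sha256 \
        -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/O=Example Corp/CN=www.example.test"
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -notext -in "$1.csr" -out "$1.crt"
}

# Returns 0 when $1 chains to the CA, is an end-entity certificate and carries the SAN.
verify_server_cert() {
    openssl verify -CAfile "$CA_DIR/issuer.crt" "$1" >/dev/null || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE' || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:www.example.test'
}

# Returns 0 when the CRL verifies under the CA and CRL checking now rejects $1.
rejected_by_crl() {
    openssl crl -in "$CA_DIR/crl/issuer.crl" -CAfile "$CA_DIR/issuer.crt" -noout 2>&1 |
        grep -q 'verify OK' || return 1
    ! openssl verify -CAfile "$CA_DIR/issuer.crt" -CRLfile "$CA_DIR/crl/issuer.crl" \
        -crl_check "$1" >/dev/null 2>&1
}

main() {
    create_ca_layout; write_ca_config; create_ca_cert
    issue_server_cert "$CA_DIR/www"
    verify_server_cert "$CA_DIR/www.crt" && echo "issued certificate verifies"
    # Step 5: revoke the certificate and publish a CRL into crl_dir.
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/www.crt"
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/issuer.crl"
    rejected_by_crl "$CA_DIR/www.crt" && echo "revoked certificate rejected with CRL checking"
}
main
```

Run it as `CA_DIR=/opt/openssl_ca sh ca-demo.sh` (as root) to reproduce the page's layout exactly. After the run, `serial` reads 0101, `index` holds one line beginning with R for the revoked entry, and `certs/0100.pem` is the CA's archived copy of the issued certificate. The last step matters for operations: plain `openssl verify` still accepts the revoked certificate, and only a verifier that actually fetches and checks the CRL named in crlDistributionPoints (here simulated with -CRLfile -crl_check) rejects it.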