OpenSSL configuration examples

You can use the following example files with the openssl command if you want to avoid entering the values for each parameter required when creating certificates.

Note: You must update the configuration files with the actual values for your environment. For more information, see Creating CA signed certificates.

The sample configuration file to generate the Root CA certificate

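# Section read by the `openssl ca` command; default_ca names the CA section to use.
[ ca ]
default_ca = CA_LOC

# CA directory layout and defaults applied when this CA signs a request.
[ CA_LOC ]
# NOTE(review): prompt is documented as an `openssl req` setting, so it probably
# has no effect in this section - confirm, and set it under [ req ] if intended.
prompt = no
# Base directory of the CA; referenced below as $dir, so it must be defined first.
dir = /home/myuser/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# Root CA private key. Keep this file readable only by the account that operates the CA.
private_key = $dir/private/myrootCA.key
certificate = $dir/certs/myrootCA.crt
crlnumber = $dir/crlnum
crl = $dir/crl/mycrl.pem
# Days until the next CRL is due.
default_crl_days = 30
# no = the issued subject uses the field order of the policy section, not of the request.
preserve = no
policy = policy
# Validity in days of certificates issued by this CA.
default_days = 365
# Digest used for signing when -md is not given on the command line.
default_md = sha256
# Extensions requested in a CSR (for example subjectAltName) are not copied into
# the issued certificate unless copy_extensions or an extension section is
# configured for signing. Review requested extensions before honouring them.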

# Subject policy applied by `openssl ca`: "supplied" means the field must be
# present in the request. Field order is kept as in the original sample.
[ policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied

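# Defaults for `openssl req` when creating the root CA key and self-signed certificate.
[ req ]
# Take the subject from req_distinguished_name without prompting. Without this,
# the entries in that section are read as prompt text, not as field values.
prompt = no
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
# Extension section applied when a self-signed certificate is produced (-x509).
x509_extensions = v3_ca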

# Subject of the root CA certificate. All values are placeholders; replace them
# with your own. countryName takes a two-letter country code.
[ req_distinguished_name ]
countryName = AB
stateOrProvinceName = CD
localityName = EF_GH
organizationName = myorg
organizationalUnitName = myorgunit
commonName = mycn
emailAddress = myemail@example.com

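# Extensions for the self-signed root CA certificate.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
# A CA certificate must assert keyCertSign to sign certificates and cRLSign to
# sign CRLs; with only digitalSignature, validators that enforce key usage
# reject it as an issuer.
keyUsage = critical, digitalSignature, keyCertSign, cRLSign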

The sample configuration file to generate the CSR for a server certificate


# `openssl req` settings for the server certificate signing request (CSR).
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# Take subject values from the configuration file without prompting.
prompt = no
# NOTE(review): a CSR carries no validity period; the lifetime is chosen when
# the CA signs it. Confirm whether this key has any effect here.
days = 365


# Subject of the server certificate. All values are placeholders; replace them
# with your own. The policy section of the signing CA may require each field.
[ req_distinguished_name ]
countryName = AB
stateOrProvinceName = CD
localityName = EFG_HIJ
organizationName = MyOrg
organizationalUnitName = MyOrgUnit
commonName = mycommname.com
emailAddress = emailaddress@myemail.com

# Extensions requested in the CSR. The signing CA decides whether they appear in
# the issued certificate, so inspect the certificate after signing.
[ v3_req ]
basicConstraints = CA:false
# Restricts the certificate to TLS server authentication.
extendedKeyUsage = serverAuth
subjectAltName = @sans

# Host names for subjectAltName; list every name clients use to reach the server.
[ sans ]
DNS.0 = localhost
DNS.1 = myexampleserver.com

The sample configuration file to generate the CSR for a Client certificate


# `openssl req` settings for the client certificate signing request (CSR).
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# Take subject values from the configuration file without prompting.
prompt = no
# NOTE(review): a CSR carries no validity period; the lifetime is chosen when
# the CA signs it. Confirm whether this key has any effect here.
days = 365


# Subject of the client certificate. All values are placeholders; replace them
# with your own. The policy section of the signing CA may require each field.
[ req_distinguished_name ]
countryName = AB
stateOrProvinceName = CD
localityName = EFG_HIJ
organizationName = MyOrg
organizationalUnitName = MyOrgUnit
commonName = mycommname.com
emailAddress = emailaddress@myemail.com

# Extensions requested in the CSR. The signing CA decides whether they appear in
# the issued certificate, so inspect the certificate after signing.
[ v3_req ]
basicConstraints = CA:false
# Restricts the certificate to TLS client authentication.
extendedKeyUsage = clientAuth
subjectAltName = @sans

# Names placed in subjectAltName of the client certificate.
[ sans ]
DNS.0 = localhost
DNS.1 = myexampleclient.com