The man page for the config file format covers the syntax, and in some cases specifics. But most options are documented in the man pages of the subcommands they relate to, and it's hard to get a full picture of how the config file works.

Let's start with how the file is structured. For starters, it's an INI-type file, which means sections begin with a bracketed name (such as [ ca ]) and run until the next section begins. Anything within a section is a simple key=value pair. Sometimes a key's value is expected to be a section name. This means there is no finite list of possible sections that the parser understands.

The "ca" section defines the way the CA acts when using the ca command to sign certificates. However, the only thing that should be in the ca section is the name of the default CA's section. This "default" section to use can be overridden by passing -name to ca.

Here we start our CA_default section and define a variable to hold our base directory. "dir" is not a key that openssl recognizes, so it's just a variable.

certs / new_certs_dir - Depending on version, one or the other of these may be used, so we assign one a value and assign it to the other. This is, as you might expect, where certs go after we sign them.
database - This is the database of signed certificates. Openssl uses this internally to keep track of things.
certificate - The CA certificate.
private_key - The CA private key.
serial - The serial number which the CA is currently at. You should not initialize this with a number! Instead, use the -create_serial option, as mentioned in our Creating a CA page.
crldir - This isn't a config option to openssl, so it's just defining a variable like $dir.
crlnumber - This is the serial number, but for CRLs.
crl - The current CRL.
RANDFILE - This is a random file to read/write random data to/from.

x509_extensions - This defines the section in the file to find the x509v3 extensions to be added to signed certificates.
copy_extensions - When acting as a CA, we want to honor the extensions that are requested. Note that you do not want copyall here as it's a security risk and should only be used if you really know what you're doing: with copyall, an extension in the request overrides the same extension set by the CA's own extension section (basicConstraints, for example), so the requester rather than the CA decides what the signed certificate may do.
name_opt / cert_opt - These simply define the way that the name and certificate information are displayed to you for "confirmation" before signing a certificate and should be left as-is.

default_days / default_crl_days - The default life for a certificate and a CRL.
default_md - The default digest algorithm. This can be left alone unless you know what you're doing.
preserve - Whether or not to preserve the DN. Preserving the DN is a site-specific thing: if you want all your certs to have the same DN order, then say "no" here and openssl will re-order the attributes in the DNs of CSRs to make them consistent. However, if you want to let people determine the order of their DN, set this to "yes".
policy - This is the default policy section to use if none is specified.

In the "policy_match" policy, all fields listed as "match" must contain the exact same contents as that field in the CA's DN. All fields listed as "supplied" must be present. All fields listed as "optional" are allowed, but not required to be there. Anything allowed must be listed! So this policy requires the same country, State, and Organization name as the CA for all certs it signs.

Here we also define a "policy_anything" policy where we accept anything, and only require a CN. We can refer to this with -policy policy_anything.

At this point, we officially leave the ca area, and move into req.

Here we define the section for the req command. We define the default key size, the name of the keyfile, the section that defines how to form the DN (distinguished_name = req_distinguished_name), what attributes to put in the request, and the section that defines what x509 extensions to request. Note there is also a req_extensions key where you can name a section of extensions to include in the request itself. The string mask defines what kind of strings to accept; nombstr is basically non-UTF, printable strings.

We're now done with the req section and move on to req_distinguished_name, which as you'll recall is just the value we assigned to the distinguished_name key in req. Again, this will define how to form the DN. For example:

countryName = Country Name (2 letter code)

This says that countryName's description is "Country Name (2 letter code)"; its default is "US" and its min and max length are 2 letters (set with the countryName_default, countryName_min and countryName_max keys). Likewise:

stateOrProvinceName = State or Province Name (full name)
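To make the file structure described above concrete (sections, key=value pairs, $dir-style variables, and keys whose value names another section), here is an added example parser. It is not OpenSSL's own config parser and not code from this page; the embedded config text is constructed for the example, and the /etc/myca paths, the usr_cert section name and the exact set of keys are assumptions rather than anything taken from a real installation.

```python
"""Minimal parser for the INI-style structure of an openssl.cnf file.

Added example, not OpenSSL's parser: it handles only the pieces described
in the text above (sections, key=value pairs, $name expansion inside a
section, and keys whose value names another section).
"""
import re

# Constructed sample config mirroring the sections discussed above.
# The /etc/myca paths and the usr_cert section name are assumptions.
SAMPLE_CNF = """
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = /etc/myca
certs         = $dir/certs
new_certs_dir = $certs
database      = $dir/index.txt
serial        = $dir/serial
certificate   = $dir/ca.crt
private_key   = $dir/private/ca.key
crldir        = $dir/crl
crlnumber     = $crldir/crlnumber
crl           = $crldir/ca.crl
RANDFILE      = $dir/private/.rand
policy        = policy_match
x509_extensions = usr_cert   # comment after a value

[ policy_match ]
countryName = match
commonName  = supplied
"""

_SECTION_RE = re.compile(r"^\[\s*(\S+)\s*\]$")
_VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_cnf(text):
    """Return {section: {key: expanded_value}} for openssl.cnf-style text.

    Keys before the first section header land in the "default" section.
    A $name reference is resolved against the current section first, then
    the default section, using values already seen (so order matters,
    exactly as it does with a variable like $dir).
    """
    config = {"default": {}}
    current = config["default"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = _SECTION_RE.match(line)
        if header:
            current = config.setdefault(header.group(1), {})
            continue
        if "=" not in line:
            raise ValueError(f"expected key=value, got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))

        def lookup(match):
            name = match.group(1)
            if name in current:
                return current[name]
            if name in config["default"]:
                return config["default"][name]
            raise KeyError(f"undefined variable ${name} used by {key}")

        current[key] = _VAR_RE.sub(lookup, value)
    return config


def resolve_section(config, section, key):
    """Follow a key whose value names another section (e.g. ca -> default_ca).

    Raises KeyError if the named section does not exist, which is the
    mistake the text warns about: the parser has no fixed list of sections,
    so a typo here is only caught when the reference is followed.
    """
    name = config[section][key]
    if name not in config:
        raise KeyError(f"{section}.{key} names missing section [ {name} ]")
    return config[name]


if __name__ == "__main__":
    cfg = parse_cnf(SAMPLE_CNF)
    for k, v in resolve_section(cfg, "ca", "default_ca").items():
        print(f"{k:16} = {v}")
```

Running the block prints the fully expanded CA_default section, which is a quick way to see which file paths a given config will actually touch before pointing the ca command at it.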
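The policy rules (match / supplied / optional, with anything unlisted rejected) and the _default / _min / _max constraints of the req_distinguished_name section are easy to get subtly wrong, so here is an added example that applies both to a request DN. It is not OpenSSL's code and not from this page; the policy tables, the CA subject and the field limits are constructed for the example (policy_match and policy_anything follow the description above, the other values are assumptions).

```python
"""Policy and DN-field checks as described for the ca and req sections.

Added example, not OpenSSL's implementation: it works on plain dicts so it
runs stand-alone, and reproduces the rules from the text above.
"""

# Constructed policies. policy_match requires the same country, state and
# organization as the CA; policy_anything only requires a CN.
POLICY_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "match",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}
POLICY_ANYTHING = {
    "countryName": "optional",
    "stateOrProvinceName": "optional",
    "localityName": "optional",
    "organizationName": "optional",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

# Constructed CA subject; the values are assumptions for the example.
CA_DN = {
    "countryName": "US",
    "stateOrProvinceName": "California",
    "organizationName": "Example CA",
    "commonName": "Example Root",
}


def check_policy(policy, ca_dn, request_dn):
    """Return the list of policy violations for a request DN (empty = OK).

    match    -> the field must be present and equal the CA's own value
    supplied -> the field must be present
    optional -> the field may be present
    A field that the policy does not list at all is not allowed.
    """
    problems = []
    for field, rule in policy.items():
        value = request_dn.get(field)
        if rule == "match":
            if value is None:
                problems.append(f"{field}: must match the CA but is missing")
            elif value != ca_dn.get(field):
                problems.append(f"{field}: {value!r} does not match CA value {ca_dn.get(field)!r}")
        elif rule == "supplied":
            if value is None:
                problems.append(f"{field}: must be supplied")
        elif rule != "optional":
            raise ValueError(f"unknown policy rule {rule!r} for {field}")
    for field in request_dn:
        if field not in policy:
            problems.append(f"{field}: not listed in the policy, so not allowed")
    return problems


# Constructed req_distinguished_name constraints using the _default, _min
# and _max suffixes the text describes for countryName; commonName's limit
# is an assumption for the example.
REQ_DN_FIELDS = {
    "countryName": {"_default": "US", "_min": 2, "_max": 2},
    "stateOrProvinceName": {"_default": "California"},
    "commonName": {"_max": 64},
}


def apply_req_fields(fields, supplied):
    """Fill in _default values and enforce _min/_max lengths on a request DN.

    Returns the completed DN; raises ValueError on a length violation.
    """
    dn = {}
    for field, limits in fields.items():
        value = supplied.get(field, limits.get("_default"))
        if value is None:
            continue  # no value and no default: the field is simply left out
        if "_min" in limits and len(value) < limits["_min"]:
            raise ValueError(f"{field}: shorter than _min={limits['_min']}")
        if "_max" in limits and len(value) > limits["_max"]:
            raise ValueError(f"{field}: longer than _max={limits['_max']}")
        dn[field] = value
    return dn


if __name__ == "__main__":
    request = apply_req_fields(REQ_DN_FIELDS, {"commonName": "host.example"})
    print("request DN:", request)
    print("policy_match:", check_policy(POLICY_MATCH, CA_DN, request))
    print("policy_anything:", check_policy(POLICY_ANYTHING, CA_DN, request))
```

Note that a request which passes policy_anything can still fail policy_match (it needs the CA's organization name as well), which is the point of choosing the policy with -policy per signing run rather than relaxing the default one.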