summaryrefslogtreecommitdiff
path: root/scripts/key-pair.template
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/key-pair.template')
-rw-r--r--scripts/key-pair.template46
1 files changed, 43 insertions, 3 deletions
diff --git a/scripts/key-pair.template b/scripts/key-pair.template
index 5b5b2a6..bbf5eb9 100644
--- a/scripts/key-pair.template
+++ b/scripts/key-pair.template
@@ -1,10 +1,15 @@
[ req ]
- default_bits = 1024
+ default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
+ string_mask = utf8only
attributes = req_attributes
+ dirstring_type = nobmp
+# SHA-1 is deprecated, so use SHA-2 instead.
+ default_md = sha256
+# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
- dirstring_type = nobmp
+
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
@@ -24,4 +29,39 @@
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
- basicConstraints = CA:true
+ basicConstraints = critical, CA:true
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ basicConstraints = critical, CA:true, pathlen:0
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = client, email
+ nsComment = "OpenSSL Generated Client Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+ extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = server
+ nsComment = "OpenSSL Generated Server Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer:always
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = serverAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+ authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+ basicConstraints = CA:FALSE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, digitalSignature
+ extendedKeyUsage = critical, OCSPSigning \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.1) at 2025-09-04 17:33:53 +0000