1 # OpenSSL configuration file for Hotspot 2.0 PKI (Root CA)
4 RANDFILE = $ENV::HOME/.rnd
9 #logotypeoid=1.3.6.1.5.5.7.1.12
11 ####################################################################
13 default_ca = CA_default # The default ca section
15 ####################################################################
18 dir = ./rootCA # Where everything is kept
19 certs = $dir/certs # Where the issued certs are kept
20 crl_dir = $dir/crl # Where the issued crl are kept
21 database = $dir/index.txt # database index file.
22 #unique_subject = no # Set to 'no' to allow creation of
23 # several certificates with same subject
24 new_certs_dir = $dir/newcerts # default place for new certs.
26 certificate = $dir/cacert.pem # The CA certificate
27 serial = $dir/serial # The current serial number
28 crlnumber = $dir/crlnumber # the current crl number
29 # must be commented out to leave a V1 CRL
30 crl = $dir/crl.pem # The current CRL
31 private_key = $dir/private/cakey.pem# The private key
32 RANDFILE = $dir/private/.rand # private random number file
34 x509_extensions = usr_cert # The extentions to add to the cert
36 name_opt = ca_default # Subject Name options
37 cert_opt = ca_default # Certificate field options
39 default_days = 365 # how long to certify for
40 default_crl_days= 30 # how long before next CRL
41 default_md = default # use public key default MD
42 preserve = no # keep passed DN ordering
49 stateOrProvinceName = optional
50 organizationName = match
51 organizationalUnitName = optional
53 emailAddress = optional
56 countryName = optional
57 stateOrProvinceName = optional
58 localityName = optional
59 organizationName = optional
60 organizationalUnitName = optional
62 emailAddress = optional
64 ####################################################################
67 default_keyfile = privkey.pem
68 distinguished_name = req_distinguished_name
69 attributes = req_attributes
70 x509_extensions = v3_ca # The extentions to add to the self signed cert
72 input_password = @PASSWORD@
73 output_password = @PASSWORD@
75 string_mask = utf8only
77 [ req_distinguished_name ]
78 countryName = Country Name (2 letter code)
79 countryName_default = US
83 localityName = Locality Name (eg, city)
84 localityName_default = Tuusula
86 0.organizationName = Organization Name (eg, company)
87 0.organizationName_default = WFA Hotspot 2.0
89 ##organizationalUnitName = Organizational Unit Name (eg, section)
90 #organizationalUnitName_default =
93 commonName = Common Name (e.g. server FQDN or YOUR name)
97 emailAddress = Email Address
104 # Extensions to add to a certificate request
105 basicConstraints = CA:FALSE
106 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
107 subjectAltName=DNS:example.com,DNS:another.example.com
111 # Hotspot 2.0 PKI requirements
112 subjectKeyIdentifier=hash
113 basicConstraints = critical,CA:true
114 keyUsage = critical, cRLSign, keyCertSign
118 # issuerAltName=issuer:copy
119 authorityKeyIdentifier=keyid:always
123 basicConstraints = CA:FALSE
124 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
125 extendedKeyUsage = OCSPSigning