# OpenSSL configuration file. [ req ] # Options for the `req` tool (`man req`). default_bits = 2048 distinguished_name = req_distinguished_name prompt = no # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 # Extension to add when the -x509 option is used. x509_extensions = v3_ca # Try to force use of PrintableString throughout string_mask = pkix [ req_distinguished_name ] C=GB ST=London L=London O=Google OU=Eng CN=FakeCertificateAuthority [ v3_ca ] subjectKeyIdentifier = 01020304 authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:10 keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly [ v3_int_ca ] subjectKeyIdentifier = 05060708 authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly extendedKeyUsage = serverAuth,clientAuth [ v3_int_ca_pair ] subjectKeyIdentifier = 0a0b0c0d authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly extendedKeyUsage = serverAuth,clientAuth [ v3_ca1 ] subjectKeyIdentifier = 11121314 authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:10 keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly [ v3_user ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, decipherOnly