OpenSSL Config File for Creating Certificate Signing Requests

Posted on August 3 2022 under security and openssl

openssl.conf

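# OpenSSL "req" configuration: creates a new RSA private key and a certificate
# signing request (CSR) whose commonName and subjectAltName come from $HOSTNAME.
#
# HOSTNAME must be present in the environment of the openssl process (in many
# shells it is a shell variable that is not exported), otherwise the config
# fails to load. It should hold the exact DNS name clients will connect to:
#   export HOSTNAME=host.example.com      (constructed sample value)
#
# Create the key and the CSR:
# openssl req -new -config ./$HOSTNAME.conf -keyout ./$HOSTNAME.key -out ./$HOSTNAME.csr
#
# Optionally self-sign the CSR (test/lab use; 3650 days is a ten-year lifetime):
# openssl x509 -req -days 3650 -signkey ./$HOSTNAME.key -in ./$HOSTNAME.csr -out ./$HOSTNAME.crt
#
# NOTE: "x509 -req" does not copy the extensions requested in the CSR by
# default, so the certificate produced by the command above has no
# subjectAltName, keyUsage or extendedKeyUsage. To keep them, add
#   -extfile ./$HOSTNAME.conf -extensions req_extensions
# (or, on OpenSSL 3.0 and later, -copy_extensions copy), then confirm with
#   openssl x509 -in ./$HOSTNAME.crt -noout -text

# Names the section that registers extra OID short names.
oid_section = OIDs

# OIDs under Microsoft's 1.3.6.1.4.1.311 arc; only needed when the commented-out
# certificateTemplateName / caVersion extensions below are enabled.
[ OIDs ]
certificateTemplateName = 1.3.6.1.4.1.311.20.2
caVersion               = 1.3.6.1.4.1.311.21.1

[ req ]
# RSA modulus size, in bits, for the key that "req -new" generates.
default_bits            = 3072
# The private key is written WITHOUT a passphrase. Restrict access to the .key
# file (for example run under "umask 077") and keep it out of backups and
# repositories that are readable by others.
encrypt_key             = no
# Digest used to sign the request.
default_md              = sha384
string_mask             = nombstr
# Take the subject from req_distinguished_name instead of asking interactively.
prompt                  = no
distinguished_name      = req_distinguished_name
req_extensions          = req_extensions

# Subject of the request. Uncomment and fill in the fields the CA requires.
[ req_distinguished_name ]
#countryName             =
#stateOrProvinceName     =
#localityName            =
#organizationName        =
#organizationalUnitName  =
commonName              = ${ENV::HOSTNAME}
#emailAddress            =

# Extensions requested in the CSR. The issuing CA decides which of them end up
# in the certificate, so check the issued certificate rather than the request.
[ req_extensions ]
basicConstraints        = CA:FALSE
# Request only the usages the certificate needs: nonRepudiation is not required
# for TLS, and keyEncipherment is only used by RSA key-exchange cipher suites.
keyUsage                = digitalSignature, keyEncipherment, nonRepudiation
# Drop clientAuth if the certificate is only ever presented by a server.
extendedKeyUsage        = clientAuth, serverAuth
#certificateTemplateName = ASN1:PRINTABLESTRING:WebServer
#caVersion               = ASN1:INTEGER:0
subjectAltName          = @req_alt_names

[ req_alt_names ]
# Variable references are resolved by the key name as written in the section.
# req_distinguished_name defines "commonName"; it has no key called "CN", so
# the short name cannot be expanded and the config would fail to load.
DNS.1                   = ${req_distinguished_name::commonName}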