rustls-example/certs/ica/ica.conf

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# # Directory and file locations.
# dir               = /root/ca/intermediate
# certs             = $dir/certs
# crl_dir           = $dir/crl
# new_certs_dir     = $dir/newcerts
# database          = $dir/index.txt
# serial            = $dir/serial
# RANDFILE          = $dir/private/.rand

# # The root key and root certificate.
# private_key       = $dir/private/intermediate.key.pem
# certificate       = $dir/certs/intermediate.cert.pem

# # For certificate revocation lists.
# crlnumber         = $dir/crlnumber
# crl               = $dir/crl/intermediate.crl.pem
# crl_extensions    = crl_ext
# default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_loose

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 384
distinguished_name  = req_distinguished_name
string_mask         = utf8only
prompt                  = no
encrypt_key             = no

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = KR
stateOrProvinceName             = Seoul
localityName                    = Seoul
0.organizationName              = SCOPE.Inc
organizationalUnitName          = SCOPE Lab
commonName                      = SCOPE ICA (Lab)
emailAddress                    = scopelab@scope.co.kr

# Optionally, specify some defaults.
# countryName_default             = TR
# stateOrProvinceName_default     = Istanbul
# localityName_default            = Istanbul
# 0.organizationName_default      = Safderun
# organizationalUnitName_default  = Safderun Intermediate CA
# commonName_default              = Safderun Intermediate CA
# emailAddress_default            = burakberkkeskin@gmail.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
Initialize Commit 2024-08-05 16:52:19 +09:00			`[ ca ]`
			# `man ca`
			`default_ca = CA_default`

			`[ CA_default ]`
			`# # Directory and file locations.`
			`# dir = /root/ca/intermediate`
			`# certs = $dir/certs`
			`# crl_dir = $dir/crl`
			`# new_certs_dir = $dir/newcerts`
			`# database = $dir/index.txt`
			`# serial = $dir/serial`
			`# RANDFILE = $dir/private/.rand`

			`# # The root key and root certificate.`
			`# private_key = $dir/private/intermediate.key.pem`
			`# certificate = $dir/certs/intermediate.cert.pem`

			`# # For certificate revocation lists.`
			`# crlnumber = $dir/crlnumber`
			`# crl = $dir/crl/intermediate.crl.pem`
			`# crl_extensions = crl_ext`
			`# default_crl_days = 30`

			`# SHA-1 is deprecated, so use SHA-2 instead.`
			`default_md = sha256`

			`name_opt = ca_default`
			`cert_opt = ca_default`
			`default_days = 375`
			`preserve = no`
			`policy = policy_loose`

			`[ policy_strict ]`
			`# The root CA should only sign intermediate certificates that match.`
			# See the POLICY FORMAT section of `man ca`.
			`countryName = match`
			`stateOrProvinceName = match`
			`organizationName = match`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`[ policy_loose ]`
			`# Allow the intermediate CA to sign a more diverse range of certificates.`
			# See the POLICY FORMAT section of the `ca` man page.
			`countryName = optional`
			`stateOrProvinceName = optional`
			`localityName = optional`
			`organizationName = optional`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`[ req ]`
			# Options for the `req` tool (`man req`).
			`default_bits = 384`
			`distinguished_name = req_distinguished_name`
			`string_mask = utf8only`
			`prompt = no`
			`encrypt_key = no`

			`# SHA-1 is deprecated, so use SHA-2 instead.`
			`default_md = sha256`

			`# Extension to add when the -x509 option is used.`
			`x509_extensions = v3_ca`

			`[ req_distinguished_name ]`
			`# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.`
			`countryName = KR`
			`stateOrProvinceName = Seoul`
Fix: Invalid Certificate 2024-08-07 18:04:14 +09:00			`localityName = Seoul`
Initialize Commit 2024-08-05 16:52:19 +09:00			`0.organizationName = SCOPE.Inc`
			`organizationalUnitName = SCOPE Lab`
			`commonName = SCOPE ICA (Lab)`
			`emailAddress = scopelab@scope.co.kr`

			`# Optionally, specify some defaults.`
			`# countryName_default = TR`
			`# stateOrProvinceName_default = Istanbul`
			`# localityName_default = Istanbul`
			`# 0.organizationName_default = Safderun`
			`# organizationalUnitName_default = Safderun Intermediate CA`
			`# commonName_default = Safderun Intermediate CA`
			`# emailAddress_default = burakberkkeskin@gmail.com`

			`[ v3_ca ]`
			# Extensions for a typical CA (`man x509v3_config`).
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always,issuer`
			`basicConstraints = critical, CA:true`
			`keyUsage = critical, digitalSignature, cRLSign, keyCertSign`

			`[ v3_intermediate_ca ]`
			# Extensions for a typical intermediate CA (`man x509v3_config`).
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always,issuer`
			`basicConstraints = critical, CA:true, pathlen:0`
			`keyUsage = critical, digitalSignature, cRLSign, keyCertSign`

			`[ usr_cert ]`
			# Extensions for client certificates (`man x509v3_config`).
			`basicConstraints = CA:FALSE`
			`nsCertType = client, email`
			`nsComment = "OpenSSL Generated Client Certificate"`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid,issuer`
			`keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment`
			`extendedKeyUsage = clientAuth, emailProtection`

			`[ server_cert ]`
			# Extensions for server certificates (`man x509v3_config`).
			`basicConstraints = CA:FALSE`
			`nsCertType = server`
			`nsComment = "OpenSSL Generated Server Certificate"`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid,issuer:always`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`extendedKeyUsage = serverAuth`

			`[ crl_ext ]`
			# Extension for CRLs (`man x509v3_config`).
			`authorityKeyIdentifier=keyid:always`

			`[ ocsp ]`
			# Extension for OCSP signing certificates (`man ocsp`).
			`basicConstraints = CA:FALSE`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid,issuer`
			`keyUsage = critical, digitalSignature`
			`extendedKeyUsage = critical, OCSPSigning`