kaito834 · August 18, 2019 05:05
diff --git a/root-ca_withAdditionalComments.conf b/root-ca_withAdditionalComments.conf
 # Download https://github.com/ivanr/bulletproof-tls/blob/master/private-ca/root-ca.conf and
 # Add additional comments to understand this OpenSSL configuration deeply
 # Referred version of root-ca.conf: https://github.com/ivanr/bulletproof-tls/commit/5a8db5563afe86aa8a47dcee4dee8fb9d409961e
 #
 # You can find a document below for OpenSSL configuration format
 # https://www.openssl.org/docs/manmaster/man5/config.html

 # https://www.openssl.org/docs/manmaster/man5/config.html#DESCRIPTION
 # "The first section of a configuration file is special and is referred to as the default section.
 #  This section is usually unnamed and spans from the start of file until the first named section.
 #  When a name is being looked up it is first looked up in a named section (if any) and then the default section."
 [default]
 name                    = root-ca
 domain_suffix           = example.com
 aia_url                 = http://$name.$domain_suffix/$name.crt
 crl_url                 = http://$name.$domain_suffix/$name.crl
 # https://www.openssl.org/docs/manmaster/man5/config.html#DESCRIPTION
 # "The value string undergoes variable expansion. This can be done by including the form $var or ${var}:
 #  this will substitute the value of the named variable in the current section."
 ocsp_url                = http://ocsp.$name.$domain_suffix:9080
 # https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
 # "Otherwise the section to be used must be named in the default_ca option of the ca section of the configuration file
 #  (or in the default section of the configuration file)."
 default_ca              = ca_default
 name_opt                = utf8,esc_ctrl,multiline,lname,align

 # Referred from section: req below
 [ca_dn]
 countryName             = "GB"
 organizationName        = "Example"
 commonName              = "Root CA"

 # This section is used by "openssl ca" command
 # https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
 [ca_default]
 home                    = .
 database                = $home/db/index
 serial                  = $home/db/serial
 crlnumber               = $home/db/crlnumber
 certificate             = $home/$name.crt
 private_key             = $home/private/$name.key
 RANDFILE                = $home/private/random
 new_certs_dir           = $home/certs
 unique_subject          = no
 # copy_extensions, https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
 # https://www.openssl.org/docs/manmaster/man1/ca.html#WARNINGS
 # "The copy_extensions option should be used with caution. If care is not taken then it can be a security risk.
 #  For example if a certificate request contains a basicConstraints extension with CA:TRUE and
 #  the copy_extensions value is set to copyall and the user does not spot this when the certificate is displayed
 #  then this will hand the requester a valid CA certificate."
 #
 # "This situation can be avoided by setting copy_extensions to copy and including basicConstraints
 #  with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension it will be ignored."
 copy_extensions         = none
 default_days            = 3650
 default_crl_days        = 365
 default_md              = sha256
 # https://www.openssl.org/docs/manmaster/man1/ca.html#POLICY-FORMAT
 # match   : must match the same field in the CA certificate
 # supplied: must be present
 # optional: may be present
 # Any fields not mentioned in the policy section are silently deleted, unless the -preserveDN option is set but this can be regarded more of a quirk than intended behaviour.
 policy                  = policy_c_o_match

 [policy_c_o_match]
 countryName             = match
 stateOrProvinceName     = optional
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional

 # This section is used by "openssl req" command
 # https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
 # "The configuration options are specified in the req section of the configuration file.
 #  As with all configuration files if no value is specified in the specific section (i.e. req)
 #  then the initial unnamed or default section is searched too."
 [req]
 default_bits            = 4096
 encrypt_key             = yes
 default_md              = sha256
 utf8                    = yes
 string_mask             = utf8only
 prompt                  = no
 # distinguished_name, https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
 # "This specifies the section containing the distinguished name fields to prompt for
 #  when generating a certificate or certificate request."
 # https://www.openssl.org/docs/manmaster/man1/req.html#DISTINGUISHED-NAME-AND-ATTRIBUTE-SECTION-FORMAT
 distinguished_name      = ca_dn
 # req_extensions, https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
 # "This specifies the configuration file section containing a list of extensions to add to the certificate request."
 req_extensions          = ca_ext

 # Referred from section: req above
 # https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
 [ca_ext]
 # https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Basic-Constraints
 # "This is a multi valued extension which indicates whether a certificate is a CA certificate."
 basicConstraints        = critical,CA:true
 # https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Key-Usage
 # "Key usage is a multi valued extension consisting of a list of names of the permitted key usages."
 keyUsage                = critical,keyCertSign,cRLSign
 subjectKeyIdentifier    = hash

 [sub_ca_ext]
 # https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#DESCRIPTION
 # "The long form allows the values to be placed in a separate section:
 # basicConstraints=critical,@bs_section"
 authorityInfoAccess     = @issuer_info
 authorityKeyIdentifier  = keyid:always
 basicConstraints        = critical,CA:true,pathlen:0
 crlDistributionPoints   = @crl_info
 # https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Extended-Key-Usage
 # "This extensions consists of a list of usages indicating purposes for which the certificate public key can be used for,"
 extendedKeyUsage        = clientAuth,serverAuth
 keyUsage                = critical,keyCertSign,cRLSign
 nameConstraints         = @name_constraints
 subjectKeyIdentifier    = hash

 [crl_info]
 URI.0                   = $crl_url

 [issuer_info]
 caIssuers;URI.0         = $aia_url
 OCSP;URI.0              = $ocsp_url

 [name_constraints]
 permitted;DNS.0=example.com
 permitted;DNS.1=example.org
 excluded;IP.0=0.0.0.0/0.0.0.0
 excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

 [ocsp_ext]
 authorityKeyIdentifier  = keyid:always
 basicConstraints        = critical,CA:false
 extendedKeyUsage        = OCSPSigning
 noCheck                 = yes
 keyUsage                = critical,digitalSignature
 subjectKeyIdentifier    = hash
	# Download https://github.com/ivanr/bulletproof-tls/blob/master/private-ca/root-ca.conf and
	# Add additional comments to understand this OpenSSL configuration deeply
	# Referred version of root-ca.conf: https://github.com/ivanr/bulletproof-tls/commit/5a8db5563afe86aa8a47dcee4dee8fb9d409961e
	#
	# You can find a document below for OpenSSL configuration format
	# https://www.openssl.org/docs/manmaster/man5/config.html

	# https://www.openssl.org/docs/manmaster/man5/config.html#DESCRIPTION
	# "The first section of a configuration file is special and is referred to as the default section.
	# This section is usually unnamed and spans from the start of file until the first named section.
	# When a name is being looked up it is first looked up in a named section (if any) and then the default section."
	[default]
	name = root-ca
	domain_suffix = example.com
	aia_url = http://$name.$domain_suffix/$name.crt
	crl_url = http://$name.$domain_suffix/$name.crl
	# https://www.openssl.org/docs/manmaster/man5/config.html#DESCRIPTION
	# "The value string undergoes variable expansion. This can be done by including the form $var or ${var}:
	# this will substitute the value of the named variable in the current section."
	ocsp_url = http://ocsp.$name.$domain_suffix:9080
	# https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
	# "Otherwise the section to be used must be named in the default_ca option of the ca section of the configuration file
	# (or in the default section of the configuration file)."
	default_ca = ca_default
	name_opt = utf8,esc_ctrl,multiline,lname,align

	# Referred from section: req below
	[ca_dn]
	countryName = "GB"
	organizationName = "Example"
	commonName = "Root CA"

	# This section is used by "openssl ca" command
	# https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
	[ca_default]
	home = .
	database = $home/db/index
	serial = $home/db/serial
	crlnumber = $home/db/crlnumber
	certificate = $home/$name.crt
	private_key = $home/private/$name.key
	RANDFILE = $home/private/random
	new_certs_dir = $home/certs
	unique_subject = no
	# copy_extensions, https://www.openssl.org/docs/manmaster/man1/ca.html#CONFIGURATION-FILE-OPTIONS
	# https://www.openssl.org/docs/manmaster/man1/ca.html#WARNINGS
	# "The copy_extensions option should be used with caution. If care is not taken then it can be a security risk.
	# For example if a certificate request contains a basicConstraints extension with CA:TRUE and
	# the copy_extensions value is set to copyall and the user does not spot this when the certificate is displayed
	# then this will hand the requester a valid CA certificate."
	#
	# "This situation can be avoided by setting copy_extensions to copy and including basicConstraints
	# with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension it will be ignored."
	copy_extensions = none
	default_days = 3650
	default_crl_days = 365
	default_md = sha256
	# https://www.openssl.org/docs/manmaster/man1/ca.html#POLICY-FORMAT
	# match : must match the same field in the CA certificate
	# supplied: must be present
	# optional: may be present
	# Any fields not mentioned in the policy section are silently deleted, unless the -preserveDN option is set but this can be regarded more of a quirk than intended behaviour.
	policy = policy_c_o_match

	[policy_c_o_match]
	countryName = match
	stateOrProvinceName = optional
	organizationName = match
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	# This section is used by "openssl req" command
	# https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
	# "The configuration options are specified in the req section of the configuration file.
	# As with all configuration files if no value is specified in the specific section (i.e. req)
	# then the initial unnamed or default section is searched too."
	[req]
	default_bits = 4096
	encrypt_key = yes
	default_md = sha256
	utf8 = yes
	string_mask = utf8only
	prompt = no
	# distinguished_name, https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
	# "This specifies the section containing the distinguished name fields to prompt for
	# when generating a certificate or certificate request."
	# https://www.openssl.org/docs/manmaster/man1/req.html#DISTINGUISHED-NAME-AND-ATTRIBUTE-SECTION-FORMAT
	distinguished_name = ca_dn
	# req_extensions, https://www.openssl.org/docs/manmaster/man1/req.html#CONFIGURATION-FILE-FORMAT
	# "This specifies the configuration file section containing a list of extensions to add to the certificate request."
	req_extensions = ca_ext

	# Referred from section: req above
	# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
	[ca_ext]
	# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Basic-Constraints
	# "This is a multi valued extension which indicates whether a certificate is a CA certificate."
	basicConstraints = critical,CA:true
	# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Key-Usage
	# "Key usage is a multi valued extension consisting of a list of names of the permitted key usages."
	keyUsage = critical,keyCertSign,cRLSign
	subjectKeyIdentifier = hash

	[sub_ca_ext]
	# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#DESCRIPTION
	# "The long form allows the values to be placed in a separate section:
	# basicConstraints=critical,@bs_section"
	authorityInfoAccess = @issuer_info
	authorityKeyIdentifier = keyid:always
	basicConstraints = critical,CA:true,pathlen:0
	crlDistributionPoints = @crl_info
	# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Extended-Key-Usage
	# "This extensions consists of a list of usages indicating purposes for which the certificate public key can be used for,"
	extendedKeyUsage = clientAuth,serverAuth
	keyUsage = critical,keyCertSign,cRLSign
	nameConstraints = @name_constraints
	subjectKeyIdentifier = hash

	[crl_info]
	URI.0 = $crl_url

	[issuer_info]
	caIssuers;URI.0 = $aia_url
	OCSP;URI.0 = $ocsp_url

	[name_constraints]
	permitted;DNS.0=example.com
	permitted;DNS.1=example.org
	excluded;IP.0=0.0.0.0/0.0.0.0
	excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

	[ocsp_ext]
	authorityKeyIdentifier = keyid:always
	basicConstraints = critical,CA:false
	extendedKeyUsage = OCSPSigning
	noCheck = yes
	keyUsage = critical,digitalSignature
	subjectKeyIdentifier = hash