subudear · January 18, 2025 10:43
diff --git a/root_certificate.config b/root_certificate.config
 # This is used with the 'openssl ca' command to sign a request
 [ca]
 default_ca = CA
 [CA]
 # Where OpenSSL stores information
 dir             = .
 certs           = $dir/certs
 crldir          = $dir/crldir
 new_certs_dir   = $certs/newcerts
 database        = $dir/index
 certificate     = $certs/rootcrt.pem
 private_key     = $dir/rootprivkey.pem
 crl             = $crldir/crl.pem   
 serial          = $dir/serial.txt
 RANDFILE        = $dir/.rand
 # How OpenSSL will display certificate after signing
 name_opt    = ca_default
 cert_opt    = ca_default
 # How long the CA certificate is valid for
 default_days = 3650
 # The message digest for self-signing the certificate
 default_md = sha512
 # Subjects don't have to be unique in this CA's database
 unique_subject    = no
 # What to do with CSR extensions
 copy_extensions    = copy
 # Rules on mandatory or optional DN components
 policy      = simple_policy
 # Extensions added while singing with the `openssl ca` command
 x509_extensions = x509_ext
 [simple_policy]
 countryName             = optional
 stateOrProvinceName     = optional
 localityName            = optional
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = optional
 domainComponent         = optional
 emailAddress            = optional
 name                    = optional
 surname                 = optional
 givenName               = optional
 dnQualifier             = optional
 [ x509_ext ]
 # These extensions are for a CA certificate
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always
 basicConstraints            = critical, CA:TRUE
 keyUsage = critical, keyCertSign, cRLSign, digitalSignature
	# This is used with the 'openssl ca' command to sign a request
	[ca]
	default_ca = CA
	[CA]
	# Where OpenSSL stores information
	dir = .
	certs = $dir/certs
	crldir = $dir/crldir
	new_certs_dir = $certs/newcerts
	database = $dir/index
	certificate = $certs/rootcrt.pem
	private_key = $dir/rootprivkey.pem
	crl = $crldir/crl.pem
	serial = $dir/serial.txt
	RANDFILE = $dir/.rand
	# How OpenSSL will display certificate after signing
	name_opt = ca_default
	cert_opt = ca_default
	# How long the CA certificate is valid for
	default_days = 3650
	# The message digest for self-signing the certificate
	default_md = sha512
	# Subjects don't have to be unique in this CA's database
	unique_subject = no
	# What to do with CSR extensions
	copy_extensions = copy
	# Rules on mandatory or optional DN components
	policy = simple_policy
	# Extensions added while singing with the `openssl ca` command
	x509_extensions = x509_ext
	[simple_policy]
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = optional
	domainComponent = optional
	emailAddress = optional
	name = optional
	surname = optional
	givenName = optional
	dnQualifier = optional
	[ x509_ext ]
	# These extensions are for a CA certificate
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always
	basicConstraints = critical, CA:TRUE
	keyUsage = critical, keyCertSign, cRLSign, digitalSignature