# OpenSSL configuration file for Hotspot 2.0 PKI (Root CA)
#
# Read by the openssl req/ca commands to create and operate the root CA.
# This is OpenSSL config syntax, not generic INI: '#' starts a comment and
# may follow a value on the same line.
# @PASSWORD@, @OU@ and @CN@ are template placeholders; presumably a setup
# script substitutes them before this file is used -- confirm against the
# caller.

# Working directory; $ENV::HOME below reads HOME from the process environment.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd
# Extra OIDs are declared in [ new_oids ] (currently empty).
oid_section		= new_oids
6
# Additional OIDs made available via oid_section; intentionally empty.
# The logotype OID example below is kept commented out.
[ new_oids ]

#logotypeoid=1.3.6.1.5.5.7.1.12
10
11####################################################################
12[ ca ]
13default_ca	= CA_default		# The default ca section
14
15####################################################################
16[ CA_default ]
17
18dir		= ./rootCA		# Where everything is kept
19certs		= $dir/certs		# Where the issued certs are kept
20crl_dir		= $dir/crl		# Where the issued crl are kept
21database	= $dir/index.txt	# database index file.
22#unique_subject	= no			# Set to 'no' to allow creation of
23					# several certificates with same subject
24new_certs_dir	= $dir/newcerts		# default place for new certs.
25
26certificate	= $dir/cacert.pem 	# The CA certificate
27serial		= $dir/serial 		# The current serial number
28crlnumber	= $dir/crlnumber	# the current crl number
29					# must be commented out to leave a V1 CRL
30crl		= $dir/crl.pem 		# The current CRL
31private_key	= $dir/private/cakey.pem# The private key
32RANDFILE	= $dir/private/.rand	# private random number file
33
34x509_extensions	= usr_cert		# The extentions to add to the cert
35
36name_opt 	= ca_default		# Subject Name options
37cert_opt 	= ca_default		# Certificate field options
38
39default_days	= 365			# how long to certify for
40default_crl_days= 30			# how long before next CRL
41default_md	= default		# use public key default MD
42preserve	= no			# keep passed DN ordering
43
44policy		= policy_match
45
# For the CA policy
# Requests must carry the same countryName and organizationName as the CA
# certificate ('match'), must supply a commonName, and may omit the rest.
[ policy_match ]
countryName		= match
stateOrProvinceName	= optional
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
54
# Permissive alternative policy: only commonName is required. Not selected
# by [ CA_default ] in this file, so it applies only when chosen explicitly
# (e.g. with -policy) -- confirm before relying on it.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
63
64####################################################################
65[ req ]
66default_bits		= 2048
67default_keyfile 	= privkey.pem
68distinguished_name	= req_distinguished_name
69attributes		= req_attributes
70x509_extensions	= v3_ca	# The extentions to add to the self signed cert
71
72input_password = @PASSWORD@
73output_password = @PASSWORD@
74
75string_mask = utf8only
76
# Prompts, defaults and length limits for the root certificate's subject DN.
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= US
countryName_min			= 2
countryName_max			= 2

localityName			= Locality Name (eg, city)
localityName_default		= Tuusula

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= WFA Hotspot 2.0

# OU is disabled; the @OU@ line is a placeholder, presumably replaced by a
# setup script when an OU is wanted -- confirm against the caller.
##organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
#@OU@

commonName			= Common Name (e.g. server FQDN or YOUR name)
# Placeholder for a preset CN, same substitution mechanism as @OU@ above.
#@CN@
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64
99
# Intentionally empty: no request attributes are prompted for.
[ req_attributes ]
101
# Extensions for certificate requests. Not referenced from any section in
# this file (there is no req_extensions key), and the subjectAltName hosts
# are example values, not Hotspot 2.0 deployment names.
[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=DNS:example.com,DNS:another.example.com
108
# Extensions for the self-signed root certificate (selected via
# x509_extensions in [ req ]).
[ v3_ca ]

# Hotspot 2.0 PKI requirements
subjectKeyIdentifier=hash
# Critical CA flag; no pathlen is set, so subordinate CAs may nest to any depth.
basicConstraints = critical,CA:true
# The root key is restricted to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign
115
# Extensions added to CRLs. Not referenced from [ CA_default ] (no
# crl_extensions key), so presumably selected with -crlexts -- confirm.
[ crl_ext ]

# issuerAltName=issuer:copy
# Always embed the issuing key identifier so verifiers can match the CRL
# to this CA certificate.
authorityKeyIdentifier=keyid:always
120
# Extensions for an OCSP responder certificate issued by this CA. Nothing in
# this file references the section, so it is presumably chosen with
# -extensions v3_OCSP at issuance time -- confirm.
[ v3_OCSP ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Limits the certificate to OCSP response signing. No noCheck extension is
# set here, so relying parties may still check the responder certificate's
# own revocation status -- confirm that is intended.
extendedKeyUsage = OCSPSigning
126