# OpenSSL configuration for a private root CA.
# [req] drives `openssl req`: v3_ca is applied to the self-signed root (`-x509`),
# v3_req to a CSR (`-new`). The other v3_* / server_cert / crl_ext sections are
# extension profiles selected with `-extensions <name>`.
# NOTE(review): no [ca] / default_ca section is defined here, so this file does
# not drive `openssl ca`; v3_intermediate_ca and server_cert are only reachable
# through `openssl x509 -req -extfile <this file> -extensions <name>`. Confirm
# that matches how the CA is operated.

[req]
# Only consulted when `req` generates a key without an explicit size.
# NOTE(review): 2048-bit RSA is the accepted floor; for a long-lived root,
# 4096-bit RSA or an EC key is the usual recommendation. Value left unchanged.
default_bits = 2048
distinguished_name = req_distinguished_name
# UTF8String only for DN attributes (no legacy T61/BMP encodings).
string_mask = utf8only
# SHA-1 is deprecated and rejected by modern clients; sign with SHA-256.
default_md = sha256
# Profile for the self-signed certificate produced by `-x509`.
x509_extensions = v3_ca
# Profile embedded in a CSR produced by `-new`.
req_extensions = v3_req

[v3_req]
# CSR extensions: end-entity, TLS-style key usage, SAN from [alt_names].
# NOTE(review): a root CA is self-signed and normally never emits a CSR; this
# section reads like template carry-over. CA:FALSE would be wrong for a
# cross-signing request of the root, so confirm the section is unused here.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
# One entry per line: DNS.<n> = host, IP.<n> = address.
DNS.1 = rootca.example.com
# DNS.2 = *.pass.example.com
# DNS.3 = ...
# DNS.4 = ...

[req_distinguished_name]
# Prompt labels; the *_default keys below pre-fill the answers.
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Defaults offered at the prompt.
countryName_default = DE
stateOrProvinceName_default = Bavaria
localityName_default = Munich
0.organizationName_default = My Private Root CA
organizationalUnitName_default = My Private Root CA
emailAddress_default = email@domain.tld
commonName_default = rootca.example.com

[v3_ca]
# Root CA profile (`man x509v3_config`). Keep subjectKeyIdentifier ahead of
# authorityKeyIdentifier: for a self-signed certificate the AKID is derived
# from the certificate's own SKID.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# No pathlen: this root may issue intermediates.
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[v3_intermediate_ca]
# Intermediate CA profile. pathlen:0 means it may sign end-entity certificates
# only, never further CAs.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[server_cert]
# TLS server profile (`man x509v3_config`).
# NOTE(review): this profile carries no subjectAltName, and by default neither
# `openssl x509 -req` nor `openssl ca` (copy_extensions = none) carries a SAN
# over from the CSR. Current browsers ignore the CN and require a SAN, so add
# one to this profile before issuing server certificates with it.
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions; harmless, ignored by
# modern clients.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[crl_ext]
# CRL extensions: the AKID lets relying parties match the CRL to its issuer.
authorityKeyIdentifier = keyid:always
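# OpenSSL configuration for the api.example.com TLS server certificate request.
# Derived from a root-CA template, so the CA profiles (v3_ca, v3_intermediate_ca)
# are still present; the sections that matter here are [req], [v3_req] and
# [alt_names] for the CSR and [server_cert] for the issued certificate.
# NOTE(review): no [ca] / default_ca section is defined, so this file does not
# drive `openssl ca`; server_cert is reachable through
# `openssl x509 -req -extfile <this file> -extensions server_cert`, or through
# `openssl req -x509` for a self-signed certificate.

[req]
# Only consulted when `req` generates a key without an explicit size.
default_bits = 2048
distinguished_name = req_distinguished_name
# UTF8String only for DN attributes (no legacy T61/BMP encodings).
string_mask = utf8only
# SHA-1 is deprecated and rejected by modern clients; sign with SHA-256.
default_md = sha256
# Profile applied when `-x509` produces a self-signed certificate.
# FIX: this pointed at v3_ca, so a self-signed server certificate made from
# this file carried basicConstraints CA:true and keyCertSign -- a server key
# that could also issue certificates chaining to this cert wherever it has been
# added to a trust store. Use the end-entity server profile instead.
x509_extensions = server_cert
# Profile embedded in a CSR produced by `-new`.
req_extensions = v3_req

[v3_req]
# CSR extensions: end-entity, TLS-style key usage, SAN from [alt_names].
# NOTE(review): whether the issuing CA honours these depends on its
# copy_extensions setting; many CAs apply their own server profile instead.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
# Every name the server is reached under; clients match the SAN list, not the
# CN. One entry per line: DNS.<n> = host, IP.<n> = address.
DNS.1 = api.example.com
# Wildcard: matches exactly one label (a.pass.example.com, not a.b.pass.example.com).
# A compromise of this key then exposes every host under pass.example.com, so
# keep the wildcard only if those hosts genuinely share this key.
DNS.2 = *.pass.example.com
DNS.3 = nginx-ex-ssl-stc-pipeline.6923.rh-us-east-1.openshiftapps.com
# DNS.4 = ...
# IP.1 = 172.16.0.5

[req_distinguished_name]
# Prompt labels; the *_default keys below pre-fill the answers.
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Defaults offered at the prompt.
countryName_default = DE
stateOrProvinceName_default = Bavaria
localityName_default = Munich
0.organizationName_default = Private
organizationalUnitName_default = Private
emailAddress_default = email@domain.tld
commonName_default = api.example.com

[v3_ca]
# Root CA profile retained from the template (`man x509v3_config`). Not for
# this server certificate; it is only valid for a CA key.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[v3_intermediate_ca]
# Intermediate CA profile retained from the template. pathlen:0 means it may
# sign end-entity certificates only, never further CAs.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[server_cert]
# TLS server profile (`man x509v3_config`): end-entity only, serverAuth EKU.
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions; harmless, ignored by
# modern clients.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# FIX: the SAN must be part of the issuing profile. By default neither
# `openssl x509 -req` nor `openssl ca` (copy_extensions = none) carries it over
# from the CSR, and current browsers ignore the CN and require a SAN.
subjectAltName = @alt_names

[crl_ext]
# CRL extensions: the AKID lets relying parties match the CRL to its issuer.
authorityKeyIdentifier = keyid:always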
WARNING: If the default certificate is replaced, the replacement must be signed by a public certificate authority that is already present in the CA bundle shipped with the container's userspace. A certificate issued by the private CA configured above is not in that bundle and will therefore not be trusted by default.