# OpenSSL configuration for a certificate authority kept under /var/ipfire/ovpn.
# NOTE(review): the leading numbers look like line numbers from the original
# file; the gaps suggest that some lines, including section headers, are not
# shown in this listing.
# Random seed file for the OpenSSL command-line tools.
2 RANDFILE = /var/ipfire/ovpn/ca/.rnd
# Base directory of the CA; the values below expand it as $dir.
11 dir = /var/ipfire/ovpn
# Text index of the certificates this CA has issued.
14 database = $dir/certs/index.txt
# Directory that receives each newly issued certificate.
15 new_certs_dir = $dir/certs
# The CA's own certificate.
16 certificate = $dir/ca/cacert.pem
# File holding the serial number for the next certificate.
17 serial = $dir/certs/serial
# The CA's private key. Whoever can read this file can sign certificates that
# chain to this CA, so its permissions should allow only the account that
# operates the CA -- verify on the deployed system.
19 private_key = $dir/ca/cakey.pem
# NOTE(review): this path ends in .rand while the first RANDFILE ends in .rnd;
# presumably this one is scoped to the CA section -- confirm both are intended.
20 RANDFILE = $dir/ca/.rand
# Name of the section whose extensions are added to issued certificates.
21 x509_extensions = usr_cert
# Presumably the CA's subject policy section (its header is not shown here).
# Every field listed is "optional": a request may carry it or omit it, and it
# need not equal the CA's own value. These lines therefore place no constraint
# on the subject of a request; the subject has to be checked before signing.
# NOTE(review): line 34 is not shown, so the rule for commonName is unknown.
30 countryName = optional
31 stateOrProvinceName = optional
32 organizationName = optional
33 organizationalUnitName = optional
35 emailAddress = optional
# Presumably the defaults for certificate requests (section header not shown).
# NOTE(review): key size and digest settings are not visible in this listing;
# confirm that the full file sets them to values that are still acceptable.
# File name used when a new private key is written.
39 default_keyfile = privkey.pem
# Section that defines the subject-name prompts.
40 distinguished_name = req_distinguished_name
# Section that defines the request attributes.
41 attributes = req_attributes
# Extensions section applied to self-signed certificates; v3_ca sets CA:true.
42 x509_extensions = v3_ca
# Prompts and defaults for the subject name of a request. A plain key holds
# the prompt text; the matching *_default key holds the value used when the
# operator enters nothing.
45 [ req_distinguished_name ]
46 countryName = Country Name (2 letter code)
47 countryName_default = GB
51 stateOrProvinceName = State or Province Name (full name)
52 stateOrProvinceName_default =
54 localityName = Locality Name (eg, city)
55 #localityName_default =
# The "0." prefix lets the same field name be listed more than once.
57 0.organizationName = Organization Name (eg, company)
# Stock example value: certificates created without overriding it carry this
# organisation name.
58 0.organizationName_default = My Company Ltd
60 organizationalUnitName = Organizational Unit Name (eg, section)
61 #organizationalUnitName_default =
# The backslash escapes the apostrophe, which would otherwise start a quoted
# string in an OpenSSL configuration file.
63 commonName = Common Name (eg, your name or your server\'s hostname)
66 emailAddress = Email Address
# Presumably the request attributes section named by "attributes =" (header
# not shown). The challenge password is stored unencrypted inside the request
# and is unrelated to the passphrase protecting a private key, so it should
# not reuse any real secret.
70 challengePassword = A challenge password
# Accepted length of the challenge password, in characters.
71 challengePassword_min = 4
72 challengePassword_max = 20
73 unstructuredName = An optional company name
# Extensions for a client certificate; presumably the usr_cert section, whose
# header is not shown here.
# The certificate cannot act as a CA and sign further certificates.
76 basicConstraints = CA:FALSE
# Free-text comment stored in the certificate.
77 nsComment = "OpenSSL Generated Certificate"
78 subjectKeyIdentifier = hash
# Records the issuer's key identifier and always adds issuer name and serial.
79 authorityKeyIdentifier = keyid,issuer:always
# Restricts the certificate to TLS client authentication. A peer that checks
# this field (OpenVPN's remote-cert-tls option does) rejects the certificate
# when it is presented in the server role.
80 extendedKeyUsage = clientAuth
# The key may only be used to create signatures.
81 keyUsage = digitalSignature
# Extensions for a server certificate; the section header is not shown here.
# NOTE(review): the comment below mentions nsCertType, but no nsCertType line
# is visible in this listing (line 87 is not shown) -- confirm in the full file.
85 # JY ADDED -- Make a cert with nsCertType set to "server"
# The certificate cannot act as a CA and sign further certificates.
86 basicConstraints = CA:FALSE
88 nsComment = "OpenSSL Generated Server Certificate"
89 subjectKeyIdentifier = hash
90 authorityKeyIdentifier = keyid,issuer:always
# Restricts the certificate to TLS server authentication, so a client that
# checks this field will not accept a client certificate posing as the server.
91 extendedKeyUsage = serverAuth
# Signatures plus key encipherment, which RSA key exchange needs.
92 keyUsage = digitalSignature, keyEncipherment
# Presumably the extensions added to a certificate request (section header not
# shown). The requested certificate is not a CA.
95 basicConstraints = CA:FALSE
# NOTE(review): wider than the client and server profiles above, which do not
# list nonRepudiation -- confirm this is intended.
96 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Presumably the v3_ca extensions used for the CA's own certificate (section
# header not shown).
99 subjectKeyIdentifier = hash
100 authorityKeyIdentifier = keyid:always,issuer:always
# NOTE(review): RFC 5280 requires basicConstraints to be marked critical in a
# CA certificate; this value is neither critical nor limited by a pathlen.
# Consider "critical,CA:true", with "pathlen:0" if this CA should never issue
# sub-CA certificates. No keyUsage (keyCertSign, cRLSign) line is visible here
# either; lines 102-103 are not shown, so confirm in the full file.
101 basicConstraints = CA:true
# Presumably belongs to the CRL extensions section (header not shown).
104 authorityKeyIdentifier = keyid:always,issuer:always