name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
crl_extensions = crl_ext
-default_days = 3650 # how long to certify for
+default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
organizationalUnitName = optional
-commonName = supplied
+commonName = optional
emailAddress = optional
[ policy_anything ]
localityName = optional
organizationName = optional
organizationalUnitName = optional
-commonName = supplied
+commonName = optional
emailAddress = optional
[ req ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
-stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName = State or Province Name (full name)
#localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
-organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
## DEFAULT VALUES
##
countryName_default = DE
-stateOrProvinceName_default = Berlin
+#stateOrProvinceName_default = Berlin
#localityName_default = Berlin
0.organizationName_default = Example
-organizationalUnitName_default = People
+#organizationalUnitName_default = Certificate Authorities
+commonName_default = Certificate Authority
[ req_attributes ]
#challengePassword = A challenge password
basicConstraints = critical,CA:true
# keyUsage = cRLSign, keyCertSign
-subjectAltName=email:copy
+#subjectAltName=email:copy
issuerAltName=issuer:copy
[ crl_ext ]
# all *.p12 passwords are 'demo'
# all *.jks passwords are 'changeit'
+SERVER_DN=/C=DE/O=Example/OU=Systems/CN=apps.example.com/
+USERS_BASE_DN=/DC=com/DC=example/OU=users
+
export OPENSSL_CONF=./openssl.cnf
export CATOP=./CA
/etc/pki/tls/misc/CA -newca
-openssl req -x509 -new -newkey rsa:1024 -extensions server_ext -days 3650 \
- -subj /C=DE/ST=Berlin/O=Example/OU=Systems/CN=localhost/ \
+openssl req -x509 -new -newkey rsa:1024 -extensions server_ext -days 365 \
+ -subj $SERVER_DN \
-keyout newkey.pem -passout pass:demo -out newcrt.pem
openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
-name "jetty" -inkey newkey.pem -in newcrt.pem \
+ -certfile ./CA/cacert.pem \
-out server.p12
# Convert PKCS12 keystore into a JKS keystore
keytool -importkeystore \
-srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass changeit \
-alias jetty -destkeystore server.jks -deststorepass changeit
-rm -f server.p12
+#rm -f server.p12
# Import People CA
keytool -importcert -keystore server.jks -storepass changeit \
-alias CA -file CA/cacert.pem
# root user
-openssl req -new -newkey rsa:1024 -extensions server_ext -days 3650 \
- -subj /C=DE/ST=Berlin/O=Example/OU=People/CN=root/ \
+openssl req -new -newkey rsa:1024 -extensions user_ext -days 365 \
+ -subj $USERS_BASE_DN/UID=root/ \
-keyout newkey.pem -passout pass:demo -out newcsr.pem
-openssl ca -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
+openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
openssl pkcs12 -export -passin pass:demo -passout pass:demo \
-name "root" -inkey newkey.pem -in newcrt.pem \
-out root.p12
# demo user
-openssl req -new -newkey rsa:1024 -extensions server_ext -days 3650 \
- -subj /C=DE/ST=Berlin/O=Example/OU=People/CN=demo/ \
- -keyout newkey.pem -passout pass:demo -out newcsr.pem
-openssl ca -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
-openssl pkcs12 -export -passin pass:demo -passout pass:demo \
- -name "demo" -inkey newkey.pem -in newcrt.pem \
- -out demo.p12
+#openssl req -new -newkey rsa:1024 -extensions user_ext -days 365 \
+# -subj $USERS_BASE_DN/UID=demo/ \
+# -keyout newkey.pem -passout pass:demo -out newcsr.pem
+#openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
+#openssl pkcs12 -export -passin pass:demo -passout pass:demo \
+# -name "demo" -inkey newkey.pem -in newcrt.pem \
+# -out demo.p12
# Clean up
-rm -vf new*.pem
+#rm -vf new*.pem
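Review bot: Commenting out `rm -f server.p12` and `rm -vf new*.pem` leaves the server's private key material on disk (`newkey.pem`, `server.p12`, plus `newcsr.pem`/`newcrt.pem` for root) after the script finishes, and nothing in the hunk says why; if this is deliberate for inspection, add `# Intermediate keys/CSRs are kept on purpose for debugging; delete them before use` above the first, otherwise restore the two lines. The new `-subj $SERVER_DN` and `-subj $USERS_BASE_DN/UID=root/` are expanded unquoted, which works for the DNs defined here but splits the argument as soon as a component contains a space; write them as `-subj "$SERVER_DN"` and `-subj "$USERS_BASE_DN/UID=root/"`. The rewritten `openssl req` lines keep `-newkey rsa:1024`, which current TLS stacks and Java keytool generally reject as too weak; `rsa:2048` is the smallest size worth generating even for a demo store. The shell script's earlier lines (and the `server_ext`/`user_ext` definitions the new `-extensions user_ext` refers to) are outside this hunk, so whether `user_ext` exists in openssl.cnf cannot be confirmed from here.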