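# Defaults in the event they're not set in the environment.
# These sit in the unnamed default section and must stay above every
# $ENV::NAME expansion below: the fallback only works when the default is
# defined earlier in the file than the expansion that needs it.
# (Listing line numbers that were fused onto each line have been removed so
# the file parses as an OpenSSL config again.)
CA_DIR    = out
KEY_SIZE  = 2048
ALGO      = sha256
CERT_TYPE = root
CA_NAME   = req_env_dn
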
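[ca]
# CA section that `openssl ca` uses when no -name option is given.
default_ca = CA_root
# Keep the DN field order of the request instead of the policy order.
# NOTE(review): `openssl ca` normally reads `preserve` from the CA section
# named by default_ca, not from [ca]; confirm this setting takes effect.
preserve   = yes
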
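# The default test root, used to generate certificates and CRLs.
[CA_root]
# dir/key_size/algo/cert_type/type are helper variables: in this file they
# are only used to compose the file names below, so each
# <key size>-<digest>-<cert type> combination gets its own database, serial
# file, certificate and key under $dir.
dir           = $ENV::CA_DIR
key_size      = $ENV::KEY_SIZE
algo          = $ENV::ALGO
cert_type     = $ENV::CERT_TYPE
type          = $key_size-$algo-$cert_type
database      = $dir/$type-index.txt
new_certs_dir = $dir
serial        = $dir/$type-serial
certificate   = $dir/$type.pem
# The CA private key lives next to the generated certificates; [req] writes
# it without a passphrase (encrypt_key = no), so $dir must not be shared.
private_key   = $dir/$type.key
RANDFILE      = $dir/.rand
# Issued certificates are valid for roughly ten years, CRLs for 30 days.
default_days     = 3650
default_crl_days = 30
default_md       = sha256
# policy_anything makes every subject field optional (see that section).
policy           = policy_anything
# Several certificates with the same subject may be issued.
unique_subject   = no
# Extensions present in the request are copied into the certificate unless
# the signing extension section already sets them. That is convenient for
# test fixtures, but it means the request can supply extensions the signing
# section does not pin, so this config is not suitable for signing requests
# from untrusted parties.
copy_extensions  = copy
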
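[user_cert]
# Extensions to add when signing a request for an EE cert.
# NOTE(review): nothing in this file references this section; presumably the
# signing script selects it with -extensions. Confirm against the README.
# CA:false is critical so the certificate cannot be used as an issuer.
basicConstraints       = critical, CA:false
subjectKeyIdentifier   = hash
# keyid:always makes signing fail if the issuer has no subject key id.
authorityKeyIdentifier = keyid:always
extendedKeyUsage       = serverAuth,clientAuth
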
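[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert.
# No pathlen is set on basicConstraints, so a certificate issued with this
# section is not limited in how many CA levels it may have below it.
basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
# Restricts the key to signing certificates and CRLs.
keyUsage               = critical, keyCertSign, cRLSign
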
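[crl_extensions]
# Extensions to add when signing a CRL.
# NOTE(review): [CA_root] in this file has no crl_extensions key pointing
# here; presumably the section is selected with -crlexts. Confirm.
authorityKeyIdentifier = keyid:always
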
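[policy_anything]
# Default signing policy.
# Every field is optional, so the CA places no requirement on the subject
# of a request: nothing has to be present and nothing has to match the CA's
# own DN.
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = optional
emailAddress           = optional
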
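[req]
# The request section used to generate the root CA certificate. This should
# not be used to generate end-entity certificates. For certificates other
# than the root CA, see README to find the appropriate configuration file
# (i.e. openssl_cert.cnf).
default_bits       = $ENV::KEY_SIZE
default_md         = sha256
string_mask        = utf8only
# Do not prompt: the subject comes entirely from the distinguished_name
# section named below.
prompt             = no
# The generated private key is written without a passphrase.
encrypt_key        = no
# Section holding the subject; falls back to req_env_dn via the CA_NAME
# default at the top of the file.
distinguished_name = $ENV::CA_NAME
# Extensions applied when `openssl req -x509` self-signs the root.
x509_extensions    = req_ca_exts
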
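[req_env_dn]
# Subject of the root CA certificate; used as the distinguished_name section
# of [req] unless CA_NAME is overridden in the environment.
CN = QUIC Server Root CA
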
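[req_ca_exts]
# Extensions placed in the self-signed root (referenced by x509_extensions
# in [req]): a CA certificate whose key may only sign certificates and CRLs.
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
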