| author | hc <hc@email.ch> | 2024-11-20 12:51:33 +0800 |
|---|---|---|
| committer | hc <hc@email.ch> | 2024-11-20 12:51:33 +0800 |
| commit | 853b82126baa1e8e408a10f91053c52626ffad29 (patch) | |
| tree | 2fc1de9695810681ba654aab3c2a4867aacc1ac7 /config_files/certificate-authority/config/create_root_cert.ini | |
| parent | b1f88b682624e85b4b743343dfaaeed113b69413 (diff) | |
working
Diffstat (limited to 'config_files/certificate-authority/config/create_root_cert.ini')
| -rw-r--r-- | config_files/certificate-authority/config/create_root_cert.ini | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/config_files/certificate-authority/config/create_root_cert.ini b/config_files/certificate-authority/config/create_root_cert.ini
new file mode 100644
index 0000000..3321dd4
--- /dev/null
+++ b/config_files/certificate-authority/config/create_root_cert.ini
@@ -0,0 +1,55 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = /opt/certificate-authority
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+[ req_distinguished_name ]
+C = sg
+ST = hi
+O = hi
+OU = hi Certificate Authority
+CN = hi Root CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign |
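Review bot: Nothing in `[ req ]` points at the `[ v3_ca ]` section, so a plain `openssl req -x509 -config create_root_cert.ini` will not apply it unless the caller also passes `-extensions v3_ca`. The resulting root is then not guaranteed to carry the critical `basicConstraints = CA:true` and `keyUsage` that path validators rely on. The invoking command is not visible in this commit, so if it does not already name the section, add `x509_extensions = v3_ca` under `[ req ]`. Separately, `[ CA_default ]` sets no `private_key` or `certificate`, so any later `openssl ca` run must supply `-keyfile` and `-cert` explicitly. A comment saying where the root key lives and what file mode it is expected to have would help whoever operates this CA.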
