Skip to Content Information Center
Markvision Enterprise

Markvision Enterprise

Creating an OpenSSL configuration file

  1. Run the following command:

    • nano /etc/certs/openxpki_ca-one/openssl.conf

    Note:  If your server is reachable using the fully qualified domain name (FQDN), then use the DNS of the server instead of its IP address.

    Sample file

    # x509_extensions               = v3_ca_extensions
    # x509_extensions               = v3_issuing_extensions
    # x509_extensions               = v3_datavault_extensions
    # x509_extensions               = v3_scep_extensions
    # x509_extensions               = v3_web_extensions
    # x509_extensions               = v3_ca_reqexts # not for root self-signed, only for issuing
    ## x509_extensions              = v3_datavault_reqexts # not required self-signed
    # x509_extensions               = v3_scep_reqexts
    # x509_extensions               = v3_web_reqexts
    
    [ req ]
    default_bits            = 4096
    distinguished_name      = req_distinguished_name
    
    [ req_distinguished_name ]
    domainComponent         = Domain Component
    commonName              = Common Name
    
    [ v3_ca_reqexts ]
    subjectKeyIdentifier    = hash
    keyUsage                = digitalSignature, keyCertSign, cRLSign
    
    [ v3_datavault_reqexts ]
    subjectKeyIdentifier    = hash
    keyUsage                = keyEncipherment
    extendedKeyUsage        = emailProtection
    
    [ v3_scep_reqexts ]
    subjectKeyIdentifier    = hash
    
    [ v3_web_reqexts ]
    subjectKeyIdentifier    = hash
    keyUsage                = critical, digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, clientAuth
    
    [ v3_ca_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = digitalSignature, keyCertSign, cRLSign
    basicConstraints        = critical,CA:TRUE
    authorityKeyIdentifier  = keyid:always,issuer
    
    [ v3_issuing_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = digitalSignature, keyCertSign, cRLSign
    basicConstraints        = critical,CA:TRUE
    authorityKeyIdentifier  = keyid:always,issuer:always
    crlDistributionPoints   = URI:http://FQDN of the server/CertEnroll/MYOPENXPKI.crl
    authorityInfoAccess     = caIssuers;URI:http://FQDN of the server/CertEnroll/MYOPENXPKI.crt
    
    [ v3_datavault_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = keyEncipherment
    extendedKeyUsage        = emailProtection
    basicConstraints        = CA:FALSE
    authorityKeyIdentifier  = keyid:always,issuer
    
    [ v3_scep_extensions ]
    subjectKeyIdentifier    = hash
    basicConstraints        = CA:FALSE
    authorityKeyIdentifier  = keyid,issuer
    
    [ v3_web_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = critical, digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, clientAuth
    basicConstraints        = critical,CA:FALSE
    subjectAltName          = DNS:stlopenxpki.lexmark.com
    crlDistributionPoints   = URI:http://FQDN of the server/CertEnroll/MYOPENXPKI_ISSUINGCA.crl
    authorityInfoAccess     = caIssuers;URI:http://FQDN of the server/CertEnroll/MYOPENXPKI_ISSUINGCA.crt
    
  2. Change the IP address and CA certificate name with your setup information.

  3. Save the file.

Was this article helpful?
Top