Markvision Enterprise
Creating an OpenSSL configuration file

The OpenSSL configuration file contains X.509 extensions for generating and signing certificate requests.

  1. Run the following command:

    • nano /etc/certs/openxpki_democa/openssl.conf

    Note:  If your server is reachable using the fully qualified domain name (FQDN), then use the DNS of the server instead of its IP address.

    Sample file

    # x509_extensions               = v3_ca_extensions
    # x509_extensions               = v3_issuing_extensions
    # x509_extensions               = v3_datavault_extensions
    # x509_extensions               = v3_scep_extensions
    # x509_extensions               = v3_web_extensions
    # x509_extensions               = v3_ca_reqexts # not for root self-signed, only for issuing
    ## x509_extensions              = v3_datavault_reqexts # not required self-signed
    # x509_extensions               = v3_scep_reqexts
    # x509_extensions               = v3_web_reqexts
    
    [ req ]
    default_bits            = 4096
    distinguished_name      = req_distinguished_name
    
    [ req_distinguished_name ]
    domainComponent         = Domain Component
    commonName              = Common Name
    
    [ v3_ca_reqexts ]
    subjectKeyIdentifier    = hash
    keyUsage                = digitalSignature, keyCertSign, cRLSign
    
    [ v3_datavault_reqexts ]
    subjectKeyIdentifier    = hash
    keyUsage                = keyEncipherment
    extendedKeyUsage        = emailProtection
    
    [ v3_scep_reqexts ]
    subjectKeyIdentifier    = hash
    
    [ v3_web_reqexts ]
    subjectKeyIdentifier    = hash
    keyUsage                = critical, digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, clientAuth
    
    [ v3_ca_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = digitalSignature, keyCertSign, cRLSign
    basicConstraints        = critical,CA:TRUE
    authorityKeyIdentifier  = keyid:always,issuer
    
    [ v3_issuing_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = digitalSignature, keyCertSign, cRLSign
    basicConstraints        = critical,CA:TRUE
    authorityKeyIdentifier  = keyid:always,issuer:always
    crlDistributionPoints   = URI:https://FQDN of your system/openxpki/CertEnroll/MYOPENXPKI.crl
    authorityInfoAccess     = caIssuers;URI:https://FQDN of your system/download/MYOPENXPKI.crt
    
    [ v3_datavault_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = keyEncipherment
    extendedKeyUsage        = emailProtection
    basicConstraints        = CA:FALSE
    authorityKeyIdentifier  = keyid:always,issuer
    
    [ v3_scep_extensions ]
    subjectKeyIdentifier    = hash
    basicConstraints        = CA:FALSE
    authorityKeyIdentifier  = keyid,issuer
    
    [ v3_web_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = critical, digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, clientAuth
    basicConstraints        = critical,CA:FALSE
    subjectAltName          = DNS:FQDN of est server
    crlDistributionPoints   = URI:https://FQDN of your system/openxpki/CertEnroll/MYOPENXPKI_ISSUINGCA.crl
    authorityInfoAccess     = caIssuers;URI:https://FQDN of your system/download/MYOPENXPKI_ISSUINGCA.crt
    
  2. Replace the IP address and CA certificate name with your setup information.

  3. Save the file.
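Two mistakes are easy to make when this file is edited by hand: a profile whose basicConstraints and keyUsage disagree about whether the certificate is a CA, and a placeholder such as "FQDN of your system" left in place after step 2. The following check is an added example, not part of Markvision Enterprise or OpenXPKI; it parses the INI-style sections and reports both problems, using a constructed excerpt of the profiles above as input (the real file would be read from /etc/certs/openxpki_democa/openssl.conf).

```python
import re

# Constructed excerpt of the profiles above, with one placeholder left in.
# Assumption: the real file is read with open("/etc/certs/openxpki_democa/openssl.conf").read().
SAMPLE_CONF = """[ v3_ca_extensions ]
subjectKeyIdentifier    = hash
keyUsage                = digitalSignature, keyCertSign, cRLSign
basicConstraints        = critical,CA:TRUE

[ v3_web_extensions ]
subjectKeyIdentifier    = hash
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth
basicConstraints        = critical,CA:FALSE
subjectAltName          = DNS:FQDN of est server
"""


def parse_openssl_conf(text):
    """Return {section: {key: value}} for OpenSSL's INI-style config format."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            current[key.strip()] = value.strip()
    return sections


def lint_profiles(sections):
    """Flag *_extensions profiles whose CA flag and keyUsage disagree, or that still hold a placeholder."""
    problems = []
    for name, opts in sections.items():
        if not name.endswith("_extensions"):
            continue
        usages = {u.strip() for u in opts.get("keyUsage", "").split(",")}
        is_ca = "CA:TRUE" in opts.get("basicConstraints", "").upper()
        if is_ca and "keyCertSign" not in usages:
            problems.append(f"{name}: CA:TRUE without keyCertSign")
        if not is_ca and "keyCertSign" in usages:
            problems.append(f"{name}: end-entity profile grants keyCertSign")
        for key, value in opts.items():
            if "FQDN of" in value:
                problems.append(f"{name}: {key} still holds a placeholder")
    return problems
```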
