You can use the following example files with the openssl command if you want to avoid entering the values for each parameter required when creating certificates.
Note: You must update the configuration files with the actual values for your environment. For more information, see Creating CA signed certificates.
The sample configuration file to generate the Root CA certificate
[ ca ]
default_ca = CA_LOC

[ CA_LOC ]
dir = /home/myuser/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/myrootCA.key
certificate = $dir/certs/myrootCA.crt
crlnumber = $dir/crlnum
crl = $dir/crl/mycrl.pem
default_crl_days = 30
preserve = no
policy = policy
default_days = 365

[ policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied

[ req ]
# prompt is read from the [ req ] section; "no" takes the DN values below as-is
prompt = no
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = AB
stateOrProvinceName = CD
localityName = EF_GH
organizationName = myorg
organizationalUnitName = myorgunit
commonName = mycn
emailAddress = [email protected]

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
# A CA certificate needs keyCertSign (and cRLSign to issue CRLs); without
# keyCertSign, certificates it signs fail chain verification
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
The sample configuration file to generate the CSR for a server certificate
[ req ]
prompt = no
days = 365
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = AB
stateOrProvinceName = CD
localityName = EFG_HIJ
organizationName = MyOrg
organizationalUnitName = MyOrgUnit
commonName = mycommname.com
emailAddress = [email protected]

[ v3_req ]
basicConstraints = CA:false
extendedKeyUsage = serverAuth
subjectAltName = @sans

[ sans ]
DNS.0 = localhost
DNS.1 = myexampleserver.com
The sample configuration file to generate the CSR for a client certificate
[ req ]
prompt = no
days = 365
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = AB
stateOrProvinceName = CD
localityName = EFG_HIJ
organizationName = MyOrg
organizationalUnitName = MyOrgUnit
commonName = mycommname.com
emailAddress = [email protected]

[ v3_req ]
basicConstraints = CA:false
extendedKeyUsage = clientAuth
subjectAltName = @sans

[ sans ]
DNS.0 = localhost
DNS.1 = myexampleclient.com
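The following added example (not part of the original page or the vendor's documentation) shows how the root CA and server samples are consumed by openssl: it builds a throwaway root CA, creates a server CSR, signs it and verifies the chain. The configs are trimmed, constructed copies with `prompt = no` in `[ req ]` and `keyCertSign` in the CA `keyUsage`; the file names, the 2048-bit keys and signing with `openssl x509 -req` instead of `openssl ca` are assumptions.

```shell
# Added example: constructed, trimmed configs; file names and key sizes are assumptions.
build_and_verify() {
  local d; d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    cat > rootca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = AB
commonName = mycn
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF
    cat > server.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = AB
commonName = myexampleserver.com
[ v3_req ]
basicConstraints = CA:false
extendedKeyUsage = serverAuth
subjectAltName = @sans
[ sans ]
DNS.0 = localhost
DNS.1 = myexampleserver.com
EOF
    # Self-signed root: -x509 applies the x509_extensions section (v3_ca).
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
      -config rootca.cnf -keyout rootCA.key -out rootCA.crt 2>/dev/null || exit 1
    # Server key and CSR: req_extensions (v3_req) are written into the request.
    openssl req -new -nodes -newkey rsa:2048 -config server.cnf \
      -keyout server.key -out server.csr 2>/dev/null || exit 1
    # x509 -req does not copy CSR extensions, so the section is named again here.
    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key \
      -CAcreateserial -days 365 -sha256 -extfile server.cnf \
      -extensions v3_req -out server.crt 2>/dev/null || exit 1
    openssl verify -CAfile rootCA.crt -purpose sslserver server.crt >/dev/null \
      && openssl x509 -in server.crt -noout -text | grep -q 'DNS:myexampleserver.com'
  )
  local rc=$?; rm -rf "$d"; return $rc
}
```

If `-extfile` and `-extensions` are left out of the signing step, the issued certificate carries no subjectAltName or extendedKeyUsage even though the CSR requested them.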
Source: https://www.ibm.com/docs/en/ztpf/1.1.0.15?topic=gssccr-configuration-file-generating-self-signed-certificates-certificate-requests