OpenSSL can be configured via a configuration file, which is used to specify various settings for different OpenSSL operations. This configuration file is typically used for creating certificates, defining CA policies, and setting defaults for OpenSSL commands.
By default, OpenSSL looks for a configuration file in /etc/ssl/openssl.cnf or /usr/local/ssl/openssl.cnf. You can also specify a custom configuration file using the -config option with OpenSSL commands.
The configuration file is divided into sections, each starting with a section name enclosed in square brackets (e.g., [req]). The sections of a typical OpenSSL configuration file are described below:
[req] Specifies default settings for certificate requests.
default_bits: The default key size in bits (e.g., 2048).
default_md: The default message digest algorithm (e.g., sha256).
default_keyfile: The default filename for the private key.
distinguished_name: Section containing DN fields.
attributes: Section containing request attributes.
[req_distinguished_name] Defines the fields for the Distinguished Name (DN) in certificate requests.
countryName: Specifies the country name.
stateOrProvinceName: Specifies the state or province name.
localityName: Specifies the city or locality name.
organizationName: Specifies the organization name.
organizationalUnitName: Specifies the organizational unit name.
commonName: Specifies the common name (e.g., FQDN).
[req_attributes] Defines additional attributes for the certificate request.
challengePassword: Optional password to protect the certificate request.
[v3_ca] Specifies extensions for a Certificate Authority (CA) certificate.
subjectKeyIdentifier: Provides a means of identifying certificates that contain a particular public key.
authorityKeyIdentifier: Identifies the public key corresponding to the private key used to sign a certificate.
basicConstraints: Specifies whether the certificate is for a CA.
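
An added example, not part of the original page or of OpenSSL itself: a small Python linter that parses the section structure described above, checks that the sections named by distinguished_name and attributes actually exist, and flags weak defaults. The sample file is constructed, and the function names, MIN_BITS and WEAK_DIGESTS are assumptions of this example; the critical check reflects the RFC 5280 requirement that CA certificates mark basicConstraints as critical.

```python
# Constructed sample using the sections described above; values are deliberately weak.
SAMPLE_CNF = """\
[req]
default_bits = 1024
default_md = sha1
distinguished_name = req_distinguished_name
attributes = req_attributes

[req_distinguished_name]
commonName = Common Name (e.g., FQDN)

[v3_ca]
basicConstraints = CA:true
"""

MIN_BITS = 2048                 # assumed policy floor (the page's example value)
WEAK_DIGESTS = {"md5", "sha1"}  # assumed policy for this example

def parse_cnf(text):
    """Minimal parser: [section] headers, key = value, '#' comments (no $var or .include)."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit(sections):
    """Return findings for dangling section references and weak defaults."""
    req, findings = sections.get("req", {}), []
    for key in ("distinguished_name", "attributes"):
        target = req.get(key)
        if target and target not in sections:
            findings.append(f"req.{key} names missing section [{target}]")
    bits = req.get("default_bits", "")
    if bits.isdigit() and int(bits) < MIN_BITS:
        findings.append(f"default_bits = {bits} is below {MIN_BITS}")
    if req.get("default_md", "").lower() in WEAK_DIGESTS:
        findings.append(f"default_md = {req['default_md']} is a weak digest")
    if "critical" not in sections.get("v3_ca", {}).get("basicConstraints", "critical"):
        findings.append("[v3_ca] basicConstraints is not marked critical")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_cnf(SAMPLE_CNF))))
```
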
To use a custom configuration file with OpenSSL commands, use the -config option followed by the path to your configuration file.
Customizing Certificate Requests: OpenSSL configuration files allow you to customize the details included in certificate requests, making it easier to create certificates with specific attributes.
Automating Certificate Generation: By specifying default values and policies, configuration files streamline the process of generating multiple certificates, ensuring consistency and reducing manual input errors.
Managing CA Policies: Configuration files help define and enforce policies for Certificate Authorities, including setting extension values and constraints for issued certificates.
OpenSSL configuration files provide a flexible way to manage and automate the creation of certificates, set default values, and enforce policies. Understanding the structure and options available in the configuration file allows administrators to efficiently manage their SSL/TLS infrastructure and ensure consistency across their certificates.