OpenSSL Configuration

OpenSSL can be configured via a configuration file, which is used to specify various settings for different OpenSSL operations. This configuration file is typically used for creating certificates, defining CA policies, and setting defaults for OpenSSL commands.

Location of the Configuration File

By default, OpenSSL looks for a configuration file in /etc/ssl/openssl.cnf or /usr/local/ssl/openssl.cnf. You can also specify a custom configuration file using the -config option with OpenSSL commands.

Structure of the Configuration File

The configuration file is divided into sections, each starting with a section name enclosed in square brackets (e.g., [req]). Below is an example structure of an OpenSSL configuration file:

# Default configuration file for OpenSSL.

[ req ]
default_bits       = 2048
default_md         = sha256
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
attributes         = req_attributes
x509_extensions    = v3_ca # The extensions to add to the self-signed cert

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = California
localityName                    = Locality Name (eg, city)
localityName_default            = San Francisco
organizationName                = Organization Name (eg, company)
organizationName_default        = Example Corp
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, fully qualified host name)
commonName_max                  = 64

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

[ v3_ca ]
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always
basicConstraints                = critical, CA:true

Key Sections and Their Options

[req] Specifies default settings for certificate requests.

  • default_bits: The default key size in bits (e.g., 2048).

  • default_md: The default message digest algorithm (e.g., sha256).

  • default_keyfile: The default filename for the private key.

  • distinguished_name: Section containing DN fields.

  • attributes: Section containing request attributes.

[req_distinguished_name] Defines the fields for the Distinguished Name (DN) in certificate requests.

  • countryName: Specifies the country name.

  • stateOrProvinceName: Specifies the state or province name.

  • localityName: Specifies the city or locality name.

  • organizationName: Specifies the organization name.

  • organizationalUnitName: Specifies the organizational unit name.

  • commonName: Specifies the common name (e.g., FQDN).

[req_attributes] Defines additional attributes for the certificate request.

  • challengePassword: Optional password to protect the certificate request.

[v3_ca] Specifies extensions for a Certificate Authority (CA) certificate.

  • subjectKeyIdentifier: Provides a means of identifying certificates that contain a particular public key.

  • authorityKeyIdentifier: Identifies the public key corresponding to the private key used to sign a certificate.

  • basicConstraints: Specifies whether the certificate is for a CA.

Using a Custom Configuration File

To use a custom configuration file with OpenSSL commands, use the -config option followed by the path to your configuration file:

openssl req -new -key private.key -out request.csr -config /path/to/openssl.cnf

Use Cases

Customizing Certificate Requests OpenSSL configuration files allow you to customize the details included in certificate requests, making it easier to create certificates with specific attributes.

Automating Certificate Generation By specifying default values and policies, configuration files streamline the process of generating multiple certificates, ensuring consistency and reducing manual input errors.

Managing CA Policies Configuration files help define and enforce policies for Certificate Authorities, including setting extension values and constraints for issued certificates.

Conclusion

OpenSSL configuration files provide a flexible way to manage and automate the creation of certificates, set default values, and enforce policies. Understanding the structure and options available in the configuration file allows administrators to efficiently manage their SSL/TLS infrastructure and ensure consistency across their certificates.

PreviousOCSP (Online Certificate Status Protocol)NextPEM, DER, PKCS

Last updated