A small root Certificate Authority is used when several certificate signing requests need to be signed.
A certificate signed by the Certificate Authority will only be considered valid by systems and browsers that trust the Certificate Authority. This means that administrators or end users need to install the self-signed certificate that belongs to the Certificate Authority in their browsers or systems.
Setting up a Certificate Authority is useful in intranet or enterprise environments. For internet use, commercial Certificate Authorities like Verisign and Thawte are the best choice.
[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
dir             = .                     # top dir
database        = $dir/index.txt        # index file
new_certs_dir   = $dir                  # new certs dir
certificate     = $dir/ca.cer           # The CA cert
serial          = $dir/serial           # serial no file
private_key     = $dir/ca.key           # CA private key
RANDFILE        = $dir/.rand            # random number file
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # md to use
policy          = policy_any            # default policy
email_in_dn     = no                    # Don't add the email into cert DN
nameopt         = ca_default            # Subject name display option (openssl ca expects "ca_default")
certopt         = ca_default            # Certificate display option (openssl ca expects "ca_default")
copy_extensions = none                  # Don't copy extensions from request

[ policy_any ]
countryName             = supplied
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
Warning! This is a basic CA configuration example file for test usage only. If the CA is intended for production use, CA administrators are required to review the configuration. There are a number of configuration parameters which should be reviewed carefully, e.g. basicConstraints, x509_extensions and keyUsage.
Create the serial number file (and an empty index.txt database) in the CA directory before signing the first certificate:

echo 01 > serial
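The complete flow the page describes, as an added example that is not part of the original page: create the directory layout the configuration above expects (index.txt, serial starting at 01), generate a self-signed root, sign one certificate signing request with openssl ca, and check that the issued certificate chains to the root. The config written here keeps the page's structure but sets default_md to sha256 rather than md5, since MD5 is not an acceptable signature digest, and it passes an absolute dir instead of ".". The CA directory name, the subject fields (C=XX, O=Demo) and the server name srv.example.test are constructed for this demo.

```shell
#!/bin/sh
# Added example: minimal OpenSSL CA workflow built around the configuration
# shown above.  Names and subjects below are constructed for the demo.
set -eu

# Write a CA config in the same shape as the page's example.  Differences:
# dir is an absolute path, and default_md is sha256 instead of md5.
write_ca_config() {
    cadir="$1"
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $cadir
database        = \$dir/index.txt
new_certs_dir   = \$dir
certificate     = \$dir/ca.cer
serial          = \$dir/serial
private_key     = \$dir/ca.key
default_days    = 365
default_crl_days = 30
default_md      = sha256
policy          = policy_any
email_in_dn     = no
copy_extensions = none

[ policy_any ]
countryName             = supplied
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOF
}

# Create index.txt (empty) and serial (01), then the root key and
# self-signed root certificate.  The private key is left unencrypted
# (-nodes) only because this is a throwaway test CA.
init_ca() {
    cadir="$1"
    mkdir -p "$cadir"
    : > "$cadir/index.txt"
    echo 01 > "$cadir/serial"
    write_ca_config "$cadir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$cadir/ca.key" -out "$cadir/ca.cer" \
        -subj "/C=XX/O=Demo/CN=Demo Root CA" 2>/dev/null
}

# Generate a key and CSR for a server, then sign it with "openssl ca".
# policy_any marks countryName and commonName as "supplied", so the CSR
# must carry both or signing is refused.
issue_cert() {
    cadir="$1"; name="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$cadir/$name.key" -out "$cadir/$name.csr" \
        -subj "/C=XX/O=Demo/CN=$name" 2>/dev/null
    openssl ca -batch -notext -config "$cadir/openssl.cnf" \
        -in "$cadir/$name.csr" -out "$cadir/$name.cer" 2>/dev/null
}

# Return 0 when the issued certificate validates against the root, i.e.
# what a system that has installed ca.cer as trusted would conclude.
verify_cert() {
    openssl verify -CAfile "$1/ca.cer" "$1/$2.cer" >/dev/null 2>&1
}

# Stand-alone use:  sh ca-demo.sh /tmp/demo-ca
if [ $# -gt 0 ]; then
    init_ca "$1"
    issue_cert "$1" srv.example.test
    verify_cert "$1" srv.example.test && echo "srv.example.test: OK"
    echo "next serial: $(cat "$1/serial")"
fi
```

After one signature the serial file reads 02 and index.txt holds a "V" (valid) row for the new subject; that database is what openssl ca consults for revocation and CRL generation later.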