site.conf

# From https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

[ req ]
default_bits		= 2048
distinguished_name	= subject
req_extensions		= req_ext
x509_extensions		= x509_ext
string_mask		= utf8only

[ subject ]
countryName_default	= AU
stateOrProvinceName_default = QLD
localityName_default	= Sunshine Coast
organizationName_default = trustydns1
commonName_default	= example.net
emailAddress_default	= doh@example.net

countryName		= Country Name (2 letter code)
stateOrProvinceName	= State or Province Name (full name)
localityName		= Locality Name (eg, city)
organizationName	= Organization Name (eg, company)
commonName		= Common Name (e.g. server FQDN or YOUR name)
emailAddress		= Email Address

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid,issuer

# You only need digitalSignature below. *If* you don't allow
#   RSA Key transport (i.e., you use ephemeral cipher suites), then
#   omit keyEncipherment because that's key transport.
basicConstraints	= CA:FALSE
keyUsage		= digitalSignature, keyEncipherment
subjectAltName		= @alternate_names
nsComment		= "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
extendedKeyUsage	= serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier	= hash

basicConstraints	= CA:FALSE
keyUsage		= digitalSignature, keyEncipherment, nonRepudiation
subjectAltName		= @alternate_names
nsComment		= "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage    = serverAuth, clientAuth

[ alternate_names ]

DNS.1			= localhost.example.com

[ ca ]

default_ca		= CA_default

[ CA_default ]

dir			= ./cadir

certs			= $dir/certs            # Where the issued certs are kept
crl_dir			= $dir/crl              # Where the issued crl are kept
database		= $dir/database 	# database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir		= $dir         		# default place for new certs.

certificate		= $dir/cacert.pem       # The CA certificate
serial			= $dir/serial           # The current serial number
crlnumber		= $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl			= $dir/crl.pem          # The current CRL
private_key		= $dir/cakey.pem	# The private key
RANDFILE		= $dir/.rand    	# private random number file


policy			= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier	= hash

authorityKeyIdentifier	= keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints	= CA:true