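#
# Filename: openssl-conf-radsec.example.org.txt
#
# Sample openssl configuration file to generate a key pair and a
# dc-sDN-attribute-style PKCS#10 CSR with included requested
# SubjectAlternativeNames (SANs)
#
# Sample openssl commandline command to generate a CSR with this openssl config file:
#
# Alternative 1: Generating a new server key and a new CSR
#
# openssl req -config ./openssl-conf-radsec.example.org.txt -new -keyout radsec.example.org-newkey.pem -out radsec.example.org-csr.pem
#
# Alternative 2: Re-using an existing server key and generating a new CSR
#
# openssl req -config ./openssl-conf-radsec.example.org.txt -new -key radsec.example.org-key.pem -out radsec.example.org-csr.pem
#
# To remove the passphrase from the private key file use
#
# openssl rsa -in radsec.example.org-newkey.pem -out radsec.example.org-key.pem
#
# This eases automatic startup of the SSL/TLS-server when restarted or
# rebooted. Check for secure file access permissions on the private key file
# (readable only by the account that runs the server, e.g. mode 0600).
# Do not transfer the private key unencrypted over network connections.
#
# If generated directly on a secure filesystem with proper secure file access
# permissions on the server system add option -nodes to the "openssl req ..."
# command to omit setting the secret key's passphrase protection - this eases
# automatic startup of the SSL/TLS-server when restarted or rebooted.
#
# To set an AES256 passphrase on the private key file use
#
# openssl rsa -aes256 -in radsec.example.org-key.pem -out radsec.example.org-key.pem
#
# To check what is actually in a CSR file use
#
# openssl req -text -verify -in radsec.example.org-csr.pem
#
# Note on comments: the OpenSSL config parser treats "#" as the start of a
# comment also after a value, so the trailing "# ..." remarks below are not
# part of the values.
#

# Seed file hint for the OpenSSL CSPRNG; on modern OpenSSL versions the
# generator is seeded from the OS and this setting is of little effect
# (NOTE: confirm handling for the OpenSSL version in use)
RANDFILE=/dev/urandom

[ req ]
default_bits = 2048 # key length 2048 or 4096 bits RSA (2048 is the minimum that should be used)
distinguished_name = req_distinguished_name
req_extensions = req_cert_extensions
# hash used for the CSR self-signature
default_md = sha256
# restricts the ASN.1 string types used for DN attributes; req(1) documents
# this setting under the name string_mask - verify that the OpenSSL version
# in use honours dirstring_type
dirstring_type = nombstr
# take the DN values below verbatim instead of prompting interactively
prompt = no

[ req_distinguished_name ]
# requested SubjectDN
# (the "N." prefixes allow repeated attributes; openssl strips them)
#
1.DC = net # mandatory
2.DC = geant # mandatory
3.DC = eduroam # mandatory
C = XX # mandatory, two letter ISO country code of the country the organisation
       # named in the O-attribute has its office / branch
O = Organisation # mandatory, official legal name of organisation, check with NRO/eduroamOT
       # (less than 65 characters, abbreviate if necessary,
       # no diacritical characters, use without diacritics or use ä->ae, Å->A, æ->ae, ø->oe etc)
#1.OU= Organisational Unit # optional, organisational *unit* name of the organisation
#                          # named in the O-attribute (less than 65 characters, no diacritical characters)
#2.OU= Organisational Sub Unit # optional, organisational *sub-unit* name of the organisational unit
#                          # named in the previous OU-attribute (less than 65 characters, no diacritical characters)
#
# more optional OU-attributes if needed...
CN = radsec.example.org # mandatory, server name (FQDN), must also be included as a SAN, see below

[req_cert_extensions]
subjectAltName=@subject_alt_name

[ subject_alt_name ]
# requested SubjectAlternativeNames (SANs)
#
# SANs of type DNS
# change those FQDNs to real FQDNs in domains registered to the organisation named in the O-attribute
#
DNS.1=radsec.example.org # mandatory, server name (FQDN) from CN-attribute
DNS.2=radsec1.example.org # optional, further server name (FQDN)
DNS.3=radsec2.example.org # optional, further server name (FQDN)
# more optional server names (FQDNs) if needed...

# SANs of type IP (discouraged)
# IP addresses are normally not needed in SSL/TLS-certificates
# change those RFC 1918 IP addresses to real IP addresses assigned to the organisation named in the O-attribute
#
#IP.1=10.11.12.13 # optional, IPv4 or IPv6 address
#IP.2=192.168.2.42 # optional, IPv4 or IPv6 address
# more optional IP addresses if needed...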