Configuring the OpenSSL configuration file

Last Updated : Jun 05, 2020

Procedure

  1. Determine the location of OpenSSL’s default openssl.cnf file. On RHEL, it is at /etc/pki/tls/openssl.cnf. If it is not there, locate it with the find command, for example find / -name openssl.cnf
  2. Copy the openssl.cnf file to the certificates home directory, for example cp /etc/pki/tls/openssl.cnf /certificates
  3. Change directories to the certificates home directory, for example cd /certificates
  4. Edit the copied version of the openssl.cnf file with the following changes, for example vi /certificates/openssl.cnf
    • Modify the following line in the section [ CA_default ]

      Change from:

      dir            = ../../CA

      Change to:

      dir            = ./CA

    • Comment out the two appearances of the following line:

      Change from:

      nsComment                      = "OpenSSL Generated Certificate"

      Change to:

      #nsComment                    = "OpenSSL Generated Certificate"

    • Uncomment the following line and add v3_req to extensions.

      Change from:

      # X.509v3 extensions to use:

      # extensions           =

      Change to:

      # X.509v3 extensions to use:

      extensions           = v3_req

    • Uncomment the following line.

      Change from:

      # req_extensions = v3_req # The extensions to add to a certificate request.

      Change to:

      req_extensions = v3_req # The extensions to add to a certificate request.

    • Change the following line in the [ v3_req ] section.

      Change from:

      keyUsage = nonRepudiation, digitalSignature, keyEncipherment

      Change to:

      keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment

    • Add the following line to the [ v3_req ] section.

      extendedKeyUsage=serverAuth,clientAuth

    • Add the following lines to the [ usr_cert ] section.

      Change from:

      # These extensions are added when 'ca' signs a request.

      Change to:

      # These extensions are added when 'ca' signs a request.

      keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment

      extendedKeyUsage=serverAuth,clientAuth

    • Change string_mask in the [ req ] section to the following:

      string_mask = MASK:0x2002

    • If you want to use a message digest stronger than sha1, for example sha256, change the default_md option in the [ req ] section.

  5. Save changes to the openssl.cnf file.
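The whole of step 4 applied in one pass, as an added shell example that is not part of the original procedure: a sed script makes each edit on a copy of openssl.cnf, and a check function confirms that every edit landed before the copy is used. To run offline it works on a constructed excerpt that holds only the lines the procedure quotes, placed in their usual sections; the excerpt, the working paths and the sed patterns (built from the line text quoted in the steps) are assumptions, and the default_md change is the optional last bullet. On a real file the stock text can differ slightly between OpenSSL versions, so read the diff the script prints before copying the result into the certificates directory.

```shell
#!/bin/sh
# Added example, not part of the original procedure: apply the step-4 edits
# to a copy of openssl.cnf with sed, then verify that each edit is present.
# Paths are assumptions; set SRC=/etc/pki/tls/openssl.cnf and
# DST=/certificates/openssl.cnf to run against the real file.
WORK="${WORK:-$(mktemp -d)}"
SRC="${SRC:-$WORK/openssl.cnf.orig}"
DST="${DST:-$WORK/openssl.cnf}"

# Constructed excerpt of a stock openssl.cnf: only the lines the procedure
# touches, in their usual sections (not a complete configuration file).
[ -f "$SRC" ] || cat > "$SRC" <<'EOF'
# X.509v3 extensions to use:
# extensions           =

[ CA_default ]
dir            = ../../CA

[ req ]
default_md = sha1
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request.

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
nsComment                      = "OpenSSL Generated Certificate"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ proxy_cert_ext ]
nsComment                      = "OpenSSL Generated Certificate"
EOF

# apply_changes SRC DST: write an edited copy of SRC to DST (SRC is untouched).
apply_changes() {
  cat > "$WORK/edits.sed" <<'EOF'
# [ CA_default ]: keep the CA tree next to the copied config
s|^dir *= *\.\./\.\./CA|dir            = ./CA|
# comment out both nsComment lines
s|^nsComment|#nsComment|
# name v3_req as the extension section (used by "openssl x509 -extfile")
s|^# extensions *=.*|extensions           = v3_req|
# add v3_req to certificate requests
s|^# req_extensions = v3_req|req_extensions = v3_req|
# [ v3_req ]: extend keyUsage and add extendedKeyUsage right after it
/^keyUsage = nonRepudiation, digitalSignature, keyEncipherment$/{
s|$|, dataEncipherment|
a\
extendedKeyUsage=serverAuth,clientAuth
}
# [ usr_cert ]: add keyUsage and extendedKeyUsage after the marker comment
/^# These extensions are added when 'ca' signs a request\./a\
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\
extendedKeyUsage=serverAuth,clientAuth
# [ req ] only (range ends at the next section header): string_mask
# 0x2002 = PrintableString | UTF8String; default_md is the optional step
/^\[ req \]/,/^\[/{
s|^string_mask *=.*|string_mask = MASK:0x2002|
s|^default_md *=.*|default_md = sha256|
}
EOF
  sed -f "$WORK/edits.sed" "$1" > "$2"
}

# check_config FILE: return 0 when every step-4 edit is present, otherwise
# print the first missing item and return 1.
check_config() {
  f="$1"
  grep -q '^dir *= *\./CA' "$f" || { echo "dir is not ./CA"; return 1; }
  [ "$(grep -c '^nsComment' "$f")" -eq 0 ] || { echo "nsComment still active"; return 1; }
  grep -q '^extensions *= *v3_req' "$f" || { echo "extensions is not v3_req"; return 1; }
  grep -q '^req_extensions *= *v3_req' "$f" || { echo "req_extensions still commented"; return 1; }
  [ "$(grep -c '^keyUsage = .*dataEncipherment' "$f")" -ge 2 ] || { echo "keyUsage lacks dataEncipherment"; return 1; }
  [ "$(grep -c '^extendedKeyUsage=serverAuth,clientAuth' "$f")" -ge 2 ] || { echo "extendedKeyUsage missing"; return 1; }
  grep -q '^string_mask *= *MASK:0x2002' "$f" || { echo "string_mask is not MASK:0x2002"; return 1; }
  return 0
}

apply_changes "$SRC" "$DST"
if check_config "$DST"; then
  echo "all step-4 edits present in $DST; diff against $SRC:"
  diff "$SRC" "$DST" || true
fi
```

check_config is the part worth keeping around: run it against the copy in /certificates before issuing any certificate from it, because a request or signing run that silently picks up the unedited v3_req or usr_cert section produces certificates without the intended keyUsage and extendedKeyUsage values.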