From 81a2dc26523ff98ef6f58a06bd63965f6aae7185 Mon Sep 17 00:00:00 2001
From: tips-of-mine <54597409+tips-of-mine@users.noreply.github.com>
Date: Sun, 15 Jun 2025 09:35:21 +0200
Subject: [PATCH] Create root-openssl.conf
---
 scripts/configs/root-openssl.conf | 77 +++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 scripts/configs/root-openssl.conf
diff --git a/scripts/configs/root-openssl.conf b/scripts/configs/root-openssl.conf
new file mode 100644
index 0000000..6e53243
--- /dev/null
+++ b/scripts/configs/root-openssl.conf
@@ -0,0 +1,77 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /opt/tls # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+database = $dir/index.txt # database index file.
+ # several certs with same subject.
+new_certs_dir = $dir/certs # default place for new certs.
+certificate = $dir/certs/ca.cert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+private_key = $dir/private/ca.key.pem # The private key
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # use SHA-256 by default
+preserve = no # keep passed DN ordering
+policy = policy_match
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 4096
+default_md = sha256
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = FR
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = NORD
+localityName = Locality Name (eg, city)
+localityName_default = ROUBAIX
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = IT
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s
hostname)
+commonName_max = 64
+emailAddress = EmailAddress
+emailAddress_max = 64
+emailAddress_default = sec@test.testing
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
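Review bot: The `[ v3_ca ]` section at the end of the hunk carries no `keyUsage`, so a root certificate produced through `x509_extensions = v3_ca` is a CA by `basicConstraints` alone, while `[ v3_intermediate_ca ]` in the same file does restrict the intermediate key to certificate and CRL signing; add `keyUsage = critical, digitalSignature, cRLSign, keyCertSign` to `[ v3_ca ]` so the root key is scoped at least as tightly as the keys it certifies (RFC 5280 §4.2.1.3 requires the extension on certificates whose key verifies other certificates or CRLs). In `[ req ]`, `string_mask = nombstr` still permits T61String encodings in the DN, and current OpenSSL documentation recommends `string_mask = utf8only` for a new PKI. In `[ CA_default ]` the indented `# several certs with same subject.` is a stranded tail of the stock `#unique_subject = no` comment that this file no longer contains; either restore that line in full or drop the fragment so it does not read as documenting `database`. If this root is meant to sign only intermediates, `default_days = 365` is presumably overridden with `-days` at signing time; a comment saying so would spare the next operator a short-lived root.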