[ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/server.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/server.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 60 default_crl_days = 30 default_md = sha256 preserve = no policy = policy_match copy_extensions = copy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] prompt = no distinguished_name = server default_bits = 2048 input_password = whatever output_password = whatever #req_extensions = v3_req [server] countryName = FR stateOrProvinceName = Radius localityName = Somewhere organizationName = Example Inc. emailAddress = admin@example.org commonName = "Example Server Certificate" [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always # This should be a host name of the RADIUS server. # Note that the host name is exchanged in EAP *before* # the user machine has network access. So the host name # here doesn't really have to match anything in DNS. [alt_names] DNS.1 = radius.example.com # NAIRealm from RFC 7585 otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.example.com