#
##::[[--- Windows OpenSSL Config ---]]::##
#####################################################################
##----- Notes -----##
#####################################################################
# All commands required can be found beginning on line 430
# BSD/Linux/Mac users:
# Replace all single/double backslashes with forward slashes. You may also wish to utilize lowercase only,
# and if names contain spaces, escape each space or quote the whole path, e.g. './Sophos\ UTM\ CA.crt' or "./Sophos UTM CA.crt"
# Ensure EOLs are LF, not CRLF
# Windows uses CRLF, UNIX utilizes LF
# Sophos users:
# If not using SANs, prior to generating user certs, ensure 'x509_extensions = usr_cert_not_dn'
# This results with 'RFC822 Name = user@email.com' in the SubjectAlternativeName of the certificate.
# Without this, it will be impossible to authenticate to VPNs on Sophos.
# Intermediate CAs & Intermediate CA client certs CANNOT be utilized on Sophos UTM due to how Sophos authenticates.
# Only exception is the WebAdmin certificate, which can be signed by a Public ICA authority for a FQDN.
# For chain of trust to be maintained, CA & ICA must be installed on devices accessing the WebAdmin/User Portal.
#####################################################################
##----- Establish Build Variables -----##
#####################################################################
# Build variables. They sit before any [section] header, so OpenSSL files them
# under its implicit "default" section, which is the fallback for every $name
# lookup from the other sections in this file.
# $dir is the directory `openssl` is run from: run every command from the CA
# directory (or set an absolute path here), otherwise the database, serial,
# issued certs and the CA private key silently land somewhere else.
# "\\" is OpenSSL's escape for one literal backslash (Windows separator);
# forward slashes also work on Windows and are the portable choice.
dir = .
# Reference to the system config. Neither cnf nor CNF is used by any section
# visible in this file; presumably consumed by the command list further down.
cnf = /etc/ssl/openssl.cnf
CNF = $dir\\openssl.cnf
#####################################################################
##----- Establish CA Profile and Policy -----##
#####################################################################
# Display names used to build the CA file paths ($UTM in [CA_default]).
# OpenSSL calls the unnamed leading section "default", so this header
# continues that section rather than opening a new one - which is why $UTM
# resolves from any other section. The quotes are stripped by the config
# parser; they are only needed because the names contain spaces.
[ default ]
UTM = "Sophos UTM CA"
# WRT and VPN are not referenced by any section visible in this file;
# presumably used by the ICA commands (see the notes header).
WRT = "Router 2 ICA"
VPN = "Router 2 VPN ICA"
# Entry point for `openssl ca`: names the section that holds the CA settings.
[ ca ]
default_ca = CA_default
#####################################################################
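[ CA_default ]
# --- Working files, all relative to $dir (see the build variables above) ---
certs = $dir\\cert
new_certs_dir = $dir
# Text database of every cert issued; `openssl ca -revoke` and -gencrl
# depend on it, so back it up together with the serial file.
database = $dir\\index
# Seed file for older OpenSSL releases; 1.1.1+ seeds from the OS and may
# ignore it.
RANDFILE = $dir\\rand
serial = $dir\\serial
crldir = $dir\\crl
crlnumber = $crldir\\crlnumber
crl = $crldir\\ca.crl.pem
# CRL lifetime (nextUpdate). A relying party may keep using a CRL it already
# holds until that date, so a revocation is only guaranteed to take effect
# once every cached CRL has lapsed. The previous value of 3650 (10 years)
# made revoking a lost laptop or VPN user effectively pointless. Regenerate
# with `openssl ca -gencrl -crlexts crl_ext` before this window runs out.
default_crl_days = 30
# CA certificate and private key. Whoever can read the key can issue a cert
# trusted by every host and VPN user in this file: keep the file owner-only,
# keep it passphrase-protected (encrypt_key in [req]), and consider keeping
# the root offline and issuing day-to-day certs from an ICA.
certificate = "$dir\\ca\\$UTM.crt.pem"
private_key = "$dir\\ca\\$UTM.key.pem"
# End-entity lifetime. 10 years is long for client/server certs; with no
# renewal pressure the CRL above is the only way to retire a lost device.
default_days = 3650
preserve = no
default_md = sha512
# Extension section applied by `openssl ca` unless -extensions <section> is
# given. Sophos user certs need usr_cert_not_dn (see the notes header).
x509_extensions = usr_cert_not_dn
# Copy extensions from the CSR into the certificate. Extensions that the
# selected x509_extensions section also sets are overridden by the section,
# but anything the CSR adds that the section does not mention is issued
# as-is - so only sign CSRs you generated yourself or have inspected with
# `openssl req -text -noout`. Needed so CSR-supplied SANs survive when a cert
# is signed without one of the per-host v3 sections.
copy_extensions = copy
# Refuse a second valid cert with the same subject: revoke the old one
# (or expire it) before re-issuing for a device.
unique_subject = yes
policy = policy_match
# Display options for the "Sign the certificate?" prompt.
name_opt = esc_2253,esc_ctrl,esc_msb,sep_comma_plus_space,ignore_type
cert_opt = ca_default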
#####################################################################
# Policy used by `openssl ca` (selected via policy = policy_match): C, ST, O
# and OU in the CSR must equal the CA certificate's own values, a CN is
# required, an email address is allowed but not required. A CSR whose O or OU
# differs from the CA's is rejected, so every cert in this hierarchy shares
# the organisation/unit of the CA.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
# Variant of policy_match that also makes the CN optional (e.g. for certs
# whose identity lives entirely in the SAN). Not selected by [CA_default];
# use it with `openssl ca -policy policy_supply`.
[ policy_supply ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = optional
emailAddress = optional
#####################################################################
##----- Establish Certificate Options -----#
#--------------------------------------------------------------------
# Key size and digest do not depend on the TLS key-exchange method: ECDHE/ECDH session keys are
# generated per connection and are not derived from the certificate key, so using them does not
# require a larger certificate key or a stronger hash than you would otherwise choose.
# Pick the RSA size by the security level you want: 2048-bit RSA (~112-bit) is commonly paired with
# SHA-256, 3072-bit or larger (~128-bit+) with SHA-384/SHA-512. default_md = sha512 below is used for
# every signature produced from this file. If you do not need more than ~112 bits, 2048 is sufficient.
# On 64-bit CPUs without SHA hardware acceleration SHA-512 is usually faster than SHA-256; with
# SHA-NI the reverse holds.
# encrypt_key = yes is deliberately left in effect so every generated key gets a passphrase. A server
# must be able to start unattended, so when creating a server key add -nodes (spelled -noenc on
# OpenSSL 3, -nodes still accepted) to the req command, and then protect that unencrypted key with
# owner-only file permissions: anyone who can read it can impersonate the server.
# Settings for `openssl req` (CSR and self-signed certificate generation).
[ req ]
# RSA size for keys generated with -new/-newkey; override per invocation with
# -newkey rsa:4096 or an EC key.
default_bits = 2048
default_keyfile = private.key.pem
preserve = no
default_md = sha512
# Encode DN strings as UTF8String wherever the attribute type allows it.
string_mask = utf8only
utf8 = yes
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions written into CSRs (-new); the CA-side x509_extensions section
# overrides anything it also sets.
req_extensions = v3_req
# Extensions for self-signed certs (-x509): the root CA profile.
x509_extensions = v3_ca
# NOTE(review): only meaningful when req itself signs an existing CSR
# (-x509 -in) on OpenSSL releases that honour this key in [req]; older
# releases ignore it here. The CA-side setting lives in [CA_default].
copy_extensions = copy
# Prompt for a passphrase on every generated key. Pass -nodes (-noenc on
# OpenSSL 3) only for unattended server keys, and then rely on file
# permissions to protect them.
encrypt_key = yes
# Optional CSR attributes, prompted for interactively; the value here is the
# prompt label and _min/_max bound the accepted length. A challengePassword
# is stored in the CSR in clear and is only useful to enrolment protocols
# that check it (e.g. SCEP); it does not protect the private key. Treat a CSR
# that carries one as sensitive.
[ req_attributes ]
challengePassword =
challengePassword_min = 12
challengePassword_max = 40
#####################################################################
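[ req_distinguished_name ]
# Left column: prompt labels shown by `openssl req`; *_default: value used
# when Enter is pressed; *_min/*_max: accepted length. A key that is not a
# recognised DN attribute name is skipped by `openssl req` with only a
# warning, so a typo here silently drops that attribute from every CSR.
countryName = xx
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State
localityName = Locality
0.organizationName = Organization
organizationalUnitName = Organizational Unit
commonName = Common Name
commonName_max = 64
# Was misspelt "emailAddres": req skipped the prompt, no emailAddress entered
# the subject, and [usr_cert_not_dn]'s "email:copy" then produced an empty
# SAN - exactly the condition the Sophos note says breaks VPN authentication.
emailAddress = Email
emailAddress_max = 64
countryName_default = US
stateOrProvinceName_default = State
localityName_default = Locality
0.organizationName_default = Sophos UTM
organizationalUnitName_default = LAN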
#####################################################################
##----- Establish SubjectAltName (SAN) Profiles -----##
#####################################################################
# All server certs with WebUIs should have their loopback IP specified in their SAN profile
# This prevents certificate errors if connecting to the device, router, or server via an SSH tunnel
# Certain OS CA certs must have the loopback IP specified in SAN profile (i.e. Sophos UTM's CA)
# Provided one utilizes the SAN profile, Common Names can be whatever one wishes (i.e. not the DNS or IP)
# SANs can be: email (an email address), URI (a uniform resource identifier), DNS (a DNS domain name),
# RID (a registered ID: OBJECT IDENTIFIER), IP (an IP address), dirName (a distinguished name), and otherName.
#--------------------------------------------------------------------
##----- Certificate Authorities -----##
#--------------------------------------------------------------------
# Main #
[ alt_ca_main ]
# A SAN on a CA certificate plays no part in chain validation; these entries
# exist only because some consumers expect a loopback IP in the CA cert
# (per the notes: Sophos UTM's CA import).
DNS.1 = BellevueCA
IP.1 = 127.0.0.1
# Router 2 #
[ alt_ica_router2 ]
# "Router.2" is a label, not a resolvable name; harmless on a CA cert.
DNS.1 = Router.2
IP.1 = 127.0.0.1
# Code Signing #
[ alt_signing_ica ]
DNS.1 = Code-Signing
#--------------------------------------------------------------------
##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------
# Main #
# Servers #
[ alt_sophos ]
# Replace the placeholders (your.ddns.com, your-fqdn.com) with the real
# names. A TLS client matches the host it dialled against these entries and,
# once any SAN is present, modern clients ignore the CN entirely. 127.0.0.1
# is listed so the UI also validates when reached through an SSH tunnel (see
# the SAN notes); it does make the cert valid for "localhost" on every client.
IP.1 = 192.168.2.1
IP.2 = 127.0.0.1
DNS.1 = UTM.LEDE
DNS.2 = your.ddns.com
[ alt_freenas ]
IP.1 = 192.168.2.13
IP.2 = 192.168.2.130
IP.3 = 127.0.0.1
DNS.1 = Free.LEDE
DNS.2 = your-fqdn.com
[ alt_vpn_server1 ]
# VPN endpoint: tunnel-side IP plus the public DNS name clients connect to.
IP.1 = 10.0.0.1
DNS.1 = your.ddns.com
# Clients #
[ alt_xps13 ]
# One SAN profile per VPN user/device. email.1 becomes the RFC822 Name SAN
# that the Sophos VPN matches against the user account (see the notes
# header), so it must equal the user's address on the UTM; DNS.1 is an
# informational device label.
email.1 = xxxx@mailbox.org
DNS.1 = VPN-xps13-Hostname
[ alt_remoop5 ]
email.1 = xxxx@mailbox.org
DNS.1 = VPN-remoop5-Hostname
[ alt_matti ]
email.1 = xxxx@mailbox.org
DNS.1 = VPN-matti-Hostname
[ alt_hanna ]
email.1 = xxxx@mailbox.org
DNS.1 = VPN-hanna-Hostname
#--------------------------------------------------------------------
##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------
# Router 2 #
# Servers #
[ alt_lede ]
# Router 2 admin UI: LAN IP, loopback for SSH-tunnel access (see SAN notes),
# and the internal name.
IP.1 = 192.168.2.2
IP.2 = 127.0.0.1
DNS.1 = LAN.LEDE
[ alt_vpn_server2 ]
# Second VPN endpoint; replace the duckdns placeholder with the real name.
IP.1 = 192.168.0.1
DNS.1 = xxxx.duckdns.org
# Clients #
[ alt_vpn2_xps13 ]
# Same users as the Main profiles, issued under the Router 2 ICA. The entries
# are listed DNS-first here; SAN order follows config order, which changes the
# encoding but not what a verifier matches.
DNS.1 = VPN-xps13-Hostname
email.1 = xxxx@mailbox.org
[ alt_vpn2_remoop5 ]
DNS.1 = VPN-remoop5-Hostname
email.1 = xxxx@mailbox.org
[ alt_vpn2_matti ]
DNS.1 = VPN-matti-Hostname
email.1 = xxxx@mailbox.org
[ alt_vpn2_hanna ]
DNS.1 = VPN-hanna-Hostname
email.1 = xxxx@mailbox.org
# Code Signing #
# Cert1 #
[ alt_codesign ]
# Placeholder; set to the signer's real address before issuing.
email.1 = user@email.com
#####################################################################
##----- Establish Certificate Authority V3 Profiles -----##
#--------------------------------------------------------------------
# These V3 CA profiles must not be modified to contain any more, or any less, KUs
# These have been configured specifically for security and it is imperative that no other keyUsages are set
# For an ICA to be capable of signing additional CAs/ICAs, pathlen number must mirror number of CAs/ICAs
# it can sign. By default, all ICAs are set to 0, meaning they can sign certs, but not other CAs/ICAs.
[ v3_ca ]
# Root CA profile, applied by `openssl req -x509` (see [req] x509_extensions).
# No pathlen: the root must be able to sign the ICAs below (each pathlen:0).
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
# issuer:always also embeds issuer DN + serial; on a self-signed root these
# point back at the root itself, which is permitted.
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = @alt_ca_main
# keyCertSign/cRLSign are what a CA needs to issue certs and CRLs;
# digitalSignature additionally allows the CA key to sign e.g. OCSP
# responses directly. Per the note above, leave this set as-is.
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
[ v3_ica_router2 ]
# Router 2 ICA. pathlen:0 means it may sign end-entity certs only - a cert it
# issues with CA:TRUE is rejected by path validation. NOTE(review): if this
# ICA should only ever issue for one name space, a nameConstraints extension
# here would bound the damage of a compromised ICA key; not added because the
# intended scope cannot be told from this file.
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = @alt_ica_router2
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
[ v3_signing_ica ]
# Code-signing ICA: pathlen:0, so it can issue [v3_codesign] certs but no
# further CAs. Keeping code signing under its own ICA lets it be revoked
# without touching the VPN/server hierarchy.
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
subjectAltName = @alt_signing_ica
# CRL extensions, applied with `openssl ca -gencrl -crlexts crl_ext`.
[ crl_ext ]
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always, issuer:always
#####################################################################
##----- Establish Generalized V3 Certificate Profiles -----##
#--------------------------------------------------------------------
# Extensions placed in every CSR (see [req] req_extensions). They are only a
# request: the CA-side section chosen at signing time sets the final values,
# and with copy_extensions = copy anything not set there is copied over.
[ v3_req ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
# Client/user profile whose identity lives in the subject DN only (no SAN).
# Not suitable for Sophos VPN users, which need the email in the SAN
# (see the notes header and usr_cert_not_dn).
[ usr_cert_dn ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# digitalSignature is what TLS client authentication actually uses;
# keyEncipherment/nonRepudiation support the emailProtection purpose.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection
# Client/user profile used as the [CA_default] default. Sophos VPN
# authentication matches the RFC822 Name SAN (see the notes header).
[ usr_cert_not_dn ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# email:copy takes the emailAddress from the CSR's subject DN. If the CSR has
# no emailAddress (e.g. the [req_distinguished_name] prompt key is misspelt
# or the prompt was skipped) the SAN comes out empty and Sophos will reject
# the user - check the issued cert with `openssl x509 -text -noout`.
subjectAltName = email:copy
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection
#####################################################################
##----- Establish Client Certificate V3 Profiles -----##
#--------------------------------------------------------------------
# These V3 profiles should not be modified to contain less than what they are currently configured with.
# These have been specifically configured with security in mind.
# TLS server profiles carry every keyUsage except dataEncipherment. Which one a handshake actually uses
# depends on the key type: digitalSignature for (EC)DHE suites and TLS 1.3, keyEncipherment for RSA key
# transport, keyAgreement only for static (EC)DH keys - listing all three lets one profile serve either
# RSA or EC keys. VPN and file servers should keep at least digitalSignature, keyEncipherment, keyAgreement
# All servers must contain EKU serverAuth
# All server [VPN] clients must contain EKU clientAuth
#--------------------------------------------------------------------
##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------
# Main #
# Servers #
[ v3_sophos ]
# TLS server profiles under the root CA. Select with
# `openssl ca -extensions v3_sophos`; the subjectAltName set here replaces
# any SAN carried in the CSR, so the alt_* section is the one that counts.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# keyAgreement has no effect on an RSA key (it applies to (EC)DH keys);
# nonRepudiation is unused by TLS but harmless. Kept per the note above.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
# critical serverAuth only: this cert cannot be presented as a client or
# used for signing code/mail even if the key leaks.
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_sophos
[ v3_freenas ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_freenas
[ v3_vpn_server1 ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_vpn_server1
# Clients #
[ v3_xps13 ]
# VPN client profiles under the root CA, one per device, selected with
# `openssl ca -extensions v3_<device>`. The SAN set here overrides any SAN
# in the CSR. Unlike usr_cert_not_dn there is no emailProtection EKU and
# the email comes from the alt_* section rather than the subject DN.
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# digitalSignature is what the client uses to prove key possession in the
# TLS handshake; keyEncipherment/nonRepudiation are kept per the note above.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# clientAuth only, and critical: the cert cannot be used as a server cert.
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_xps13
[ v3_remoop5 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_remoop5
[ v3_matti ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_matti
[ v3_hanna ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_hanna
#--------------------------------------------------------------------
##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------
# Router 2 #
# Servers #
[ v3_lede ]
# TLS server profiles issued by the Router 2 ICA. Identical in shape to the
# root-CA server profiles; the difference is only which CA signs them, so
# the ICA (and the root) must be installed on every client that connects.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# keyAgreement applies to (EC)DH keys only; no effect on an RSA key.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_lede
[ v3_vpn_server2 ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_vpn_server2
# Clients #
[ v3_vpn2_xps13 ]
# VPN client profiles issued by the Router 2 ICA, one per device. Per the
# notes header these cannot be used against Sophos UTM (ICA-issued client
# certs are not accepted there); they are for the Router 2 VPN only.
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# clientAuth only, critical: cannot be presented as a server cert.
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_vpn2_xps13
[ v3_vpn2_remoop5 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_vpn2_remoop5
[ v3_vpn2_matti ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_vpn2_matti
[ v3_vpn2_hanna ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_vpn2_hanna
# Code Signing #
# Certificates #
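[ v3_codesign ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# Signing-only key: no keyEncipherment/keyAgreement, so the key is never a
# TLS key-exchange key.
keyUsage = critical, nonRepudiation, digitalSignature
# Fixed "mcCTLSign": that is not an OpenSSL object name, so `openssl ca`
# failed to load this section and could not issue from it at all. The
# Microsoft Trust List Signing purpose is msCTLSign; it is only needed for
# signing CTLs and can be dropped for plain Authenticode. msCodeInd and
# msCodeCom are the legacy Microsoft individual/commercial purposes.
# NOTE(review): RFC 3161 requires a time-stamping certificate to carry
# timeStamping as its only EKU, so a combined cert like this is not accepted
# as a TSA by conforming verifiers; if you run a TSA, give it its own profile
# with `extendedKeyUsage = critical, timeStamping` and remove it here.
extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom, msCTLSign, timeStamping
subjectAltName = @alt_codesign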