# etcd OpenSSL configuration file. SAN = "IP:127.0.0.1" dir = ${ENV:CA_BASE_DIR} [ ca ] default_ca = etcd_ca [ etcd_ca ] certs = $dir/certs certificate = $dir/certs/etcd-ca.crt crl = $dir/crl.pem crl_dir = $dir/crl crlnumber = $dir/crlnumber database = $dir/index.txt email_in_dn = no new_certs_dir = $dir/newcerts private_key = $dir/private/etcd-ca.key serial = $dir/serial RANDFILE = $dir/private/.rand name_opt = ca_default cert_opt = ca_default default_days = 3650 default_crl_days = 30 default_md = sha512 preserve = no policy = policy_etcd [ policy_etcd ] organizationName = optional commonName = supplied [ req ] default_bits = 4096 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca string_mask = utf8only req_extensions = etcd_client [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US countryName_min = 2 countryName_max = 2 commonName = Common Name (FQDN) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = etcd-ca [ req_attributes ] [ v3_ca ] basicConstraints = CA:true keyUsage = keyCertSign,cRLSign subjectKeyIdentifier = hash [ etcd_client ] basicConstraints = CA:FALSE extendedKeyUsage = clientAuth keyUsage = digitalSignature, keyEncipherment [ etcd_peer ] basicConstraints = CA:FALSE extendedKeyUsage = clientAuth, serverAuth keyUsage = digitalSignature, keyEncipherment subjectAltName = ${ENV::SAN} [ etcd_server ] basicConstraints = CA:FALSE extendedKeyUsage = clientAuth, serverAuth keyUsage = digitalSignature, keyEncipherment subjectAltName = ${ENV::SAN}