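--- /dev/null
+++ b/os/ossrv/ssl/tsrc/topenssl/data/openssl.cnf
@@ -0,0 +1,313 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha1 # which md to use.
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo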
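Review bot: The signing defaults introduced here are weak by current standards: `default_md = sha1` under `[ CA_default ]` and `default_bits = 1024` under `[ req ]` make the `ca` and `req` tools emit SHA-1-signed certificates over 1024-bit RSA keys, which current TLS clients reject. If this file is meant to be a usable configuration rather than a verbatim copy of the upstream OpenSSL example, change those two lines to `default_md = sha256` and `default_bits = 2048`. The path `tsrc/topenssl/data` suggests it is test-fixture data, in which case a header comment such as `# Test fixture mirroring the upstream OpenSSL example; the sha1/1024-bit defaults are intentional and not for real issuance` would make the intent explicit and stop the file being copied as a template. Note also that `[ v3_req ]` is never reached because the `req_extensions = v3_req` line under `[ req ]` is commented out, so requests generated from this file carry no extensions; worth a comment if that is deliberate.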