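#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by OpenSSL's own CONF parser (openssl ca / req / x509), not by a
# generic INI reader: '#' starts a comment anywhere on a line, $name and
# $ENV::name are expanded, and whitespace inside [ brackets ] is ignored.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1 = 1.2.3.4
# Or use config file substitution like this:
# testoid2 = ${testoid1}.5.6

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# The CA private key; the private/ directory must be readable only by the
# CA operator, since anyone who reads this file can issue certificates.
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# With 'copy', extensions carried in the request (e.g. subjectAltName) are
# taken into the issued certificate, so requests must be vetted before
# signing.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# which md to use. SHA-1 signatures are deprecated and rejected by current
# verifiers; sha256 is available in OpenSSL 0.9.8 and later.
default_md = sha256
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# RSA key size for newly generated keys. 1024-bit keys are no longer
# considered adequate; 2048 is the minimum current guidance.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# (Newer OpenSSL default configs use utf8only; nombstr is kept here for the
# legacy clients described above.)
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints = CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName = email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName = email:move

# Copy subject details
# issuerAltName = issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName = email:copy
# Copy issuer details
# issuerAltName = issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj = DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints = critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints = CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName = email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName = email:move

# Copy subject details
# issuerAltName = issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# 'policy:foo' is a placeholder policy value from the upstream example;
# replace it with the proxy policy actually required.
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo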