|
1 # |
|
2 # OpenSSL example configuration file. |
|
3 # This is mostly being used for generation of certificate requests. |
|
4 # |
|
5 |
|
6 # This definition stops the following lines choking if HOME isn't |
|
7 # defined. |
|
8 HOME = . |
|
9 RANDFILE = $ENV::HOME/.rnd |
|
10 |
|
11 # Extra OBJECT IDENTIFIER info: |
|
12 #oid_file = $ENV::HOME/.oid |
|
13 oid_section = new_oids |
|
14 |
|
15 # To use this configuration file with the "-extfile" option of the |
|
16 # "openssl x509" utility, name here the section containing the |
|
17 # X.509v3 extensions to use: |
|
18 # extensions = |
|
19 # (Alternatively, use a configuration file that has only |
|
20 # X.509v3 extensions in its main [= default] section.) |
|
21 |
|
22 [ new_oids ] |
|
23 |
|
24 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. |
|
25 # Add a simple OID like this: |
|
26 # testoid1=1.2.3.4 |
|
27 # Or use config file substitution like this: |
|
28 # testoid2=${testoid1}.5.6 |
|
29 |
|
30 # Policies used by the TSA examples. |
|
31 tsa_policy1 = 1.2.3.4.1 |
|
32 tsa_policy2 = 1.2.3.4.5.6 |
|
33 tsa_policy3 = 1.2.3.4.5.7 |
|
34 |
|
35 #################################################################### |
|
36 [ ca ] |
|
37 default_ca = CA_default # The default ca section |
|
38 |
|
39 #################################################################### |
|
40 [ CA_default ] |
|
41 |
|
42 dir = ca # Where everything is kept |
|
43 certs = $dir/certs # Where the issued certs are kept |
|
44 crl_dir = $dir/crl # Where the issued crl are kept |
|
45 database = $dir/index.txt # database index file. |
|
46 unique_subject = no # Set to 'no' to allow creation of |
|
47 # several ctificates with same subject. |
|
48 new_certs_dir = $dir/newcerts # default place for new certs. |
|
49 |
|
50 certificate = $dir/ca-crt.pem # The CA certificate |
|
51 serial = $dir/serial # The current serial number |
|
52 crlnumber = $dir/crlnumber # the current crl number |
|
53 # must be commented out to leave a V1 CRL |
|
54 crl = $dir/crl.pem # The current CRL |
|
55 private_key = $dir/private/ca-key.pem# The private key |
|
56 RANDFILE = $dir/private/.rand # private random number file |
|
57 |
|
58 x509_extensions = usr_cert # The extentions to add to the cert |
|
59 |
|
60 # Comment out the following two lines for the "traditional" |
|
61 # (and highly broken) format. |
|
62 name_opt = ca_default # Subject Name options |
|
63 cert_opt = ca_default # Certificate field options |
|
64 |
|
65 # Extension copying option: use with caution. |
|
66 # copy_extensions = copy |
|
67 |
|
68 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs |
|
69 # so this is commented out by default to leave a V1 CRL. |
|
70 # crlnumber must also be commented out to leave a V1 CRL. |
|
71 # crl_extensions = crl_ext |
|
72 |
|
73 default_days = 365 # how long to certify for |
|
74 default_crl_days= 30 # how long before next CRL |
|
75 default_md = default # use public key default MD |
|
76 preserve = no # keep passed DN ordering |
|
77 |
|
78 # A few difference way of specifying how similar the request should look |
|
79 # For type CA, the listed attributes must be the same, and the optional |
|
80 # and supplied fields are just that :-) |
|
81 policy = policy_anything |
|
82 |
|
83 # For the CA policy |
|
84 [ policy_match ] |
|
85 countryName = match |
|
86 stateOrProvinceName = match |
|
87 organizationName = match |
|
88 organizationalUnitName = optional |
|
89 commonName = supplied |
|
90 emailAddress = optional |
|
91 |
|
92 # For the 'anything' policy |
|
93 # At this point in time, you must list all acceptable 'object' |
|
94 # types. |
|
95 [ policy_anything ] |
|
96 countryName = optional |
|
97 stateOrProvinceName = optional |
|
98 localityName = optional |
|
99 organizationName = optional |
|
100 organizationalUnitName = optional |
|
101 commonName = supplied |
|
102 emailAddress = optional |
|
103 |
|
104 #################################################################### |
|
105 [ req ] |
|
106 default_bits = 1024 |
|
107 default_keyfile = privkey.pem |
|
108 distinguished_name = req_distinguished_name |
|
109 attributes = req_attributes |
|
110 x509_extensions = v3_ca # The extentions to add to the self signed cert |
|
111 |
|
112 # Passwords for private keys if not present they will be prompted for |
|
113 # input_password = secret |
|
114 # output_password = secret |
|
115 |
|
116 # This sets a mask for permitted string types. There are several options. |
|
117 # default: PrintableString, T61String, BMPString. |
|
118 # pkix : PrintableString, BMPString (PKIX recommendation before 2004) |
|
119 # utf8only: only UTF8Strings (PKIX recommendation after 2004). |
|
120 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). |
|
121 # MASK:XXXX a literal mask value. |
|
122 # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. |
|
123 string_mask = utf8only |
|
124 |
|
125 # req_extensions = v3_req # The extensions to add to a certificate request |
|
126 |
|
127 [ req_distinguished_name ] |
|
128 countryName = Country Name (2 letter code) |
|
129 countryName_default = DE |
|
130 countryName_min = 2 |
|
131 countryName_max = 2 |
|
132 |
|
133 stateOrProvinceName = State or Province Name (full name) |
|
134 stateOrProvinceName_default = Saxony |
|
135 |
|
136 localityName = Locality Name (eg, city) |
|
137 |
|
138 0.organizationName = Organization Name (eg, company) |
|
139 0.organizationName_default = Marktjagd |
|
140 |
|
141 # we can do this but it is not needed normally :-) |
|
142 #1.organizationName = Second Organization Name (eg, company) |
|
143 #1.organizationName_default = World Wide Web Pty Ltd |
|
144 |
|
145 organizationalUnitName = Organizational Unit Name (eg, section) |
|
146 organizationalUnitName_default = VPN |
|
147 |
|
148 commonName = Common Name (e.g. server FQDN or YOUR name) |
|
149 commonName_max = 64 |
|
150 |
|
151 emailAddress = Email Address |
|
152 emailAddress_max = 64 |
|
153 |
|
154 # SET-ex3 = SET extension number 3 |
|
155 |
|
156 [ req_attributes ] |
|
157 challengePassword = A challenge password |
|
158 challengePassword_min = 4 |
|
159 challengePassword_max = 20 |
|
160 |
|
161 unstructuredName = An optional company name |
|
162 |
|
163 [ usr_cert ] |
|
164 |
|
165 # These extensions are added when 'ca' signs a request. |
|
166 |
|
167 # This goes against PKIX guidelines but some CAs do it and some software |
|
168 # requires this to avoid interpreting an end user certificate as a CA. |
|
169 |
|
170 basicConstraints=CA:FALSE |
|
171 |
|
172 # Here are some examples of the usage of nsCertType. If it is omitted |
|
173 # the certificate can be used for anything *except* object signing. |
|
174 |
|
175 # This is OK for an SSL server. |
|
176 # nsCertType = server |
|
177 |
|
178 # For an object signing certificate this would be used. |
|
179 # nsCertType = objsign |
|
180 |
|
181 # For normal client use this is typical |
|
182 # nsCertType = client, email |
|
183 |
|
184 # and for everything including object signing: |
|
185 # nsCertType = client, email, objsign |
|
186 |
|
187 # This is typical in keyUsage for a client certificate. |
|
188 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
|
189 |
|
190 # This will be displayed in Netscape's comment listbox. |
|
191 nsComment = "OpenSSL Generated Certificate" |
|
192 |
|
193 # PKIX recommendations harmless if included in all certificates. |
|
194 subjectKeyIdentifier=hash |
|
195 authorityKeyIdentifier=keyid,issuer |
|
196 |
|
197 # This stuff is for subjectAltName and issuerAltname. |
|
198 # Import the email address. |
|
199 # subjectAltName=email:copy |
|
200 # An alternative to produce certificates that aren't |
|
201 # deprecated according to PKIX. |
|
202 # subjectAltName=email:move |
|
203 |
|
204 # Copy subject details |
|
205 # issuerAltName=issuer:copy |
|
206 |
|
207 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem |
|
208 #nsBaseUrl |
|
209 #nsRevocationUrl |
|
210 #nsRenewalUrl |
|
211 #nsCaPolicyUrl |
|
212 #nsSslServerName |
|
213 |
|
214 # This is required for TSA certificates. |
|
215 # extendedKeyUsage = critical,timeStamping |
|
216 |
|
217 [ ca_cert ] |
|
218 basicConstraints = CA:TRUE |
|
219 subjectKeyIdentifier=hash |
|
220 authorityKeyIdentifier=keyid,issuer |
|
221 |
|
222 [ client ] |
|
223 basicConstraints = CA:FALSE |
|
224 nsComment = "OpenSSL generated certificate" |
|
225 nsCertType = client |
|
226 subjectKeyIdentifier=hash |
|
227 authorityKeyIdentifier=keyid,issuer |
|
228 |
|
229 [ server ] |
|
230 basicConstraints = CA:FALSE |
|
231 nsComment = "OpenSSL CA generated certificate" |
|
232 nsCertType = server |
|
233 subjectKeyIdentifier=hash |
|
234 authorityKeyIdentifier=keyid,issuer |
|
235 |
|
236 [ v3_req ] |
|
237 |
|
238 # Extensions to add to a certificate request |
|
239 |
|
240 basicConstraints = CA:FALSE |
|
241 keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
|
242 |
|
243 [ v3_ca ] |
|
244 |
|
245 # Extensions for a typical CA |
|
246 |
|
247 # PKIX recommendation. |
|
248 |
|
249 subjectKeyIdentifier=hash |
|
250 |
|
251 authorityKeyIdentifier=keyid:always,issuer |
|
252 |
|
253 # This is what PKIX recommends but some broken software chokes on critical |
|
254 # extensions. |
|
255 #basicConstraints = critical,CA:true |
|
256 # So we do this instead. |
|
257 basicConstraints = CA:true |
|
258 |
|
259 # Key usage: this is typical for a CA certificate. However since it will |
|
260 # prevent it being used as an test self-signed certificate it is best |
|
261 # left out by default. |
|
262 # keyUsage = cRLSign, keyCertSign |
|
263 |
|
264 # Some might want this also |
|
265 # nsCertType = sslCA, emailCA |
|
266 |
|
267 # Include email address in subject alt name: another PKIX recommendation |
|
268 # subjectAltName=email:copy |
|
269 # Copy issuer details |
|
270 # issuerAltName=issuer:copy |
|
271 |
|
272 # DER hex encoding of an extension: beware experts only! |
|
273 # obj=DER:02:03 |
|
274 # Where 'obj' is a standard or added object |
|
275 # You can even override a supported extension: |
|
276 # basicConstraints= critical, DER:30:03:01:01:FF |
|
277 |
|
278 [ crl_ext ] |
|
279 |
|
280 # CRL extensions. |
|
281 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. |
|
282 |
|
283 # issuerAltName=issuer:copy |
|
284 authorityKeyIdentifier=keyid:always |
|
285 |
|
286 [ proxy_cert_ext ] |
|
287 # These extensions should be added when creating a proxy certificate |
|
288 |
|
289 # This goes against PKIX guidelines but some CAs do it and some software |
|
290 # requires this to avoid interpreting an end user certificate as a CA. |
|
291 |
|
292 basicConstraints=CA:FALSE |
|
293 |
|
294 # Here are some examples of the usage of nsCertType. If it is omitted |
|
295 # the certificate can be used for anything *except* object signing. |
|
296 |
|
297 # This is OK for an SSL server. |
|
298 # nsCertType = server |
|
299 |
|
300 # For an object signing certificate this would be used. |
|
301 # nsCertType = objsign |
|
302 |
|
303 # For normal client use this is typical |
|
304 # nsCertType = client, email |
|
305 |
|
306 # and for everything including object signing: |
|
307 # nsCertType = client, email, objsign |
|
308 |
|
309 # This is typical in keyUsage for a client certificate. |
|
310 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
|
311 |
|
312 # This will be displayed in Netscape's comment listbox. |
|
313 nsComment = "OpenSSL Generated Certificate" |
|
314 |
|
315 # PKIX recommendations harmless if included in all certificates. |
|
316 subjectKeyIdentifier=hash |
|
317 authorityKeyIdentifier=keyid,issuer |
|
318 |
|
319 # This stuff is for subjectAltName and issuerAltname. |
|
320 # Import the email address. |
|
321 # subjectAltName=email:copy |
|
322 # An alternative to produce certificates that aren't |
|
323 # deprecated according to PKIX. |
|
324 # subjectAltName=email:move |
|
325 |
|
326 # Copy subject details |
|
327 # issuerAltName=issuer:copy |
|
328 |
|
329 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem |
|
330 #nsBaseUrl |
|
331 #nsRevocationUrl |
|
332 #nsRenewalUrl |
|
333 #nsCaPolicyUrl |
|
334 #nsSslServerName |
|
335 |
|
336 # This really needs to be in place for it to be a proxy certificate. |
|
337 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo |
|
338 |
|
339 #################################################################### |
|
340 [ tsa ] |
|
341 |
|
342 default_tsa = tsa_config1 # the default TSA section |
|
343 |
|
344 [ tsa_config1 ] |
|
345 |
|
346 # These are used by the TSA reply generation only. |
|
347 dir = ./demoCA # TSA root directory |
|
348 serial = $dir/tsaserial # The current serial number (mandatory) |
|
349 crypto_device = builtin # OpenSSL engine to use for signing |
|
350 signer_cert = $dir/tsacert.pem # The TSA signing certificate |
|
351 # (optional) |
|
352 certs = $dir/cacert.pem # Certificate chain to include in reply |
|
353 # (optional) |
|
354 signer_key = $dir/private/tsakey.pem # The TSA private key (optional) |
|
355 |
|
356 default_policy = tsa_policy1 # Policy if request did not specify it |
|
357 # (optional) |
|
358 other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) |
|
359 digests = md5, sha1 # Acceptable message digests (mandatory) |
|
360 accuracy = secs:1, millisecs:500, microsecs:100 # (optional) |
|
361 clock_precision_digits = 0 # number of digits after dot. (optional) |
|
362 ordering = yes # Is ordering defined for timestamps? |
|
363 # (optional, default: no) |
|
364 tsa_name = yes # Must the TSA name be included in the reply? |
|
365 # (optional, default: no) |
|
366 ess_cert_id_chain = no # Must the ESS cert id chain be included? |
|
367 # (optional, default: no) |