alpha/micro-ca: comparison lib/templates/ca

equal deleted inserted replaced

-:6657142678fa
+:04c4e7da49ff
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# This definition stops the following lines choking if HOME isn't
-# defined.
-#HOME			= .
-#RANDFILE		= $ENV::HOME/.rnd
-# Extra OBJECT IDENTIFIER info:
-#oid_file		= $ENV::HOME/.oid
-#oid_section		= new_oids
-####################################################################
-[ ca ]
-default_ca	= CA_default		# The default ca section
-####################################################################
-[ CA_default ]
-[% IF not cadir %]
-[% THROW param "missing ca dir" %]
-[% END %]
-dir		= [% cadir %]
-certs		= $dir/certs		# Where the issued certs are kept
-crl_dir		= $dir/crl		# Where the issued crl are kept
-database	= $dir/index	# database index file.
-#unique_subject	= no			# Set to 'no' to allow creation of
-					# several ctificates with same subject.
-new_certs_dir	= $dir/newcerts		# default place for new certs.
-[% IF not cacrt %]
-[% THROW param "missing ca crt" %]
-[% END %]
-certificate	= [% cacrt %]           # The CA certificate
-serial		= $dir/serial 		# The current serial number
-crlnumber	= $dir/crlnumber	# the current crl number
-					# must be commented out to leave a V1 CRL
-crl		= $dir/crl.pem 		# The current CRL
-[% IF not cakey %]
-[% THROW param "missing ca key" %]
-[% END %]
-private_key	= [% cakey %]           # The private key
-RANDFILE	= $dir/.rand		# private random number file
-x509_extensions	= usr_cert		# The extentions to add to the cert
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
-name_opt 	= ca_default		# Subject Name options
-cert_opt 	= ca_default		# Certificate field options
-# Extension copying option: use with caution.
-# copy_extensions = copy
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions	= crl_ext
-[% DEFAULT days = 365 %]
-default_days	= [% days %]		# how long to certify for
-default_crl_days= 30			# how long before next CRL
-default_md	= sha1			# which md to use.
-preserve	= no			# keep passed DN ordering
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-[% DEFAULT policy = de %]
-policy		= [% policy %]
-# For the CA policy
-[ policy_de ]
-countryName		= match
-stateOrProvinceName	= supplied
-organizationName	= supplied
-organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName		= optional
-stateOrProvinceName	= optional
-localityName		= optional
-organizationName	= optional
-organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-####################################################################
-[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-[% IF type %]
-# This is OK for an SSL server.
-nsCertType			= [% type %]
-[% END %]
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-nsCaRevocationUrl		= https://ssl.schlittermann.de/ca/ca-crl.pem
-nsRevocationUrl			= https://ssl.schlittermann.de/ca/crt-crl.pem

changeset 4	04c4e7da49ff
parent 3	6657142678fa