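#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Review notes:
#  - This file is read by OpenSSL's own config parser ('openssl ca', 'req',
#    'x509', 'ts'), which accepts '#' comments anywhere on a line and
#    '$var' / '$ENV::VAR' substitution. It is not a generic INI file.
#  - The values below are the upstream demo defaults. Lines marked
#    "CAUTION" are the ones to revisit before using this for a real CA
#    or TSA.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
# Legacy seed-file setting. Recent OpenSSL releases seed the DRBG from the
# OS and no longer depend on this file; it is harmless to keep but must not
# be relied on as an entropy source.
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
# CAUTION: the 1.2.3.4.* arcs are placeholders for the demo; a production
# TSA must advertise policy OIDs assigned to your organisation.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# unique_subject defaults to 'yes': re-issuing a certificate for a subject
# that already has a valid entry in the database is refused until the old
# one is revoked. Set to 'no' to allow several certs with the same subject.
#unique_subject = no
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# (crlnumber must be commented out to leave a V1 CRL)
crl = $dir/crl.pem # The current CRL
# CAUTION: the CA private key. Keep $dir/private readable by the CA
# operator only; for anything beyond a demo CA prefer a key held in an
# HSM / token reachable through an engine or provider.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# CAUTION: with 'copy', any extension present in the request that this
# file does not already set (typically subjectAltName) is copied into the
# issued certificate unchanged, so the names a requester asks for must be
# validated out of band before signing. 'copyall' is worse: request
# extensions override the ones set here, so a request carrying
# basicConstraints CA:TRUE would yield a CA certificate. Leave unset
# unless request contents are trusted or reviewed.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# 'default' lets the signing key's algorithm choose the digest. On current
# OpenSSL that resolves to SHA-256 for RSA and ECDSA keys, and it is the
# only setting that works for keys such as Ed25519 that take no separate
# digest. Older (1.0.x) releases resolved it to SHA-1; if such a build
# may sign with this file, pin 'sha256' here instead.
default_md = default # use public key default MD
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# RSA 2048 is the floor for new keys; use 3072/4096 or an EC key
# (-newkey ec -pkeyopt ec_paramgen_curve:P-256) for CA keys and for
# certificates with long lifetimes.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# NOTE: 'openssl req -x509' with this setting produces a self-signed *CA*
# certificate (basicConstraints CA:true from v3_ca), not a plain
# end-entity certificate.
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# CAUTION: setting them here stores the passphrase in clear text next to
# the key it protects. Prefer the interactive prompt, or -passin/-passout
# pointing at a file or environment variable with restricted permissions.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# NOTE: current TLS clients ignore the commonName for host matching and
# require a subjectAltName. For server certificates enable this and set
# subjectAltName in v3_req (or let the CA set it from a vetted list).
# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

# For a server certificate the FQDN must additionally appear in
# subjectAltName; the commonName alone is no longer sufficient.
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
# The challenge password travels in clear text inside the CSR and is only
# checked by enrolment protocols that use it (e.g. SCEP). It does not
# authenticate the requester to 'openssl ca'.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# CAUTION: with neither keyUsage nor extendedKeyUsage set, the issued
# certificate is acceptable for any purpose. Set both for production
# leaf certificates, e.g. keyUsage below plus
# extendedKeyUsage = serverAuth (or clientAuth / emailProtection).
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Server certificates need the host names here (see note on req_extensions):
# subjectAltName = DNS:www.example.com, DNS:example.com

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# CAUTION: for a real CA, enable it (critical). Without keyUsage the CA
# key is also acceptable for TLS and other signatures, which widens what
# a compromise or misuse of that key can be turned into.
# keyUsage = critical, cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# CAUTION: 'id-ppl-anyLanguage' delegates the full rights of the issuing
# end-entity certificate, 'pathlen:3' allows three further levels of
# delegation, and 'policy:foo' is a placeholder. Narrow all three for
# anything other than the demo.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
# 'builtin' means no engine. Engines are deprecated in OpenSSL 3; use a
# provider for hardware-backed TSA keys there.
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# Acceptable message-imprint digests (mandatory). SHA-1 is deliberately
# not listed: a time-stamp over a SHA-1 imprint also vouches for any
# colliding document, so a SHA-1 timestamp proves nothing about which
# document existed at that time. Add 'sha1' back only for legacy clients
# that cannot be upgraded, and record that exception.
digests = sha256, sha384, sha512
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps? (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply? (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included? (optional, default: no)

#[ v3_root ]
#basicConstraints = critical, CA:true
#extendedKeyUsage = critical, OCSPSigning, timeStamping
#keyUsage = critical, keyCertSign, cRLSign

[ v3_intermediate ]
# RFC 5280 requires subjectKeyIdentifier in CA certificates; AKI lets
# verifiers find the parent.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
# CAUTION: an intermediate carrying id-kp-OCSPSigning is, under the
# delegated-responder rules of RFC 6960, an authorised OCSP responder for
# *every* certificate issued by its parent CA -- including sibling
# intermediates -- so this key could sign revocation status for
# certificates it did not issue. Keep OCSPSigning here only if that
# delegation is intended (and then also grant digitalSignature below).
# Several verifiers also treat EKU on a CA certificate as a constraint
# on the EKUs of the leaf certificates it may issue, so keep this list
# to what the CA is actually meant to issue.
extendedKeyUsage = OCSPSigning, timeStamping, serverAuth
keyUsage = critical, keyCertSign, cRLSign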