1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME			= .
9RANDFILE		= $ENV::HOME/.rnd
10
11# Extra OBJECT IDENTIFIER info:
12#oid_file		= $ENV::HOME/.oid
13oid_section		= new_oids
14
15# To use this configuration file with the "-extfile" option of the
16# "openssl x509" utility, name here the section containing the
17# X.509v3 extensions to use:
18# extensions		=
19# (Alternatively, use a configuration file that has only
20# X.509v3 extensions in its main [= default] section.)
21
22[ new_oids ]
23
24# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
25# Add a simple OID like this:
26# testoid1=1.2.3.4
27# Or use config file substitution like this:
28# testoid2=${testoid1}.5.6
29
30# Policies used by the TSA examples.
31tsa_policy1 = 1.2.3.4.1
32tsa_policy2 = 1.2.3.4.5.6
33tsa_policy3 = 1.2.3.4.5.7
34
35####################################################################
36[ ca ]
37default_ca	= CA_default		# The default ca section
38
39####################################################################
40[ CA_default ]
41
42dir		= ./demoCA		# Where everything is kept
43certs		= $dir/certs		# Where the issued certs are kept
44crl_dir		= $dir/crl		# Where the issued crl are kept
45database	= $dir/index.txt	# database index file.
46#unique_subject	= no			# Set to 'no' to allow creation of
47					# several certs with same subject.
48new_certs_dir	= $dir/newcerts		# default place for new certs.
49
50certificate	= $dir/cacert.pem 	# The CA certificate
51serial		= $dir/serial 		# The current serial number
52crlnumber	= $dir/crlnumber	# the current crl number
53					# must be commented out to leave a V1 CRL
54crl		= $dir/crl.pem 		# The current CRL
55private_key	= $dir/private/cakey.pem# The private key
56RANDFILE	= $dir/private/.rand	# private random number file
57
58x509_extensions	= usr_cert		# The extensions to add to the cert
59
60# Comment out the following two lines for the "traditional"
61# (and highly broken) format.
62name_opt 	= ca_default		# Subject Name options
63cert_opt 	= ca_default		# Certificate field options
64
65# Extension copying option: use with caution.
66# copy_extensions = copy
67
68# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
69# so this is commented out by default to leave a V1 CRL.
70# crlnumber must also be commented out to leave a V1 CRL.
71# crl_extensions	= crl_ext
72
73default_days	= 365			# how long to certify for
74default_crl_days= 30			# how long before next CRL
75default_md	= default		# use public key default MD
76preserve	= no			# keep passed DN ordering
77
78# A few difference way of specifying how similar the request should look
79# For type CA, the listed attributes must be the same, and the optional
80# and supplied fields are just that :-)
81policy		= policy_match
82
83# For the CA policy
84[ policy_match ]
85countryName		= match
86stateOrProvinceName	= match
87organizationName	= match
88organizationalUnitName	= optional
89commonName		= supplied
90emailAddress		= optional
91
92# For the 'anything' policy
93# At this point in time, you must list all acceptable 'object'
94# types.
95[ policy_anything ]
96countryName		= optional
97stateOrProvinceName	= optional
98localityName		= optional
99organizationName	= optional
100organizationalUnitName	= optional
101commonName		= supplied
102emailAddress		= optional
103
104####################################################################
105[ req ]
106default_bits		= 2048
107default_keyfile 	= privkey.pem
108distinguished_name	= req_distinguished_name
109attributes		= req_attributes
110x509_extensions	= v3_ca	# The extensions to add to the self signed cert
111
112# Passwords for private keys if not present they will be prompted for
113# input_password = secret
114# output_password = secret
115
116# This sets a mask for permitted string types. There are several options.
117# default: PrintableString, T61String, BMPString.
118# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
119# utf8only: only UTF8Strings (PKIX recommendation after 2004).
120# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
121# MASK:XXXX a literal mask value.
122# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
123string_mask = utf8only
124
125# req_extensions = v3_req # The extensions to add to a certificate request
126
127[ req_distinguished_name ]
128countryName			= Country Name (2 letter code)
129countryName_default		= AU
130countryName_min			= 2
131countryName_max			= 2
132
133stateOrProvinceName		= State or Province Name (full name)
134stateOrProvinceName_default	= Some-State
135
136localityName			= Locality Name (eg, city)
137
1380.organizationName		= Organization Name (eg, company)
1390.organizationName_default	= Internet Widgits Pty Ltd
140
141# we can do this but it is not needed normally :-)
142#1.organizationName		= Second Organization Name (eg, company)
143#1.organizationName_default	= World Wide Web Pty Ltd
144
145organizationalUnitName		= Organizational Unit Name (eg, section)
146#organizationalUnitName_default	=
147
148commonName			= Common Name (e.g. server FQDN or YOUR name)
149commonName_max			= 64
150
151emailAddress			= Email Address
152emailAddress_max		= 64
153
154# SET-ex3			= SET extension number 3
155
156[ req_attributes ]
157challengePassword		= A challenge password
158challengePassword_min		= 4
159challengePassword_max		= 20
160
161unstructuredName		= An optional company name
162
163[ usr_cert ]
164
165# These extensions are added when 'ca' signs a request.
166
167# This goes against PKIX guidelines but some CAs do it and some software
168# requires this to avoid interpreting an end user certificate as a CA.
169
170basicConstraints=CA:FALSE
171
172# Here are some examples of the usage of nsCertType. If it is omitted
173# the certificate can be used for anything *except* object signing.
174
175# This is OK for an SSL server.
176# nsCertType			= server
177
178# For an object signing certificate this would be used.
179# nsCertType = objsign
180
181# For normal client use this is typical
182# nsCertType = client, email
183
184# and for everything including object signing:
185# nsCertType = client, email, objsign
186
187# This is typical in keyUsage for a client certificate.
188# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
189
190# This will be displayed in Netscape's comment listbox.
191nsComment			= "OpenSSL Generated Certificate"
192
193# PKIX recommendations harmless if included in all certificates.
194subjectKeyIdentifier=hash
195authorityKeyIdentifier=keyid,issuer
196
197# This stuff is for subjectAltName and issuerAltname.
198# Import the email address.
199# subjectAltName=email:copy
200# An alternative to produce certificates that aren't
201# deprecated according to PKIX.
202# subjectAltName=email:move
203
204# Copy subject details
205# issuerAltName=issuer:copy
206
207#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
208#nsBaseUrl
209#nsRevocationUrl
210#nsRenewalUrl
211#nsCaPolicyUrl
212#nsSslServerName
213
214# This is required for TSA certificates.
215# extendedKeyUsage = critical,timeStamping
216
217[ v3_req ]
218
219# Extensions to add to a certificate request
220
221basicConstraints = CA:FALSE
222keyUsage = nonRepudiation, digitalSignature, keyEncipherment
223
224[ v3_ca ]
225
226
227# Extensions for a typical CA
228
229
230# PKIX recommendation.
231
232subjectKeyIdentifier=hash
233
234authorityKeyIdentifier=keyid:always,issuer
235
236basicConstraints = critical,CA:true
237
238# Key usage: this is typical for a CA certificate. However since it will
239# prevent it being used as an test self-signed certificate it is best
240# left out by default.
241# keyUsage = cRLSign, keyCertSign
242
243# Some might want this also
244# nsCertType = sslCA, emailCA
245
246# Include email address in subject alt name: another PKIX recommendation
247# subjectAltName=email:copy
248# Copy issuer details
249# issuerAltName=issuer:copy
250
251# DER hex encoding of an extension: beware experts only!
252# obj=DER:02:03
253# Where 'obj' is a standard or added object
254# You can even override a supported extension:
255# basicConstraints= critical, DER:30:03:01:01:FF
256
257[ crl_ext ]
258
259# CRL extensions.
260# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
261
262# issuerAltName=issuer:copy
263authorityKeyIdentifier=keyid:always
264
265[ proxy_cert_ext ]
266# These extensions should be added when creating a proxy certificate
267
268# This goes against PKIX guidelines but some CAs do it and some software
269# requires this to avoid interpreting an end user certificate as a CA.
270
271basicConstraints=CA:FALSE
272
273# Here are some examples of the usage of nsCertType. If it is omitted
274# the certificate can be used for anything *except* object signing.
275
276# This is OK for an SSL server.
277# nsCertType			= server
278
279# For an object signing certificate this would be used.
280# nsCertType = objsign
281
282# For normal client use this is typical
283# nsCertType = client, email
284
285# and for everything including object signing:
286# nsCertType = client, email, objsign
287
288# This is typical in keyUsage for a client certificate.
289# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
290
291# This will be displayed in Netscape's comment listbox.
292nsComment			= "OpenSSL Generated Certificate"
293
294# PKIX recommendations harmless if included in all certificates.
295subjectKeyIdentifier=hash
296authorityKeyIdentifier=keyid,issuer
297
298# This stuff is for subjectAltName and issuerAltname.
299# Import the email address.
300# subjectAltName=email:copy
301# An alternative to produce certificates that aren't
302# deprecated according to PKIX.
303# subjectAltName=email:move
304
305# Copy subject details
306# issuerAltName=issuer:copy
307
308#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
309#nsBaseUrl
310#nsRevocationUrl
311#nsRenewalUrl
312#nsCaPolicyUrl
313#nsSslServerName
314
315# This really needs to be in place for it to be a proxy certificate.
316proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
317
318####################################################################
319[ tsa ]
320
321default_tsa = tsa_config1	# the default TSA section
322
323[ tsa_config1 ]
324
325# These are used by the TSA reply generation only.
326dir		= ./demoCA		# TSA root directory
327serial		= $dir/tsaserial	# The current serial number (mandatory)
328crypto_device	= builtin		# OpenSSL engine to use for signing
329signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
330					# (optional)
331certs		= $dir/cacert.pem	# Certificate chain to include in reply
332					# (optional)
333signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
334signer_digest  = sha256			# Signing digest to use. (Optional)
335default_policy	= tsa_policy1		# Policy if request did not specify it
336					# (optional)
337other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
338digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
339accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
340clock_precision_digits  = 0	# number of digits after dot. (optional)
341ordering		= yes	# Is ordering defined for timestamps?
342				# (optional, default: no)
343tsa_name		= yes	# Must the TSA name be included in the reply?
344				# (optional, default: no)
345ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
346				# (optional, default: no)
347
348#[ v3_root ]
349#basicConstraints = critical, CA:true
350#extendedKeyUsage = critical, OCSPSigning, timeStamping
351#keyUsage = critical, keyCertSign, cRLSign
352
353[ v3_intermediate ]
354basicConstraints = critical, CA:true
355extendedKeyUsage = OCSPSigning, timeStamping, serverAuth
356keyUsage = critical, keyCertSign, cRLSign
357