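# OpenSSL configuration: custom OIDs and the `openssl ca` signing profiles.
#
# Each profile section below is selected with `openssl ca -name <section>`.
# All profiles share one certificate database (index.txt) and one serial
# file, both resolved relative to the directory openssl is run from, so they
# behave as a single CA with several issuance templates. The templates differ
# only in the x509_extensions section they apply.
#
# No new_certs_dir is set in any profile; presumably callers pass -outdir.
# TODO confirm against the scripts that invoke `openssl ca`.

oid_section = new_oids

[new_oids]
# Short name for the PKINIT KDC extended key usage OID, used by
# extendedKeyUsage in [pkinit_kdc_cert].
pkkdcekuoid = 1.3.6.1.5.2.3.5

[ca]
# Profile used when `openssl ca` is run without -name. This must name a
# section that exists in this file; there is no [user] section, so the value
# points at [usr], the end-entity profile that issues CA:FALSE certificates.
default_ca = usr

# General end-entity certificates (extensions from [usr_cert]).
[usr]
database = index.txt
serial = serial
x509_extensions = usr_cert
# Signature digest for issued certificates. SHA-1 is no longer
# collision-resistant and SHA-1-signed certificates are rejected by many
# current validators, so every profile in this file signs with SHA-256.
default_md = sha256
policy = policy_match
email_in_dn = no
certs = .

# OCSP responder certificates (extensions from [ocsp_cert]).
[ocsp]
database = index.txt
serial = serial
x509_extensions = ocsp_cert
default_md = sha256
policy = policy_match
email_in_dn = no
certs = .

# End-entity certificates limited to key encipherment (extensions from
# [usr_cert_ke]).
[usr_ke]
database = index.txt
serial = serial
x509_extensions = usr_cert_ke
default_md = sha256
policy = policy_match
email_in_dn = no
certs = .

# End-entity certificates limited to digital signature (extensions from
# [usr_cert_ds]).
[usr_ds]
database = index.txt
serial = serial
x509_extensions = usr_cert_ds
default_md = sha256
policy = policy_match
email_in_dn = no
certs = .

# PKINIT client certificates (extensions from [pkinit_client_cert]).
[pkinit_client]
database = index.txt
serial = serial
x509_extensions = pkinit_client_cert
default_md = sha256
policy = policy_match
email_in_dn = no
certs = .

# PKINIT KDC certificates (extensions from [pkinit_kdc_cert]).
[pkinit_kdc]
database = index.txt
serial = serial
x509_extensions = pkinit_kdc_cert
default_md = sha256
policy = policy_match
email_in_dn = no
certs = .

# HTTPS server certificates (extensions from [https_cert]).
[https]
database = index.txt
serial = serial
x509_extensions = https_cert
default_md = sha256
policy = policy_match
email_in_dn = no
certs = .

# Subordinate CA certificates. This profile applies [v3_ca] (CA:true), so
# every certificate issued through it can itself sign certificates. Restrict
# who may run `openssl ca -name subca`.
[subca]
database = index.txt
serial = serial
x509_extensions = v3_ca
default_md = sha256
policy = policy_match
email_in_dn = no
certs = .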


# Settings for `openssl req`.
[req]
distinguished_name = req_distinguished_name
# The extensions to add to the self-signed certificate.
x509_extensions = v3_ca

string_mask = utf8only

# CA certificate extensions: used for the self-signed root (via [req]) and by
# any CA profile whose x509_extensions points here.
# NOTE(review): basicConstraints is not marked critical and carries no
# pathlen. RFC 5280 requires CA certificates to mark it critical. Confirm
# whether consumers of these certificates depend on the current form.
# NOTE(review): a CA key normally needs only keyCertSign and cRLSign. The
# extra keyEncipherment, nonRepudiation and digitalSignature bits widen what
# the CA key may be used for. Confirm they are intentional.
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature

# General end-entity certificate: signing and key encipherment.
[usr_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash

# End-entity certificate without digitalSignature (key encipherment only).
[usr_cert_ke]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, keyEncipherment
subjectKeyIdentifier = hash

# Proxy certificate with pathlen:0 in proxyCertInfo. No CA profile in this
# file references this section; presumably it is selected with -extensions.
[proxy_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo

# ASN.1 building blocks for the PKINIT client subjectAltName. The three
# sections nest: princ_name -> principal_seq -> principals.
[pkinitc_principals]
princ1 = GeneralString:bar

[pkinitc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:pkinitc_principals

[pkinitc_princ_name]
realm = EXP:0,GeneralString:TEST.H5L.SE
principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq

# PKINIT client certificate. The otherName SAN (OID 1.3.6.1.5.2.2) carries
# the principal built in [pkinitc_princ_name]. The principal is fixed in this
# file, not taken from the request, so every certificate issued with this
# section names the same principal.
[pkinit_client_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name

# HTTPS server certificate. No extendedKeyUsage or subjectAltName is set.
# NOTE(review): the disabled line below uses "https-server", which is not
# the usual OpenSSL name for TLS server authentication (serverAuth). Decide
# whether to enable a server-auth EKU or drop the line.
[https_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage = https-server XXX
subjectKeyIdentifier = hash

# PKINIT KDC certificate. pkkdcekuoid is the short name declared in
# [new_oids]. The SAN principal comes from [pkinitkdc_princ_name].
[pkinit_kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = pkkdcekuoid
subjectKeyIdentifier = hash
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name

# ASN.1 building blocks for the KDC subjectAltName: realm TEST.H5L.SE with
# name components krbtgt and TEST.H5L.SE.
[pkinitkdc_princ_name]
realm = EXP:0,GeneralString:TEST.H5L.SE
principal_name = EXP:1,SEQUENCE:pkinitkdc_principal_seq

[pkinitkdc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:pkinitkdc_principals

[pkinitkdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:TEST.H5L.SE

# Same as [proxy_cert] but with pathlen:10 in proxyCertInfo.
[proxy10_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo

# End-entity certificate without keyEncipherment (digital signature only).
[usr_cert_ds]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature
subjectKeyIdentifier = hash

# OCSP responder certificate.
# NOTE(review): 1.3.6.1.5.5.7.48.1.5 (ocsp-nocheck) is defined as a
# certificate extension, not a key purpose. Listing it under extendedKeyUsage
# does not emit the no-check extension. Confirm this is the intended encoding.
[ocsp_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# ocsp-nocheck and kp-OCSPSigning
extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9
subjectKeyIdentifier = hash

# Prompts and limits used by `openssl req` when building the subject name.
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = SE
countryName_min = 2
countryName_max = 2

# NOTE(review): "organizationalName" does not look like a standard attribute
# name. The prompt text suggests organizationalUnitName was meant. Verify
# before relying on this field being requested.
organizationalName = Organizational Unit Name (eg, section)

commonName = Common Name (eg, YOUR name)
commonName_max = 64

# Disabled: challenge-password request attributes.
#[req_attributes]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20

# Subject policy applied by every CA profile: countryName must match the
# CA's own and commonName must be present in the request. Attributes not
# listed here are not copied into the issued certificate by `openssl ca`.
[policy_match]
countryName = match
commonName = supplied