# OpenSSL configuration (openssl.cnf dialect) for a test CA and TSA, read
# by the openssl ca/req/ts commands.  Parser conventions used here:
# "$name" expands a value defined earlier, "$ENV::name" reads an
# environment variable, and "#" starts a comment anywhere on a line.

# Global (unsectioned) settings.
# HOME doubles as the fallback for $ENV::HOME below when the environment
# variable is unset (OpenSSL falls back to the default section).
HOME                    = .
# PRNG seed file, placed in the user's home directory.
RANDFILE                = $ENV::HOME/.rnd

# Section that registers the extra OIDs used by the TSA policies below.
oid_section             = new_oids
5*92cfeba6Schristos
[ new_oids ]
# Extra OIDs, registered by name so they can be referenced elsewhere in
# this file (the policies in [ tsa_config1 ]).
# NOTE(review): 1.2.3.4.* look like placeholder arcs rather than assigned
# OIDs; acceptable for a test fixture, not for a deployed TSA.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
10*92cfeba6Schristos
[ ca ]
# Entry point for "openssl ca": names the section holding the CA settings.
default_ca      = CA_default            # The default ca section
13*92cfeba6Schristos
[ CA_default ]

# Working directory of the test CA; every path in this section hangs off
# it via $dir.  NOTE(review): [ tsa_config1 ] below uses ./demoCA instead —
# confirm the test harness populates both trees.
dir             = ./cruft		# Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/certs         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
# "#" opens a comment even without a preceding space, so the value is
# still $dir/private/cakey.pem.  This file must stay readable by the CA
# process only.
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
# Validity of issued certificates, in days.
default_days    = 365                   # how long to certify for
# Days until the next CRL is due.
default_crl_days= 30                    # how long before next CRL
# "default" lets OpenSSL choose the digest from the signing key's defaults.
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering
# Which DN fields must match the CA certificate; see [ policy_match ].
policy          = policy_match
35*92cfeba6Schristos
[ policy_match ]
# Policy selected by CA_default.  "match": the field must equal the CA
# certificate's; "supplied": must be present in the request; "optional":
# may be absent.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
43*92cfeba6Schristos
[ policy_anything ]
# Permissive alternative: only commonName is required.  Not referenced by
# CA_default in this file; selectable with "openssl ca -policy".
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
52*92cfeba6Schristos
[ req ]
# Key size for "openssl req -newkey".  @KEY_BITS@ is presumably substituted
# by the build/test harness before the file is used — confirm; a literal
# "@KEY_BITS@" is not a valid number.
default_bits            = @KEY_BITS@
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
# Extensions for self-signed certificates produced with "req -x509".
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Encode DN strings as UTF8String only (no PrintableString/T61/BMP).
string_mask = utf8only
61*92cfeba6Schristos
[ req_distinguished_name ]
# NOTE(review): basicConstraints is an X.509v3 extension keyword, not a DN
# attribute, so this section does not describe a subject name.  It only
# works as intended if the subject is supplied another way (e.g.
# "req -subj") — confirm against the test invocation.
basicConstraints=CA:FALSE
64*92cfeba6Schristos
[ req_attributes ]
# Prompt text and length limits (4-20 characters) for the
# challengePassword request attribute.
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

# Prompt text for the unstructuredName request attribute.
unstructuredName                = An optional company name
71*92cfeba6Schristos
[ usr_cert ]

# End-entity extensions applied by CA_default (x509_extensions = usr_cert).
basicConstraints=CA:FALSE
# The surrounding double quotes are stripped by the OpenSSL config parser.
nsComment                       = "OpenSSL Generated Certificate"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
79*92cfeba6Schristos
[ v3_req ]

# Request extensions; not referenced from [ req ] in this file, so they
# only apply when selected explicitly (e.g. "req -extensions v3_req").
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Loopback names only (test use); "IP:::1" is the IPv6 loopback ::1.
subjectAltName = DNS:localhost,IP:127.0.0.1,IP:::1
85*92cfeba6Schristos
[ v3_ca ]
# Extensions for the self-signed CA certificate ([ req ] x509_extensions).
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# NOTE(review): RFC 5280 requires basicConstraints to be critical in CA
# certificates and a keyUsage covering keyCertSign/cRLSign.  For anything
# beyond a test fixture use "basicConstraints = critical,CA:true" and add
# "keyUsage = critical, keyCertSign, cRLSign".
basicConstraints = CA:true
90*92cfeba6Schristos
[ crl_ext ]

# CRL extensions.  "keyid:always" needs the CA certificate to carry a
# subjectKeyIdentifier, which [ v3_ca ] provides.
authorityKeyIdentifier=keyid:always
94*92cfeba6Schristos
[ proxy_cert_ext ]
# Extensions for RFC 3820 proxy certificates.
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# NOTE(review): OpenSSL normally expects the proxyCertInfo policy value with
# a "text:", "hex:" or "file:" prefix; a bare "foo" may be rejected —
# confirm this section is actually exercised by the tests.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
102*92cfeba6Schristos
[ tsa ]

# Entry point for "openssl ts": names the section holding the TSA settings.
default_tsa = tsa_config1       # the default TSA section
106*92cfeba6Schristos
[ tsa_config1 ]

# NOTE(review): this tree differs from the CA's ./cruft above; the TSA
# certificate, key and chain must be staged here separately.
dir             = ./demoCA              # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
# "builtin" signs with OpenSSL's own implementation, no external engine.
crypto_device   = builtin               # OpenSSL engine to use for signing
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
                                        # (optional)
certs           = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
# Keep this file readable by the TSA process only.
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)

# Policy OIDs are the names registered in [ new_oids ].
default_policy  = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
# NOTE(review): MD5 and SHA-1 are deprecated for signature use (practical
# collision attacks exist).  A deployed TSA should accept SHA-2 only, e.g.
# "digests = sha256, sha384, sha512"; keep this list only while the tests
# rely on it.
digests         = md5, sha1             # Acceptable message digests (mandatory)
# Declared accuracy of the timestamp, summed over the three units.
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0     # number of digits after dot. (optional)
ordering                = yes   # Is ordering defined for timestamps?
                                # (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)