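#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This file is read by the OpenSSL CONF parser (openssl ca / req / x509),
# not by a generic INI library: $ENV::NAME expands an environment variable,
# $name expands a key defined earlier in the same section, and a '#' after
# a value starts a comment.
#

RANDFILE = $ENV::HOME/.rnd
oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
# Keep $dir/private readable by the CA operator only.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
# Signature digest. MD5 is collision-broken and is rejected by current
# verifiers; SHA-256 is the accepted minimum for certificate signatures.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# RSA key size for newly generated keys. 1024-bit RSA is below the
# current minimum; 2048 is the smallest size still considered adequate.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40

# SET-ex3 = SET extension number 3

[ req_attributes ]
# The challenge password is stored in the request as a plain attribute;
# it is not a credential for the private key.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_ca ]

# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# RAW DER hex encoding of an extension: beware experts only!
# 1.2.3.5=RAW:02:03
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always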