1# 2# OpenSSL example configuration file. 3# This is mostly being used for generation of certificate requests. 4# 5 6# This definition stops the following lines choking if HOME isn't 7# defined. 8HOME = . 9 10# Extra OBJECT IDENTIFIER info: 11#oid_file = $ENV::HOME/.oid 12oid_section = new_oids 13 14# To use this configuration file with the "-extfile" option of the 15# "openssl x509" utility, name here the section containing the 16# X.509v3 extensions to use: 17# extensions = 18# (Alternatively, use a configuration file that has only 19# X.509v3 extensions in its main [= default] section.) 20 21[ new_oids ] 22 23# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 24# Add a simple OID like this: 25# testoid1=1.2.3.4 26# Or use config file substitution like this: 27# testoid2=${testoid1}.5.6 28 29# Policies used by the TSA examples. 30tsa_policy1 = 1.2.3.4.1 31tsa_policy2 = 1.2.3.4.5.6 32tsa_policy3 = 1.2.3.4.5.7 33 34#################################################################### 35[ ca ] 36default_ca = CA_default # The default ca section 37 38#################################################################### 39[ CA_default ] 40 41dir = ./demoCA # Where everything is kept 42certs = $dir/certs # Where the issued certs are kept 43crl_dir = $dir/crl # Where the issued crl are kept 44database = $dir/index.txt # database index file. 45#unique_subject = no # Set to 'no' to allow creation of 46 # several ctificates with same subject. 47new_certs_dir = $dir/newcerts # default place for new certs. 48 49certificate = $dir/cacert.pem # The CA certificate 50serial = $dir/serial # The current serial number 51crlnumber = $dir/crlnumber # the current crl number 52 # must be commented out to leave a V1 CRL 53crl = $dir/crl.pem # The current CRL 54private_key = $dir/private/cakey.pem# The private key 55 56x509_extensions = usr_cert # The extentions to add to the cert 57 58# Comment out the following two lines for the "traditional" 59# (and highly broken) format. 60name_opt = ca_default # Subject Name options 61cert_opt = ca_default # Certificate field options 62 63# Extension copying option: use with caution. 64# copy_extensions = copy 65 66# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 67# so this is commented out by default to leave a V1 CRL. 68# crlnumber must also be commented out to leave a V1 CRL. 69# crl_extensions = crl_ext 70 71default_days = 365 # how long to certify for 72default_crl_days= 30 # how long before next CRL 73default_md = default # use public key default MD 74preserve = no # keep passed DN ordering 75 76# A few difference way of specifying how similar the request should look 77# For type CA, the listed attributes must be the same, and the optional 78# and supplied fields are just that :-) 79policy = policy_match 80 81# For the CA policy 82[ policy_match ] 83countryName = match 84stateOrProvinceName = match 85organizationName = match 86organizationalUnitName = optional 87commonName = supplied 88emailAddress = optional 89 90# For the 'anything' policy 91# At this point in time, you must list all acceptable 'object' 92# types. 93[ policy_anything ] 94countryName = optional 95stateOrProvinceName = optional 96localityName = optional 97organizationName = optional 98organizationalUnitName = optional 99commonName = supplied 100emailAddress = optional 101 102#################################################################### 103[ req ] 104default_bits = 1024 105default_keyfile = privkey.pem 106distinguished_name = req_distinguished_name 107attributes = req_attributes 108x509_extensions = v3_ca # The extentions to add to the self signed cert 109 110# Passwords for private keys if not present they will be prompted for 111# input_password = secret 112# output_password = secret 113 114# This sets a mask for permitted string types. There are several options. 115# default: PrintableString, T61String, BMPString. 116# pkix : PrintableString, BMPString (PKIX recommendation before 2004) 117# utf8only: only UTF8Strings (PKIX recommendation after 2004). 118# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 119# MASK:XXXX a literal mask value. 120# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 121string_mask = utf8only 122 123# req_extensions = v3_req # The extensions to add to a certificate request 124 125[ req_distinguished_name ] 126countryName = Country Name (2 letter code) 127countryName_default = AU 128countryName_min = 2 129countryName_max = 2 130 131stateOrProvinceName = State or Province Name (full name) 132stateOrProvinceName_default = Some-State 133 134localityName = Locality Name (eg, city) 135 1360.organizationName = Organization Name (eg, company) 1370.organizationName_default = Internet Widgits Pty Ltd 138 139# we can do this but it is not needed normally :-) 140#1.organizationName = Second Organization Name (eg, company) 141#1.organizationName_default = World Wide Web Pty Ltd 142 143organizationalUnitName = Organizational Unit Name (eg, section) 144#organizationalUnitName_default = 145 146commonName = Common Name (e.g. server FQDN or YOUR name) 147commonName_max = 64 148 149emailAddress = Email Address 150emailAddress_max = 64 151 152# SET-ex3 = SET extension number 3 153 154[ req_attributes ] 155challengePassword = A challenge password 156challengePassword_min = 4 157challengePassword_max = 20 158 159unstructuredName = An optional company name 160 161[ usr_cert ] 162 163# These extensions are added when 'ca' signs a request. 164 165# This goes against PKIX guidelines but some CAs do it and some software 166# requires this to avoid interpreting an end user certificate as a CA. 167 168basicConstraints=CA:FALSE 169 170# Here are some examples of the usage of nsCertType. If it is omitted 171# the certificate can be used for anything *except* object signing. 172 173# This is OK for an SSL server. 174# nsCertType = server 175 176# For an object signing certificate this would be used. 177# nsCertType = objsign 178 179# For normal client use this is typical 180# nsCertType = client, email 181 182# and for everything including object signing: 183# nsCertType = client, email, objsign 184 185# This is typical in keyUsage for a client certificate. 186# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 187 188# This will be displayed in Netscape's comment listbox. 189nsComment = "OpenSSL Generated Certificate" 190 191# PKIX recommendations harmless if included in all certificates. 192subjectKeyIdentifier=hash 193authorityKeyIdentifier=keyid,issuer 194 195# This stuff is for subjectAltName and issuerAltname. 196# Import the email address. 197# subjectAltName=email:copy 198# An alternative to produce certificates that aren't 199# deprecated according to PKIX. 200# subjectAltName=email:move 201 202# Copy subject details 203# issuerAltName=issuer:copy 204 205#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 206#nsBaseUrl 207#nsRevocationUrl 208#nsRenewalUrl 209#nsCaPolicyUrl 210#nsSslServerName 211 212# This is required for TSA certificates. 213# extendedKeyUsage = critical,timeStamping 214 215[ v3_req ] 216 217# Extensions to add to a certificate request 218 219basicConstraints = CA:FALSE 220keyUsage = nonRepudiation, digitalSignature, keyEncipherment 221 222[ v3_ca ] 223 224 225# Extensions for a typical CA 226 227 228# PKIX recommendation. 229 230subjectKeyIdentifier=hash 231 232authorityKeyIdentifier=keyid:always,issuer 233 234# This is what PKIX recommends but some broken software chokes on critical 235# extensions. 236#basicConstraints = critical,CA:true 237# So we do this instead. 238basicConstraints = CA:true 239 240# Key usage: this is typical for a CA certificate. However since it will 241# prevent it being used as an test self-signed certificate it is best 242# left out by default. 243# keyUsage = cRLSign, keyCertSign 244 245# Some might want this also 246# nsCertType = sslCA, emailCA 247 248# Include email address in subject alt name: another PKIX recommendation 249# subjectAltName=email:copy 250# Copy issuer details 251# issuerAltName=issuer:copy 252 253# DER hex encoding of an extension: beware experts only! 254# obj=DER:02:03 255# Where 'obj' is a standard or added object 256# You can even override a supported extension: 257# basicConstraints= critical, DER:30:03:01:01:FF 258 259[ crl_ext ] 260 261# CRL extensions. 262# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 263 264# issuerAltName=issuer:copy 265authorityKeyIdentifier=keyid:always 266 267[ proxy_cert_ext ] 268# These extensions should be added when creating a proxy certificate 269 270# This goes against PKIX guidelines but some CAs do it and some software 271# requires this to avoid interpreting an end user certificate as a CA. 272 273basicConstraints=CA:FALSE 274 275# Here are some examples of the usage of nsCertType. If it is omitted 276# the certificate can be used for anything *except* object signing. 277 278# This is OK for an SSL server. 279# nsCertType = server 280 281# For an object signing certificate this would be used. 282# nsCertType = objsign 283 284# For normal client use this is typical 285# nsCertType = client, email 286 287# and for everything including object signing: 288# nsCertType = client, email, objsign 289 290# This is typical in keyUsage for a client certificate. 291# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 292 293# This will be displayed in Netscape's comment listbox. 294nsComment = "OpenSSL Generated Certificate" 295 296# PKIX recommendations harmless if included in all certificates. 297subjectKeyIdentifier=hash 298authorityKeyIdentifier=keyid,issuer 299 300# This stuff is for subjectAltName and issuerAltname. 301# Import the email address. 302# subjectAltName=email:copy 303# An alternative to produce certificates that aren't 304# deprecated according to PKIX. 305# subjectAltName=email:move 306 307# Copy subject details 308# issuerAltName=issuer:copy 309 310#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 311#nsBaseUrl 312#nsRevocationUrl 313#nsRenewalUrl 314#nsCaPolicyUrl 315#nsSslServerName 316 317# This really needs to be in place for it to be a proxy certificate. 318proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 319 320#################################################################### 321[ tsa ] 322 323default_tsa = tsa_config1 # the default TSA section 324 325[ tsa_config1 ] 326 327# These are used by the TSA reply generation only. 328dir = ./demoCA # TSA root directory 329serial = $dir/tsaserial # The current serial number (mandatory) 330crypto_device = builtin # OpenSSL engine to use for signing 331signer_cert = $dir/tsacert.pem # The TSA signing certificate 332 # (optional) 333certs = $dir/cacert.pem # Certificate chain to include in reply 334 # (optional) 335signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 336 337default_policy = tsa_policy1 # Policy if request did not specify it 338 # (optional) 339other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 340digests = md5, sha1 # Acceptable message digests (mandatory) 341accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 342clock_precision_digits = 0 # number of digits after dot. (optional) 343ordering = yes # Is ordering defined for timestamps? 344 # (optional, default: no) 345tsa_name = yes # Must the TSA name be included in the reply? 346 # (optional, default: no) 347ess_cert_id_chain = no # Must the ESS cert id chain be included? 348 # (optional, default: no) 349