1# 2# OpenSSL example configuration file. 3# This is mostly being used for generation of certificate requests. 4# 5 6# This definition stops the following lines choking if HOME isn't 7# defined. 8HOME = . 9RANDFILE = $ENV::HOME/.rnd 10 11# Extra OBJECT IDENTIFIER info: 12#oid_file = $ENV::HOME/.oid 13oid_section = new_oids 14 15# To use this configuration file with the "-extfile" option of the 16# "openssl x509" utility, name here the section containing the 17# X.509v3 extensions to use: 18# extensions = 19# (Alternatively, use a configuration file that has only 20# X.509v3 extensions in its main [= default] section.) 21 22[ new_oids ] 23 24# We can add new OIDs in here for use by 'ca' and 'req'. 25# Add a simple OID like this: 26# testoid1=1.2.3.4 27# Or use config file substitution like this: 28# testoid2=${testoid1}.5.6 29 30#################################################################### 31[ ca ] 32default_ca = CA_default # The default ca section 33 34#################################################################### 35[ CA_default ] 36 37dir = ./demoCA # Where everything is kept 38certs = $dir/certs # Where the issued certs are kept 39crl_dir = $dir/crl # Where the issued crl are kept 40database = $dir/index.txt # database index file. 41#unique_subject = no # Set to 'no' to allow creation of 42 # several ctificates with same subject. 43new_certs_dir = $dir/newcerts # default place for new certs. 44 45certificate = $dir/cacert.pem # The CA certificate 46serial = $dir/serial # The current serial number 47crlnumber = $dir/crlnumber # the current crl number 48 # must be commented out to leave a V1 CRL 49crl = $dir/crl.pem # The current CRL 50private_key = $dir/private/cakey.pem# The private key 51RANDFILE = $dir/private/.rand # private random number file 52 53x509_extensions = usr_cert # The extentions to add to the cert 54 55# Comment out the following two lines for the "traditional" 56# (and highly broken) format. 57name_opt = ca_default # Subject Name options 58cert_opt = ca_default # Certificate field options 59 60# Extension copying option: use with caution. 61# copy_extensions = copy 62 63# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 64# so this is commented out by default to leave a V1 CRL. 65# crlnumber must also be commented out to leave a V1 CRL. 66# crl_extensions = crl_ext 67 68default_days = 365 # how long to certify for 69default_crl_days= 30 # how long before next CRL 70default_md = sha1 # which md to use. 71preserve = no # keep passed DN ordering 72 73# A few difference way of specifying how similar the request should look 74# For type CA, the listed attributes must be the same, and the optional 75# and supplied fields are just that :-) 76policy = policy_match 77 78# For the CA policy 79[ policy_match ] 80countryName = match 81stateOrProvinceName = match 82organizationName = match 83organizationalUnitName = optional 84commonName = supplied 85emailAddress = optional 86 87# For the 'anything' policy 88# At this point in time, you must list all acceptable 'object' 89# types. 90[ policy_anything ] 91countryName = optional 92stateOrProvinceName = optional 93localityName = optional 94organizationName = optional 95organizationalUnitName = optional 96commonName = supplied 97emailAddress = optional 98 99#################################################################### 100[ req ] 101default_bits = 1024 102default_keyfile = privkey.pem 103distinguished_name = req_distinguished_name 104attributes = req_attributes 105x509_extensions = v3_ca # The extentions to add to the self signed cert 106 107# Passwords for private keys if not present they will be prompted for 108# input_password = secret 109# output_password = secret 110 111# This sets a mask for permitted string types. There are several options. 112# default: PrintableString, T61String, BMPString. 113# pkix : PrintableString, BMPString. 114# utf8only: only UTF8Strings. 115# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 116# MASK:XXXX a literal mask value. 117# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 118# so use this option with caution! 119string_mask = nombstr 120 121# req_extensions = v3_req # The extensions to add to a certificate request 122 123[ req_distinguished_name ] 124countryName = Country Name (2 letter code) 125countryName_default = AU 126countryName_min = 2 127countryName_max = 2 128 129stateOrProvinceName = State or Province Name (full name) 130stateOrProvinceName_default = Some-State 131 132localityName = Locality Name (eg, city) 133 1340.organizationName = Organization Name (eg, company) 1350.organizationName_default = Internet Widgits Pty Ltd 136 137# we can do this but it is not needed normally :-) 138#1.organizationName = Second Organization Name (eg, company) 139#1.organizationName_default = World Wide Web Pty Ltd 140 141organizationalUnitName = Organizational Unit Name (eg, section) 142#organizationalUnitName_default = 143 144commonName = Common Name (eg, YOUR name) 145commonName_max = 64 146 147emailAddress = Email Address 148emailAddress_max = 64 149 150# SET-ex3 = SET extension number 3 151 152[ req_attributes ] 153challengePassword = A challenge password 154challengePassword_min = 4 155challengePassword_max = 20 156 157unstructuredName = An optional company name 158 159[ usr_cert ] 160 161# These extensions are added when 'ca' signs a request. 162 163# This goes against PKIX guidelines but some CAs do it and some software 164# requires this to avoid interpreting an end user certificate as a CA. 165 166basicConstraints=CA:FALSE 167 168# Here are some examples of the usage of nsCertType. If it is omitted 169# the certificate can be used for anything *except* object signing. 170 171# This is OK for an SSL server. 172# nsCertType = server 173 174# For an object signing certificate this would be used. 175# nsCertType = objsign 176 177# For normal client use this is typical 178# nsCertType = client, email 179 180# and for everything including object signing: 181# nsCertType = client, email, objsign 182 183# This is typical in keyUsage for a client certificate. 184# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 185 186# This will be displayed in Netscape's comment listbox. 187nsComment = "OpenSSL Generated Certificate" 188 189# PKIX recommendations harmless if included in all certificates. 190subjectKeyIdentifier=hash 191authorityKeyIdentifier=keyid,issuer 192 193# This stuff is for subjectAltName and issuerAltname. 194# Import the email address. 195# subjectAltName=email:copy 196# An alternative to produce certificates that aren't 197# deprecated according to PKIX. 198# subjectAltName=email:move 199 200# Copy subject details 201# issuerAltName=issuer:copy 202 203#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 204#nsBaseUrl 205#nsRevocationUrl 206#nsRenewalUrl 207#nsCaPolicyUrl 208#nsSslServerName 209 210[ v3_req ] 211 212# Extensions to add to a certificate request 213 214basicConstraints = CA:FALSE 215keyUsage = nonRepudiation, digitalSignature, keyEncipherment 216 217[ v3_ca ] 218 219 220# Extensions for a typical CA 221 222 223# PKIX recommendation. 224 225subjectKeyIdentifier=hash 226 227authorityKeyIdentifier=keyid:always,issuer:always 228 229# This is what PKIX recommends but some broken software chokes on critical 230# extensions. 231#basicConstraints = critical,CA:true 232# So we do this instead. 233basicConstraints = CA:true 234 235# Key usage: this is typical for a CA certificate. However since it will 236# prevent it being used as an test self-signed certificate it is best 237# left out by default. 238# keyUsage = cRLSign, keyCertSign 239 240# Some might want this also 241# nsCertType = sslCA, emailCA 242 243# Include email address in subject alt name: another PKIX recommendation 244# subjectAltName=email:copy 245# Copy issuer details 246# issuerAltName=issuer:copy 247 248# DER hex encoding of an extension: beware experts only! 249# obj=DER:02:03 250# Where 'obj' is a standard or added object 251# You can even override a supported extension: 252# basicConstraints= critical, DER:30:03:01:01:FF 253 254[ crl_ext ] 255 256# CRL extensions. 257# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 258 259# issuerAltName=issuer:copy 260authorityKeyIdentifier=keyid:always,issuer:always 261 262[ proxy_cert_ext ] 263# These extensions should be added when creating a proxy certificate 264 265# This goes against PKIX guidelines but some CAs do it and some software 266# requires this to avoid interpreting an end user certificate as a CA. 267 268basicConstraints=CA:FALSE 269 270# Here are some examples of the usage of nsCertType. If it is omitted 271# the certificate can be used for anything *except* object signing. 272 273# This is OK for an SSL server. 274# nsCertType = server 275 276# For an object signing certificate this would be used. 277# nsCertType = objsign 278 279# For normal client use this is typical 280# nsCertType = client, email 281 282# and for everything including object signing: 283# nsCertType = client, email, objsign 284 285# This is typical in keyUsage for a client certificate. 286# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 287 288# This will be displayed in Netscape's comment listbox. 289nsComment = "OpenSSL Generated Certificate" 290 291# PKIX recommendations harmless if included in all certificates. 292subjectKeyIdentifier=hash 293authorityKeyIdentifier=keyid,issuer:always 294 295# This stuff is for subjectAltName and issuerAltname. 296# Import the email address. 297# subjectAltName=email:copy 298# An alternative to produce certificates that aren't 299# deprecated according to PKIX. 300# subjectAltName=email:move 301 302# Copy subject details 303# issuerAltName=issuer:copy 304 305#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 306#nsBaseUrl 307#nsRevocationUrl 308#nsRenewalUrl 309#nsCaPolicyUrl 310#nsSslServerName 311 312# This really needs to be in place for it to be a proxy certificate. 313proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 314