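#
# Based on the OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by openssl(1); its config parser accepts the trailing "# ..." comments
# used throughout this file (a generic INI parser would not).
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# CRL distribution point advertised in issued certificates and CRLs
# (referenced below as $CRLDISTPT). Plain http is the usual transport
# for CRLs since the CRL is itself signed by the CA.
#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl

# Extra OBJECT IDENTIFIER info:
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# Ordinarily, certificates must have this oid as an enhanced key usage in
# order for Windows to allow them to be used as a login credential
scardLogin = 1.3.6.1.4.1.311.20.2.2
# Used in a smart card login certificate's subject alternative name
msUPN = 1.3.6.1.4.1.311.20.2.3
# Ordinarily, certificates must have this oid as an enhanced key usage in
# order for Windows to allow them to be used to identify a domain controller
msKDC = 1.3.6.1.5.2.3.5
# Identifies the AD GUID
msADGUID = 1.3.6.1.4.1.311.25.1

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = CA-samba.example.com # Where everything is kept
certs = $dir/_none_certs # Where the issued certs are kept
crl_dir = $dir/_none_crl # Where the issued crl are kept
database = $dir/Private/CA-samba.example.com-index.txt # database index file.
unique_subject = yes # Set to 'no' to allow several certificates with same subject.
new_certs_dir = $dir/NewCerts # default place for new certs.

certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
# crlnumber makes the CA issue V2 CRLs; comment it out (together with
# crl_extensions below) to leave a V1 CRL.
crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number

#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
# Everything under Private/ should be readable by the CA operator only.
private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file

#x509_extensions = # The extensions to add to the cert
# Extensions added to every certificate 'ca' signs, see [ template_x509_extensions ].
x509_extensions = template_x509_extensions

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# With it enabled, extensions present in the request are carried into the
# issued certificate, so the requester gets to choose e.g. its own
# subjectAltName. Left disabled: extensions come only from x509_extensions.
# copy_extensions = copy

# Extensions to add to a CRL, see [ crl_ext ]. Note: Netscape communicator
# chokes on V2 CRLs, which is why the stock OpenSSL config comments this out.
# This CA enables it (and crlnumber above), so it issues V2 CRLs; comment out
# both to leave a V1 CRL.
crl_extensions = crl_ext

# Validity in days. 7300 is roughly 20 years, suitable for the Samba
# self-test CA but not for a production CA. Clients may cache a CRL until
# its nextUpdate, so a CRL lifetime this long also means a regenerated CRL
# may never be fetched.
default_days = 7300 # how long to certify for
default_crl_days = 7300 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# NOTE: despite its name, this section requires every listed attribute
# to match the CA's own subject. It is not referenced by [ CA_default ]
# (policy = policy_match above).
[ policy_anything ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = supplied

####################################################################
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for.
# Leave these commented out: a passphrase set here sits in clear text
# next to the key paths.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SambaState

localityName = Locality Name (eg, city)
localityName_default = SambaCity

organizationName = Organization Name (eg, company)
organizationName_default = SambaSelfTesting

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Controllers

commonName = Common Name (eg, YOUR name)
commonName_default = addc.addom.samba.example.com
commonName_max = 64

emailAddress = Email Address
emailAddress_default = ca-samba.example.com@samba.example.com
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#
#unstructuredName = An optional company name

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
# NOTE: RFC 5280 (4.2.1.9) says CA certificates MUST mark basicConstraints
# critical; the non-critical form below is a compatibility concession.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate.
keyUsage = cRLSign, keyCertSign

crlDistributionPoints = URI:$CRLDISTPT

# Some might want this also
nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
subjectAltName = email:copy
# Copy issuer details
issuerAltName = issuer:copy

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always

[ template_x509_extensions ]

# These extensions are added when 'ca' signs a request for a domain
# controller certificate.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints = CA:FALSE
crlDistributionPoints = URI:$CRLDISTPT

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
nsCertType = server

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "Domain Controller Certificate addc.addom.samba.example.com"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# This stuff is for subjectAltName and issuerAltname.

# DNS name and AD GUID of the domain controller, see [ dc_subjalt ] below.
subjectAltName = @dc_subjalt

# Copy issuer details
issuerAltName = issuer:copy

nsCaRevocationUrl = $CRLDISTPT
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# Extended Key requirements for our domain controller certs
# clientAuth - says cert can be used to identify an ssl/tls client
# serverAuth - says cert can be used to identify an ssl/tls server
# msKDC - says cert can be used to identify a Kerberos Domain Controller
#         (OID defined in [ new_oids ] above; Windows expects it on DC certs)
extendedKeyUsage = clientAuth,serverAuth,msKDC

[ dc_subjalt ]
DNS = addc.addom.samba.example.com
# Placeholder AD GUID for the self-test; a real DC certificate carries
# the DC's own AD GUID here.
otherName = msADGUID;FORMAT:HEX,OCTETSTRING:0123456789ABCDEF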