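# Baseline options for the CMP client test cases (OpenSSL config syntax:
# '#' starts a comment, $name expands another key). The sections further down
# assign the same keys again, often to an empty value.
[default]
batch = 1 # do not use stdin
total_timeout = 8 # prevent, e.g., infinite polling due to error
# Trust anchors used when validating signature-protected CMP responses.
trusted = trusted.crt
newkey = new.key
# Empty pass phrase source: new.key is presumably stored unencrypted, which is
# only acceptable because it is a throwaway test key -- TODO confirm.
newkeypass =
# ir = initialization request
cmd = ir
# Trust anchors the newly enrolled certificate must chain to before it is accepted.
out_trusted = root.crt
#certout = test.cert.pem
# Names the [certificatePolicies] section that supplies the policy extension.
policies = certificatePolicies
#policy_oids = 1.2.3.4
#policy_oids_critical = 1
#verbosity = 7
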
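############################# server configurations

# Everything in this section targets a loopback mock server. The pass: values
# are fixture credentials kept in cleartext and must stay test-only.
[Mock] # the built-in OpenSSL CMP mock server
# no_check_time = 1
server_host = 127.0.0.1 # localhost
# server_port = 0 means that the port is determined by the server
server_port = 0
server_tls = $server_port
server_cert = server.crt
server = $server_host:$server_port
server_path = pkix/
path = $server_path
ca_dn = /CN=Root CA
recipient = $ca_dn
server_dn = /CN=server.example
# Pins the sender DN expected in CMP responses to the mock server's subject.
expect_sender = $server_dn
subject = "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=leaf"
newkey = signer.key
out_trusted = signer_root.crt
kur_port = $server_port
pbm_port = $server_port
pbm_ref =
# pass: embeds the secret literally in this file. For anything beyond a
# fixture, prefer an indirect pass phrase source such as file: or env:.
pbm_secret = pass:test
cert = signer.crt
key = signer.p12
keypass = pass:12345
# 0 keeps the key-usage check on the CMP signer certificate enabled.
ignore_keyusage = 0
# column and sleep are presumably read by the test harness, not by the CMP
# client itself -- TODO confirm against the test recipe.
column = 0
sleep = 0
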
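############################# aspects

# Connection aspect: keeps a per-message timeout and empties total_timeout and
# every tls_* option. With the TLS options reset, these cases presumably run
# over plain HTTP, leaving CMP message protection as the only integrity
# control -- TODO confirm.
[connection]
msg_timeout = 5
total_timeout =
# reset any TLS options to default:
tls_used =
tls_cert =
tls_key =
tls_keypass =
tls_trusted =
tls_host =
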
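# TLS aspect: empties server and every tls_* option, presumably so each test
# case sets them explicitly and no inherited value silently enables or
# disables TLS -- TODO confirm.
[tls]
server =
tls_used =
# Client-side TLS credentials.
tls_cert =
tls_key =
tls_keypass =
# Trust anchors and expected host name for checking the TLS server certificate.
tls_trusted =
tls_host =
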
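# Credentials aspect: empties both kinds of client message protection so that
# each test case chooses one explicitly.
[credentials]
# Password-based protection (reference value and shared secret).
ref =
secret =
# Signature-based protection (client certificate, private key, pass phrase).
cert =
key =
keypass =
extracerts =
digest =
# Emptied as well, so sending unprotected requests is never inherited from
# another section -- presumably a test case must ask for it explicitly.
unprotected_requests =
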
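# Verification aspect: empties the options that control how CMP responses are
# authenticated. expect_sender and unprotected_errors are commented out, so
# this section does not reset them.
[verification]
#expect_sender =
# Specific server certificate to accept directly as the response signer.
srvcert =
# Trust anchors and intermediate certificates for validating the signer.
trusted =
untrusted =
#unprotected_errors =
extracertsout =
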
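# Commands aspect: empties the command selector and the options that only
# apply to specific commands (general messages, update, revocation).
[commands]
cmd =
cacertsout =
infotype =
oldcert =
revreason =
geninfo =
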
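# Enrollment aspect: empties the certificate-request options and sets the
# three switches below to 0.
[enrollment]
cmd =
newkey =
newkeypass =
#subject =
issuer =
days =
reqexts =
sans =
san_nodefault = 0
#popo =
# Both confirmation switches are 0, so the client does not request implicit
# confirmation and does not skip the certificate confirmation step.
implicit_confirm = 0
disable_confirm = 0
certout =
out_trusted =
oldcert =
csr =
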
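############################# extra cert template contents

# Section named by the policies key in [default]. The extension is marked
# critical and takes its policy information from [pkiPolicy].
[certificatePolicies]
certificatePolicies = "critical, @pkiPolicy"
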
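# Policy information referenced as @pkiPolicy from [certificatePolicies].
# NOTE(review): 1.2.3.4 looks like a placeholder OID, not a registered policy.
[pkiPolicy]
policyIdentifier = 1.2.3.4
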
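# X.509 extensions for the requested certificate: a non-CA certificate limited
# to digital signatures and TLS client authentication. The trailing comments
# list usages that are deliberately left out.
[reqexts]
basicConstraints = CA:FALSE
#basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature # keyAgreement, keyEncipherment, nonRepudiation
extendedKeyUsage = critical, clientAuth # serverAuth, codeSigning
#crlDistributionPoints = URI:http:
#authorityInfoAccess = URI:http:
# SAN entries are taken from [alt_names].
subjectAltName = @alt_names
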
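# Subject alternative names referenced as @alt_names from [reqexts]. All
# entries are loopback or private-range addresses.
[alt_names]
DNS.0 = localhost
IP.0 = 127.0.0.1
IP.1 = 192.168.1.1
URI.0 = http://192.168.0.2
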
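# Extension set whose SAN list comes from [alt_names_3]. Judging by the section
# name, this is a negative test input -- TODO confirm.
[reqexts_invalidkey]
subjectAltName = @alt_names_3
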
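# SAN list referenced as @alt_names_3 from [reqexts_invalidkey]; three entries
# are punycode (xn--) host names.
[alt_names_3]
DNS.0 = localhost
DNS.1 = xn--rksmrgs-5wao1o.example.com
DNS.2 = xn--rkmacka-5wa.example.com
# NOTE(review): DNS__3 breaks the DNS.<n> pattern used above. It is presumably
# the intentionally invalid key this section exists for -- do not "fix" it.
DNS__3 = xn--rksallad-0za.example.com
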