# $NetBSD: pkgsrc.cnf,v 1.1.1.1 2009/02/02 20:44:09 joerg Exp $
#
# OpenSSL sample configuration file for use by pkgsrc.sh
#

# Give HOME a fallback value so that the RANDFILE line below still
# resolves when the variable is missing from the environment.
HOME = .
RANDFILE = $ENV::HOME/.rnd
10
####################################################################
# Entry point for `openssl ca`: names the section holding the CA settings.
[ ca ]
default_ca = CA_default

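####################################################################
# Settings for the pkgsrc CA itself: file layout, signing digest,
# validity periods and the request-matching policy.
[ CA_default ]

# Where everything is kept
dir = ./pkgsrc
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# Set to 'no' to allow creation of several certificates with the same subject.
#unique_subject = no
# default place for new certs
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL number; must be commented out to leave a V1 CRL
crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/crl.pem
# The private key; keep this file readable only by the CA operator
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default
cert_opt = ca_default

# Extension copying option: use with caution. With 'copy', extensions
# requested in a CSR are carried into the issued certificate, so the
# requester decides which extensions it gets unless the CA checks them.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

# how long to certify for (days)
default_days = 365
# how long before next CRL (days)
default_crl_days = 30
# Digest used to sign issued certificates and CRLs. Pinned to SHA-256
# instead of 'default', whose meaning depends on the OpenSSL release and
# key type (older releases resolve it to SHA-1).
default_md = sha256
# keep passed DN ordering
preserve = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
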
# Policy selected by 'policy' in CA_default: the request must carry the
# same country, state and organization as the CA; the common name has
# to be present; unit and e-mail are accepted if given.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Permissive policy: every listed field is taken as given and only the
# common name is mandatory. Every acceptable 'object' type still has to
# be listed here explicitly.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

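####################################################################
# Defaults for `openssl req`: key generation and the CSR / self-signed
# certificate built from it.
[ req ]
# RSA key size in bits
default_bits = 2048
default_keyfile = privkey.pem
# Digest used to sign the request / self-signed certificate. SHA-1 is
# no longer acceptable for certificate signatures, so use SHA-256.
default_md = sha256
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert
x509_extensions = v3_ca

# Encode DN fields as UTF8String only (the PKIX-recommended string type).
string_mask = utf8only
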
# Prompts, defaults and length limits for the DN fields that `req` asks
# for. A numeric prefix such as '0.' lets the same field be asked twice.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# A second organization name can be requested like this, but it is
# normally not needed.
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

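# Extensions for certificates that sign binary pkgsrc packages
# (presumably selected by section name from pkgsrc.sh).
[ pkgkey ]
nsComment = "Certificate for binary pkgsrc packages"

# End-entity certificate: say explicitly that it may not act as a CA
# instead of relying on the absence of basicConstraints.
basicConstraints = CA:FALSE

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Move the e-mail address out of the subject DN into subjectAltName.
subjectAltName = email:move

# Purposes the certificate is valid for.
# NOTE(review): keyUsage is not constrained in this profile; confirm
# that is intended.
extendedKeyUsage = codeSigning, emailProtection
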
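# Extensions for certificates that sign the pkg-vulnerabilities file
# (presumably selected by section name from pkgsrc.sh).
[ pkgsec ]
nsComment = "Certificate for pkg-vulnerabilities"

# End-entity certificate: say explicitly that it may not act as a CA
# instead of relying on the absence of basicConstraints.
basicConstraints = CA:FALSE

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Move the e-mail address out of the subject DN into subjectAltName.
subjectAltName = email:move
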
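# Extensions for the self-signed CA certificate (see x509_extensions
# in the [ req ] section).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
# Restrict the CA key to signing certificates and CRLs, as the RFC 5280
# CA profile expects when keyUsage is present.
keyUsage = critical, keyCertSign, cRLSign
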