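# $NetBSD: pkgsrc.cnf,v 1.1.1.1 2009/02/02 20:44:09 joerg Exp $
#
# OpenSSL sample configuration file for use by pkgsrc.sh
#
# Layout:
#   [ ca ] / [ CA_default ]   settings for issuing certificates
#   [ policy_* ]              how closely a request's DN must match the CA's
#   [ req ] / [ req_* ]       settings for requests and the self-signed CA cert
#   [ pkgkey ] / [ pkgsec ]   extensions for the two end-entity certificate types
#   [ v3_ca ]                 extensions for the CA certificate itself

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

####################################################################
[ ca ]
# The default ca section
default_ca = CA_default

####################################################################
[ CA_default ]

# Where everything is kept. The path is relative, so it is resolved
# against the directory openssl is started from.
dir = ./pkgsrc
# Where the issued certs are kept
certs = $dir/certs
# Where the issued crl are kept
crl_dir = $dir/crl
# database index file.
database = $dir/index.txt
# Set to 'no' to allow creation of several certificates with the
# same subject.
#unique_subject = no
# default place for new certs.
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# the current crl number
# must be commented out to leave a V1 CRL
crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/crl.pem
# The private key. Everything under $dir/private should be readable
# by the CA operator only; whoever can read cakey.pem can issue
# certificates that verify against this CA.
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default

# Extension copying option: use with caution.
# With 'copy', extensions present in the request are carried into the
# issued certificate, so the requester gets a say in its contents
# (basicConstraints included). Leave this off unless every request is
# inspected before it is signed.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

# how long to certify for
default_days = 365
# how long before next CRL
default_crl_days = 30
# use public key default MD
# NOTE(review): which digest 'default' selects depends on the OpenSSL
# build in use; set this to sha256 explicitly if certificates may be
# issued with an older toolchain.
default_md = default
# keep passed DN ordering
preserve = no

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
# Digest used to sign requests and the self-signed certificate.
# SHA-1 is no longer collision resistant and must not be used for new
# signatures, so this is set to SHA-256.
default_md = sha256
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert
x509_extensions = v3_ca

string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# Extensions for certificates that sign binary packages.
# NOTE(review): this section sets neither basicConstraints nor keyUsage.
# Consider adding 'basicConstraints = critical,CA:FALSE' and
# 'keyUsage = critical,digitalSignature' so that a package-signing
# certificate is explicitly marked as a leaf; confirm first that the
# verifying tools accept the stricter profile.
[ pkgkey ]
nsComment = "Certificate for binary pkgsrc packages"

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Move the e-mail address out of the subject DN into subjectAltName.
subjectAltName = email:move

extendedKeyUsage = codeSigning, emailProtection

# Extensions for certificates that sign the pkg-vulnerabilities file.
# NOTE(review): no basicConstraints, keyUsage or extendedKeyUsage is set
# here, so nothing in the certificate limits what it may be used for.
# Consider constraining it in the same way as a [ pkgkey ] certificate.
[ pkgsec ]
nsComment = "Certificate for pkg-vulnerabilities"

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Move the e-mail address out of the subject DN into subjectAltName.
subjectAltName = email:move

# Extensions for the self-signed CA certificate (see x509_extensions
# in [ req ]).
# NOTE(review): no keyUsage and no pathlen are set. Consider
# 'keyUsage = critical,keyCertSign,cRLSign' and, if this CA only issues
# end-entity certificates, 'basicConstraints = critical,CA:true,pathlen:0'.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true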