###############################################################
#
#  Licensed to the Apache Software Foundation (ASF) under one
#  or more contributor license agreements.  See the NOTICE file
#  distributed with this work for additional information
#  regarding copyright ownership.  The ASF licenses this file
#  to you under the Apache License, Version 2.0 (the
#  "License"); you may not use this file except in compliance
#  with the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing,
#  software distributed under the License is distributed on an
#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
#  KIND, either express or implied.  See the License for the
#  specific language governing permissions and limitations
#  under the License.
#
###############################################################

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		=
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= ./demoCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial	# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem 	# The private key
RANDFILE	= $dir/private/.rand	 	# private random number file

x509_extensions	= usr_cert		# The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution. With "copy", every extension
# in the request that the x509_extensions section does not itself set is
# copied into the certificate unchanged, so a requester can supply its own
# subjectAltName entries (and basicConstraints, if the section leaves that
# out). Leave it off unless each request is inspected before signing.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# which md to use. This file originally
					# said sha1; SHA-1 signatures are rejected
					# by current browsers and TLS libraries.
preserve	= no			# keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match
# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
default_bits		= 2048		# originally 1024; RSA keys shorter than
					# 2048 bits are rejected by current TLS stacks
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert

# Passwords for private keys; if not present they will be prompted for.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# utf8only is what the openssl.cnf shipped with current OpenSSL uses, and
# RFC 5280 requires conforming CAs to encode names as PrintableString or
# UTF8String, tolerating T61String only for legacy names. The original
# setting, kept for Netscape-era clients that crashed on BMPStrings or
# UTF8Strings, was:
# string_mask = nombstr
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request
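The settings above (default_md, default_bits, copy_extensions and the section named by x509_extensions) are the first things a reviewer checks in a CA configuration, but they live in different sections and are only found by following the [ ca ] -> default_ca -> CA_default chain the way `openssl ca` does. The script below is an added example, not part of the OpenOffice tree or of OpenSSL: it parses an openssl.cnf section by section with plain awk (comments stripped, whitespace trimmed), resolves that chain, and prints one finding per weak setting. The finding codes, the helper names and the embedded sample configuration (a constructed extract reproducing this file's sha1 / 1024-bit / no-basicConstraints state) are this script's own conventions; it does not run openssl.

```shell
#!/bin/sh
# Added example, not part of the OpenOffice tree: a section-aware audit of an
# openssl.cnf for the weak settings present in the file above. It follows the
# [ ca ] -> default_ca -> x509_extensions chain the way `openssl ca` does and
# reports what a reviewer would flag. Needs only POSIX sh and awk; openssl is
# not run. Finding codes and messages are this script's own convention.
set -eu

# Print "section<TAB>key<TAB>value" for each assignment, comments stripped and
# whitespace trimmed; keys before the first [section] are reported as "default".
cnf_dump() {
    awk -v sect=default '
        { sub(/#.*/, "") }
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[[ \t]*/, "", sect); sub(/[ \t]*].*$/, "", sect); next }
        /=/ { k = $0; v = $0
              sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
              sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
              print sect "\t" k "\t" v }
    ' "$1"
}

# cnf_get FILE SECTION KEY: the first value set for KEY in SECTION, or nothing.
cnf_get() {
    cnf_dump "$1" | awk -F '\t' -v s="$2" -v k="$3" '$1 == s && $2 == k { print $3; exit }'
}

# Print one finding per line, "CODE: explanation", for the CA configured in FILE.
audit_cnf() {
    f=$1
    ca=$(cnf_get "$f" ca default_ca)
    ext=$(cnf_get "$f" "$ca" x509_extensions)
    md=$(cnf_get "$f" "$ca" default_md)
    bits=$(cnf_get "$f" req default_bits)
    case "$md" in
        md4|md5|sha|sha1|mdc2)
            echo "WEAK_MD: [$ca] default_md=$md signs with a broken hash; use sha256 or better" ;;
    esac
    if [ "${bits:-2048}" -lt 2048 ]; then
        echo "SHORT_KEY: [req] default_bits=$bits is below the 2048-bit RSA minimum"
    fi
    case "$(cnf_get "$f" "$ca" copy_extensions)" in
        copy|copyall)
            echo "COPY_EXT: [$ca] copies request extensions; every CSR must be inspected before signing" ;;
    esac
    case "$(cnf_get "$f" "$ext" basicConstraints)" in
        *CA:[Ff][Aa][Ll][Ss][Ee]*) ;;
        *) echo "NO_BC: [$ext] lacks basicConstraints=CA:FALSE; with copy_extensions a CSR could obtain CA:TRUE" ;;
    esac
}

# Constructed sample reproducing the weak settings of the file above.
sample_weak_cnf() {
    cat <<'EOF'
[ ca ]
default_ca	= CA_default		# The default ca section
[ CA_default ]
dir		= ./demoCA		# Where everything is kept
x509_extensions	= usr_cert		# The extensions to add to the cert
# copy_extensions = copy
default_md	= sha1			# which md to use.
[ req ]
default_bits		= 1024
[ usr_cert ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
EOF
}

if [ $# -gt 0 ]; then
    audit_cnf "$1"                    # e.g. sh audit.sh /etc/ssl/openssl.cnf
else
    tmp=$(mktemp); sample_weak_cnf > "$tmp"; audit_cnf "$tmp"; rm -f "$tmp"
fi
```

Run without arguments it audits the embedded sample and reports WEAK_MD, SHORT_KEY and NO_BC (COPY_EXT stays quiet because the sample, like this file, leaves copy_extensions commented out); pass a path to audit a real configuration. The parser deliberately ignores `$var` substitution, which is enough for the keys checked here.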

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= DE
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Hamburg

localityName			= Locality Name (eg, city)

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= OpenOffice.org

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= Development

commonName			= Common Name (eg, YOUR name)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64

# SET-ex3			= SET extension number 3

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.
#authorityInfoAccess = OCSP;URI:http://localhost:8888/

# An end-entity certificate must never be usable as a CA. Setting this here
# also guarantees that a request-supplied basicConstraints can never be
# copied in when copy_extensions is enabled.
basicConstraints = CA:FALSE

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy


[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#authorityInfoAccess = OCSP;URI:http://localhost:8888/

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

#authorityInfoAccess = OCSP;URI:http://localhost:8888
#crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_7.crl
# PKIX (RFC 5280) requires basicConstraints to be present and marked
# critical in every CA certificate, and that is what is set here. The
# non-critical form ("basicConstraints = CA:true") exists only for old
# software that chokes on critical extensions; do not use it for a real CA.
basicConstraints = critical, CA:true

# Key usage: this is typical for a CA certificate. However, since it will
# prevent the certificate from doubling as a test self-signed server
# certificate, it is left out by default. Enable it for a real CA.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
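The [ ca ], [ req ], v3_ca and usr_cert sections above describe a complete issuance flow but never show it being driven. The script below is an added example, not part of the OpenOffice tree or of OpenSSL: it writes a constructed, trimmed copy of this configuration (with sha256, 2048-bit keys and CA:FALSE in usr_cert) into a temporary directory, creates the demoCA layout that [ CA_default ] expects, self-signs a root with the v3_ca extensions, issues a client certificate under policy_match, and then goes one step beyond the page to demonstrate the copy_extensions hazard described earlier: the same CSR, which carries a request extension basicConstraints CA:TRUE, is signed twice, once with the request extension ignored and once with copy_extensions = copy and an issuing section that omits basicConstraints. The section names usr_cert_nobc and rogue_req, the COPY_EXT environment variable and all file names are this script's inventions; it assumes an `openssl` binary (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not part of the OpenOffice tree: drives a configuration shaped
# like the one above end to end in a throwaway directory, then shows what
# copy_extensions does when the issuing section omits basicConstraints.
# Assumes an `openssl` binary (1.1.1 or 3.x) on PATH; all names are local.
set -eu

# Constructed, trimmed copy of the sections above with the weak settings
# replaced (sha256, 2048-bit keys, CA:FALSE in usr_cert).
write_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
unique_subject = no                 # the demo signs one CSR twice
copy_extensions = $ENV::COPY_EXT    # none or copy, chosen per call
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# usr_cert without basicConstraints: the hole copy_extensions opens
[ usr_cert_nobc ]
keyUsage = digitalSignature, keyEncipherment
# what a hostile requester puts into its CSR (constructed for the demo)
[ rogue_req ]
basicConstraints = CA:TRUE
EOF
}

# Create the layout [ CA_default ] expects and a self-signed root using v3_ca.
setup_ca() {
    mkdir -p demoCA/newcerts demoCA/private
    : > demoCA/index.txt && echo 01 > demoCA/serial
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config openssl.cnf \
        -extensions v3_ca -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem \
        -subj "/C=DE/ST=Hamburg/O=OpenOffice.org/CN=Demo Root CA" 2>/dev/null
}

# sign_csr EXT_SECTION CSR COPY_MODE OUT: `openssl ca` under policy_match.
sign_csr() {
    COPY_EXT="$3" openssl ca -batch -notext -config openssl.cnf \
        -extensions "$1" -in "$2" -out "$4" >/dev/null 2>&1
}

# Succeeds when the certificate in $1 carries basicConstraints CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Basic Constraints/ { getline; print }' | grep -q 'CA:TRUE'
}

# Runs the whole flow in a fresh temporary directory and prints its path.
demo_ca_run() {
    work=$(mktemp -d)
    (
        cd "$work" && write_config openssl.cnf
        export COPY_EXT=none            # config parsing needs it defined
        setup_ca
        openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
            -reqexts rogue_req -keyout client.key -out client.csr \
            -subj "/C=DE/ST=Hamburg/O=OpenOffice.org/CN=client1" 2>/dev/null
        sign_csr usr_cert      client.csr none client.pem  # CSR extension ignored
        sign_csr usr_cert_nobc client.csr copy copied.pem  # CA:TRUE copied in
    )
    echo "$work"
}

if command -v openssl >/dev/null 2>&1; then
    d=$(demo_ca_run)
    openssl verify -CAfile "$d/demoCA/cacert.pem" "$d/client.pem"
    for c in client copied; do
        if cert_is_ca "$d/$c.pem"; then echo "$c.pem: CA:TRUE, requester is now a CA"
        else echo "$c.pem: CA:FALSE"; fi
    done
fi
```

client.pem verifies against the root and is CA:FALSE regardless of what the CSR asked for, because usr_cert sets basicConstraints itself and the CA section ignores request extensions by default. copied.pem, signed with copy_extensions = copy and a section that leaves basicConstraints unset, comes out CA:TRUE: the requester has been handed an intermediate CA. Either keep copy_extensions off, or make sure every issuing section pins basicConstraints (and keyUsage) so that nothing security-relevant is left for the request to supply.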
[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# PKIX does not require basicConstraints in an end-entity certificate, but
# many CAs set it and some software needs it to avoid interpreting an end
# user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo