1# 2# OpenSSL example configuration file. 3# This is mostly being used for generation of certificate requests. 4# 5 6# This definition stops the following lines choking if HOME isn't 7# defined. 8HOME = . 9RANDFILE = $ENV::HOME/.rnd 10 11# Extra OBJECT IDENTIFIER info: 12#oid_file = $ENV::HOME/.oid 13oid_section = new_oids 14 15# To use this configuration file with the "-extfile" option of the 16# "openssl x509" utility, name here the section containing the 17# X.509v3 extensions to use: 18# extensions = 19# (Alternatively, use a configuration file that has only 20# X.509v3 extensions in its main [= default] section.) 21 22[ new_oids ] 23 24# We can add new OIDs in here for use by 'ca' and 'req'. 25# Add a simple OID like this: 26# testoid1=1.2.3.4 27# Or use config file substitution like this: 28# testoid2=${testoid1}.5.6 29 30#################################################################### 31[ ca ] 32default_ca = CA_default # The default ca section 33 34#################################################################### 35[ CA_default ] 36 37dir = ./demoCA # Where everything is kept 38certs = $dir/certs # Where the issued certs are kept 39crl_dir = $dir/crl # Where the issued crl are kept 40database = $dir/index.txt # database index file. 41#unique_subject = no # Set to 'no' to allow creation of 42 # several ctificates with same subject. 43new_certs_dir = $dir/newcerts # default place for new certs. 44 45certificate = $dir/cacert.pem # The CA certificate 46serial = $dir/serial # The current serial number 47crlnumber = $dir/crlnumber # the current crl number 48 # must be commented out to leave a V1 CRL 49crl = $dir/crl.pem # The current CRL 50private_key = $dir/private/cakey.pem # The private key 51RANDFILE = $dir/private/.rand # private random number file 52 53x509_extensions = usr_cert # The extentions to add to the cert 54 55# Comment out the following two lines for the "traditional" 56# (and highly broken) format. 57name_opt = ca_default # Subject Name options 58cert_opt = ca_default # Certificate field options 59 60# Extension copying option: use with caution. 61# copy_extensions = copy 62 63# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 64# so this is commented out by default to leave a V1 CRL. 65# crlnumber must also be commented out to leave a V1 CRL. 66# crl_extensions = crl_ext 67 68default_days = 365 # how long to certify for 69default_crl_days= 30 # how long before next CRL 70default_md = sha1 # which md to use. 71preserve = no # keep passed DN ordering 72 73# A few difference way of specifying how similar the request should look 74# For type CA, the listed attributes must be the same, and the optional 75# and supplied fields are just that :-) 76policy = policy_match 77 78# For the CA policy 79[ policy_match ] 80countryName = match 81stateOrProvinceName = match 82organizationName = match 83organizationalUnitName = optional 84commonName = supplied 85emailAddress = optional 86 87# For the 'anything' policy 88# At this point in time, you must list all acceptable 'object' 89# types. 90[ policy_anything ] 91countryName = optional 92stateOrProvinceName = optional 93localityName = optional 94organizationName = optional 95organizationalUnitName = optional 96commonName = supplied 97emailAddress = optional 98 99#################################################################### 100[ req ] 101default_bits = 1024 102default_keyfile = privkey.pem 103distinguished_name = req_distinguished_name 104attributes = req_attributes 105x509_extensions = v3_ca # The extentions to add to the self signed cert 106utf8 = yes 107# Passwords for private keys if not present they will be prompted for 108# input_password = secret 109# output_password = secret 110 111# This sets a mask for permitted string types. There are several options. 112# default: PrintableString, T61String, BMPString. 113# pkix : PrintableString, BMPString. 114# utf8only: only UTF8Strings. 115# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 116# MASK:XXXX a literal mask value. 117# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 118# so use this option with caution! 119string_mask =pkix 120 121# req_extensions = v3_req # The extensions to add to a certificate request 122 123[ req_distinguished_name ] 124countryName = Country Name (2 letter code) 125countryName_default = DE 126countryName_min = 2 127countryName_max = 2 128 129stateOrProvinceName = State or Province Name (full name) 130stateOrProvinceName_default = Hamburg 131 132localityName = Locality Name (eg, city) 133 1340.organizationName = Organization Name (eg, company) 1350.organizationName_default = OpenOffice.org 136 137# we can do this but it is not needed normally :-) 138#1.organizationName = Second Organization Name (eg, company) 139#1.organizationName_default = World Wide Web Pty Ltd 140 141organizationalUnitName = Organizational Unit Name (eg, section) 142organizationalUnitName_default = Development 143 144commonName = Common Name (eg, YOUR name) 145commonName_max = 64 146commonName_default =User 14 \",middle quote 147 148emailAddress = Email Address 149emailAddress_max = 64 150 151# SET-ex3 = SET extension number 3 152 153[ req_attributes ] 154challengePassword = A challenge password 155challengePassword_min = 4 156challengePassword_max = 20 157 158unstructuredName = An optional company name 159 160[ usr_cert ] 161 162# These extensions are added when 'ca' signs a request. 163#authorityInfoAccess = OCSP;URI:http://localhost:8888/ 164 165# This is typical in keyUsage for a client certificate. 166keyUsage = nonRepudiation, digitalSignature, keyEncipherment 167 168# This will be displayed in Netscape's comment listbox. 169#nsComment = "OpenSSL Generated Certificate" 170 171# PKIX recommendations harmless if included in all certificates. 172subjectKeyIdentifier=hash 173authorityKeyIdentifier=keyid,issuer 174 175# This stuff is for subjectAltName and issuerAltname. 176# Import the email address. 177# subjectAltName=email:copy 178# An alternative to produce certificates that aren't 179# deprecated according to PKIX. 180# subjectAltName=email:move 181subjectAltName=DNS:alt.openoffice.org,IP:192.168.7.1,IP:13::17,email:my@other.address,RID:1.2.3.4,otherName:1.2.3.4;UTF8:some other identifier,dirName:dir_sect,URI:http://my.url.here/ 182# Copy subject details 183# issuerAltName=issuer:copy 184 185 186[dir_sect] 187C=DE 188O=OpenOffice.org 189OU=Development 190CN=User 32 Root 11 191 192[ v3_req ] 193 194# Extensions to add to a certificate request 195 196basicConstraints = CA:FALSE 197keyUsage = nonRepudiation, digitalSignature, keyEncipherment 198#authorityInfoAccess = OCSP;URI:http://localhost:8888/ 199 200[ v3_ca ] 201 202 203# Extensions for a typical CA 204 205 206# PKIX recommendation. 207 208subjectKeyIdentifier=hash 209 210authorityKeyIdentifier=keyid:always,issuer:always 211 212#authorityInfoAccess = OCSP;URI:http://localhost:8888 213#crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_7.crl 214# This is what PKIX recommends but some broken software chokes on critical 215# extensions. 216#basicConstraints = critical,CA:true 217# So we do this instead. 218basicConstraints = critical, CA:true 219 220# Key usage: this is typical for a CA certificate. However since it will 221# prevent it being used as an test self-signed certificate it is best 222# left out by default. 223# keyUsage = cRLSign, keyCertSign 224 225# Some might want this also 226# nsCertType = sslCA, emailCA 227 228# Include email address in subject alt name: another PKIX recommendation 229# subjectAltName=email:copy 230# Copy issuer details 231# issuerAltName=issuer:copy 232 233# DER hex encoding of an extension: beware experts only! 234# obj=DER:02:03 235# Where 'obj' is a standard or added object 236# You can even override a supported extension: 237# basicConstraints= critical, DER:30:03:01:01:FF 238 239[ crl_ext ] 240 241# CRL extensions. 242# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 243 244# issuerAltName=issuer:copy 245authorityKeyIdentifier=keyid:always,issuer:always 246 247[ proxy_cert_ext ] 248# These extensions should be added when creating a proxy certificate 249 250# This goes against PKIX guidelines but some CAs do it and some software 251# requires this to avoid interpreting an end user certificate as a CA. 252 253basicConstraints=CA:FALSE 254 255# Here are some examples of the usage of nsCertType. If it is omitted 256# the certificate can be used for anything *except* object signing. 257 258# This is OK for an SSL server. 259# nsCertType = server 260 261# For an object signing certificate this would be used. 262# nsCertType = objsign 263 264# For normal client use this is typical 265# nsCertType = client, email 266 267# and for everything including object signing: 268# nsCertType = client, email, objsign 269 270# This is typical in keyUsage for a client certificate. 271# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 272 273# This will be displayed in Netscape's comment listbox. 274nsComment = "OpenSSL Generated Certificate" 275 276# PKIX recommendations harmless if included in all certificates. 277subjectKeyIdentifier=hash 278authorityKeyIdentifier=keyid,issuer:always 279 280# This stuff is for subjectAltName and issuerAltname. 281# Import the email address. 282# subjectAltName=email:copy 283# An alternative to produce certificates that aren't 284# deprecated according to PKIX. 285# subjectAltName=email:move 286 287# Copy subject details 288# issuerAltName=issuer:copy 289 290#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 291#nsBaseUrl 292#nsRevocationUrl 293#nsRenewalUrl 294#nsCaPolicyUrl 295#nsSslServerName 296 297# This really needs to be in place for it to be a proxy certificate. 298proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 299