1# 2# OpenSSL example configuration file. 3# This is mostly being used for generation of certificate requests. 4# 5 6# This definition stops the following lines choking if HOME isn't 7# defined. 8HOME = . 9RANDFILE = $ENV::HOME/.rnd 10 11# Extra OBJECT IDENTIFIER info: 12#oid_file = $ENV::HOME/.oid 13oid_section = new_oids 14 15# To use this configuration file with the "-extfile" option of the 16# "openssl x509" utility, name here the section containing the 17# X.509v3 extensions to use: 18# extensions = 19# (Alternatively, use a configuration file that has only 20# X.509v3 extensions in its main [= default] section.) 21 22[ new_oids ] 23 24# We can add new OIDs in here for use by 'ca' and 'req'. 25# Add a simple OID like this: 26# testoid1=1.2.3.4 27# Or use config file substitution like this: 28# testoid2=${testoid1}.5.6 29 30#################################################################### 31[ ca ] 32default_ca = CA_default # The default ca section 33 34#################################################################### 35[ CA_default ] 36 37dir = ./demoCA # Where everything is kept 38certs = $dir/certs # Where the issued certs are kept 39crl_dir = $dir/crl # Where the issued crl are kept 40database = $dir/index.txt # database index file. 41#unique_subject = no # Set to 'no' to allow creation of 42 # several ctificates with same subject. 43new_certs_dir = $dir/newcerts # default place for new certs. 44 45certificate = $dir/cacert.pem # The CA certificate 46serial = $dir/serial # The current serial number 47crlnumber = $dir/crlnumber # the current crl number 48 # must be commented out to leave a V1 CRL 49crl = $dir/crl.pem # The current CRL 50private_key = $dir/private/cakey.pem # The private key 51RANDFILE = $dir/private/.rand # private random number file 52 53x509_extensions = usr_cert # The extentions to add to the cert 54 55# Comment out the following two lines for the "traditional" 56# (and highly broken) format. 57name_opt = ca_default # Subject Name options 58cert_opt = ca_default # Certificate field options 59 60# Extension copying option: use with caution. 61# copy_extensions = copy 62 63# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 64# so this is commented out by default to leave a V1 CRL. 65# crlnumber must also be commented out to leave a V1 CRL. 66# crl_extensions = crl_ext 67 68default_days = 365 # how long to certify for 69default_crl_days= 30 # how long before next CRL 70default_md = sha1 # which md to use. 71preserve = no # keep passed DN ordering 72 73# A few difference way of specifying how similar the request should look 74# For type CA, the listed attributes must be the same, and the optional 75# and supplied fields are just that :-) 76policy = policy_match 77 78# For the CA policy 79[ policy_match ] 80countryName = match 81stateOrProvinceName = match 82organizationName = match 83organizationalUnitName = optional 84commonName = supplied 85emailAddress = optional 86 87# For the 'anything' policy 88# At this point in time, you must list all acceptable 'object' 89# types. 90[ policy_anything ] 91countryName = optional 92stateOrProvinceName = optional 93localityName = optional 94organizationName = optional 95organizationalUnitName = optional 96commonName = supplied 97emailAddress = optional 98 99#################################################################### 100[ req ] 101default_bits = 1024 102default_keyfile = privkey.pem 103distinguished_name = req_distinguished_name 104attributes = req_attributes 105x509_extensions = v3_ca # The extentions to add to the self signed cert 106 107# Passwords for private keys if not present they will be prompted for 108# input_password = secret 109# output_password = secret 110 111# This sets a mask for permitted string types. There are several options. 112# default: PrintableString, T61String, BMPString. 113# pkix : PrintableString, BMPString. 114# utf8only: only UTF8Strings. 115# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 116# MASK:XXXX a literal mask value. 117# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 118# so use this option with caution! 119string_mask = nombstr 120 121# req_extensions = v3_req # The extensions to add to a certificate request 122 123[ req_distinguished_name ] 124countryName = Country Name (2 letter code) 125countryName_default = DE 126countryName_min = 2 127countryName_max = 2 128 129stateOrProvinceName = State or Province Name (full name) 130stateOrProvinceName_default = Hamburg 131 132localityName = Locality Name (eg, city) 133 1340.organizationName = Organization Name (eg, company) 1350.organizationName_default = OpenOffice.org 136 137# we can do this but it is not needed normally :-) 138#1.organizationName = Second Organization Name (eg, company) 139#1.organizationName_default = World Wide Web Pty Ltd 140 141organizationalUnitName = Organizational Unit Name (eg, section) 142organizationalUnitName_default = Development 143 144commonName = Common Name (eg, YOUR name) 145commonName_max = 64 146 147emailAddress = Email Address 148emailAddress_max = 64 149 150# SET-ex3 = SET extension number 3 151 152[ req_attributes ] 153challengePassword = A challenge password 154challengePassword_min = 4 155challengePassword_max = 20 156 157unstructuredName = An optional company name 158 159[ usr_cert ] 160 161# These extensions are added when 'ca' signs a request. 162#authorityInfoAccess = OCSP;URI:http://localhost:8888/ 163 164# This is typical in keyUsage for a client certificate. 165keyUsage = nonRepudiation, digitalSignature, keyEncipherment 166 167# This will be displayed in Netscape's comment listbox. 168nsComment = "OpenSSL Generated Certificate" 169 170# PKIX recommendations harmless if included in all certificates. 171subjectKeyIdentifier=hash 172authorityKeyIdentifier=keyid,issuer 173 174# This stuff is for subjectAltName and issuerAltname. 175# Import the email address. 176# subjectAltName=email:copy 177# An alternative to produce certificates that aren't 178# deprecated according to PKIX. 179# subjectAltName=email:move 180 181# Copy subject details 182# issuerAltName=issuer:copy 183 184 185 186[ v3_req ] 187 188# Extensions to add to a certificate request 189 190basicConstraints = CA:FALSE 191keyUsage = nonRepudiation, digitalSignature, keyEncipherment 192#authorityInfoAccess = OCSP;URI:http://localhost:8888/ 193 194[ v3_ca ] 195 196 197# Extensions for a typical CA 198 199 200# PKIX recommendation. 201 202subjectKeyIdentifier=hash 203 204authorityKeyIdentifier=keyid:always,issuer:always 205 206authorityInfoAccess = OCSP;URI:http://localhost:8888 207#crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_7.crl 208# This is what PKIX recommends but some broken software chokes on critical 209# extensions. 210#basicConstraints = critical,CA:true 211# So we do this instead. 212basicConstraints = critical, CA:true 213 214# Key usage: this is typical for a CA certificate. However since it will 215# prevent it being used as an test self-signed certificate it is best 216# left out by default. 217# keyUsage = cRLSign, keyCertSign 218 219# Some might want this also 220# nsCertType = sslCA, emailCA 221 222# Include email address in subject alt name: another PKIX recommendation 223# subjectAltName=email:copy 224# Copy issuer details 225# issuerAltName=issuer:copy 226 227# DER hex encoding of an extension: beware experts only! 228# obj=DER:02:03 229# Where 'obj' is a standard or added object 230# You can even override a supported extension: 231# basicConstraints= critical, DER:30:03:01:01:FF 232 233[ crl_ext ] 234 235# CRL extensions. 236# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 237 238# issuerAltName=issuer:copy 239authorityKeyIdentifier=keyid:always,issuer:always 240 241[ proxy_cert_ext ] 242# These extensions should be added when creating a proxy certificate 243 244# This goes against PKIX guidelines but some CAs do it and some software 245# requires this to avoid interpreting an end user certificate as a CA. 246 247basicConstraints=CA:FALSE 248 249# Here are some examples of the usage of nsCertType. If it is omitted 250# the certificate can be used for anything *except* object signing. 251 252# This is OK for an SSL server. 253# nsCertType = server 254 255# For an object signing certificate this would be used. 256# nsCertType = objsign 257 258# For normal client use this is typical 259# nsCertType = client, email 260 261# and for everything including object signing: 262# nsCertType = client, email, objsign 263 264# This is typical in keyUsage for a client certificate. 265# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 266 267# This will be displayed in Netscape's comment listbox. 268nsComment = "OpenSSL Generated Certificate" 269 270# PKIX recommendations harmless if included in all certificates. 271subjectKeyIdentifier=hash 272authorityKeyIdentifier=keyid,issuer:always 273 274# This stuff is for subjectAltName and issuerAltname. 275# Import the email address. 276# subjectAltName=email:copy 277# An alternative to produce certificates that aren't 278# deprecated according to PKIX. 279# subjectAltName=email:move 280 281# Copy subject details 282# issuerAltName=issuer:copy 283 284#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 285#nsBaseUrl 286#nsRevocationUrl 287#nsRenewalUrl 288#nsCaPolicyUrl 289#nsSslServerName 290 291# This really needs to be in place for it to be a proxy certificate. 292proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 293