1*b1cdbd2cSJim Jagielski############################################################### 2*b1cdbd2cSJim Jagielski# 3*b1cdbd2cSJim Jagielski# Licensed to the Apache Software Foundation (ASF) under one 4*b1cdbd2cSJim Jagielski# or more contributor license agreements. See the NOTICE file 5*b1cdbd2cSJim Jagielski# distributed with this work for additional information 6*b1cdbd2cSJim Jagielski# regarding copyright ownership. The ASF licenses this file 7*b1cdbd2cSJim Jagielski# to you under the Apache License, Version 2.0 (the 8*b1cdbd2cSJim Jagielski# "License"); you may not use this file except in compliance 9*b1cdbd2cSJim Jagielski# with the License. You may obtain a copy of the License at 10*b1cdbd2cSJim Jagielski# 11*b1cdbd2cSJim Jagielski# http://www.apache.org/licenses/LICENSE-2.0 12*b1cdbd2cSJim Jagielski# 13*b1cdbd2cSJim Jagielski# Unless required by applicable law or agreed to in writing, 14*b1cdbd2cSJim Jagielski# software distributed under the License is distributed on an 15*b1cdbd2cSJim Jagielski# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16*b1cdbd2cSJim Jagielski# KIND, either express or implied. See the License for the 17*b1cdbd2cSJim Jagielski# specific language governing permissions and limitations 18*b1cdbd2cSJim Jagielski# under the License. 19*b1cdbd2cSJim Jagielski# 20*b1cdbd2cSJim Jagielski############################################################### 21*b1cdbd2cSJim Jagielski 22*b1cdbd2cSJim Jagielski# 23*b1cdbd2cSJim Jagielski# OpenSSL example configuration file. 24*b1cdbd2cSJim Jagielski# This is mostly being used for generation of certificate requests. 25*b1cdbd2cSJim Jagielski# 26*b1cdbd2cSJim Jagielski 27*b1cdbd2cSJim Jagielski# This definition stops the following lines choking if HOME isn't 28*b1cdbd2cSJim Jagielski# defined. 29*b1cdbd2cSJim JagielskiHOME = . 30*b1cdbd2cSJim JagielskiRANDFILE = $ENV::HOME/.rnd 31*b1cdbd2cSJim Jagielski 32*b1cdbd2cSJim Jagielski# Extra OBJECT IDENTIFIER info: 33*b1cdbd2cSJim Jagielski#oid_file = $ENV::HOME/.oid 34*b1cdbd2cSJim Jagielskioid_section = new_oids 35*b1cdbd2cSJim Jagielski 36*b1cdbd2cSJim Jagielski# To use this configuration file with the "-extfile" option of the 37*b1cdbd2cSJim Jagielski# "openssl x509" utility, name here the section containing the 38*b1cdbd2cSJim Jagielski# X.509v3 extensions to use: 39*b1cdbd2cSJim Jagielski# extensions = 40*b1cdbd2cSJim Jagielski# (Alternatively, use a configuration file that has only 41*b1cdbd2cSJim Jagielski# X.509v3 extensions in its main [= default] section.) 42*b1cdbd2cSJim Jagielski 43*b1cdbd2cSJim Jagielski[ new_oids ] 44*b1cdbd2cSJim Jagielski 45*b1cdbd2cSJim Jagielski# We can add new OIDs in here for use by 'ca' and 'req'. 46*b1cdbd2cSJim Jagielski# Add a simple OID like this: 47*b1cdbd2cSJim Jagielski# testoid1=1.2.3.4 48*b1cdbd2cSJim Jagielski# Or use config file substitution like this: 49*b1cdbd2cSJim Jagielski# testoid2=${testoid1}.5.6 50*b1cdbd2cSJim Jagielski 51*b1cdbd2cSJim Jagielski#################################################################### 52*b1cdbd2cSJim Jagielski[ ca ] 53*b1cdbd2cSJim Jagielskidefault_ca = CA_default # The default ca section 54*b1cdbd2cSJim Jagielski 55*b1cdbd2cSJim Jagielski#################################################################### 56*b1cdbd2cSJim Jagielski[ CA_default ] 57*b1cdbd2cSJim Jagielski 58*b1cdbd2cSJim Jagielskidir = ./demoCA # Where everything is kept 59*b1cdbd2cSJim Jagielskicerts = $dir/certs # Where the issued certs are kept 60*b1cdbd2cSJim Jagielskicrl_dir = $dir/crl # Where the issued crl are kept 61*b1cdbd2cSJim Jagielskidatabase = $dir/index.txt # database index file. 62*b1cdbd2cSJim Jagielski#unique_subject = no # Set to 'no' to allow creation of 63*b1cdbd2cSJim Jagielski # several ctificates with same subject. 64*b1cdbd2cSJim Jagielskinew_certs_dir = $dir/newcerts # default place for new certs. 65*b1cdbd2cSJim Jagielski 66*b1cdbd2cSJim Jagielskicertificate = $dir/cacert.pem # The CA certificate 67*b1cdbd2cSJim Jagielskiserial = $dir/serial # The current serial number 68*b1cdbd2cSJim Jagielskicrlnumber = $dir/crlnumber # the current crl number 69*b1cdbd2cSJim Jagielski # must be commented out to leave a V1 CRL 70*b1cdbd2cSJim Jagielskicrl = $dir/crl.pem # The current CRL 71*b1cdbd2cSJim Jagielskiprivate_key = $dir/private/cakey.pem # The private key 72*b1cdbd2cSJim JagielskiRANDFILE = $dir/private/.rand # private random number file 73*b1cdbd2cSJim Jagielski 74*b1cdbd2cSJim Jagielskix509_extensions = usr_cert # The extentions to add to the cert 75*b1cdbd2cSJim Jagielski 76*b1cdbd2cSJim Jagielski# Comment out the following two lines for the "traditional" 77*b1cdbd2cSJim Jagielski# (and highly broken) format. 78*b1cdbd2cSJim Jagielskiname_opt = ca_default # Subject Name options 79*b1cdbd2cSJim Jagielskicert_opt = ca_default # Certificate field options 80*b1cdbd2cSJim Jagielski 81*b1cdbd2cSJim Jagielski# Extension copying option: use with caution. 82*b1cdbd2cSJim Jagielski# copy_extensions = copy 83*b1cdbd2cSJim Jagielski 84*b1cdbd2cSJim Jagielski# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 85*b1cdbd2cSJim Jagielski# so this is commented out by default to leave a V1 CRL. 86*b1cdbd2cSJim Jagielski# crlnumber must also be commented out to leave a V1 CRL. 87*b1cdbd2cSJim Jagielski# crl_extensions = crl_ext 88*b1cdbd2cSJim Jagielski 89*b1cdbd2cSJim Jagielskidefault_days = 365 # how long to certify for 90*b1cdbd2cSJim Jagielskidefault_crl_days= 30 # how long before next CRL 91*b1cdbd2cSJim Jagielskidefault_md = sha1 # which md to use. 92*b1cdbd2cSJim Jagielskipreserve = no # keep passed DN ordering 93*b1cdbd2cSJim Jagielski 94*b1cdbd2cSJim Jagielski# A few difference way of specifying how similar the request should look 95*b1cdbd2cSJim Jagielski# For type CA, the listed attributes must be the same, and the optional 96*b1cdbd2cSJim Jagielski# and supplied fields are just that :-) 97*b1cdbd2cSJim Jagielskipolicy = policy_match 98*b1cdbd2cSJim Jagielski 99*b1cdbd2cSJim Jagielski# For the CA policy 100*b1cdbd2cSJim Jagielski[ policy_match ] 101*b1cdbd2cSJim JagielskicountryName = match 102*b1cdbd2cSJim JagielskistateOrProvinceName = match 103*b1cdbd2cSJim JagielskiorganizationName = match 104*b1cdbd2cSJim JagielskiorganizationalUnitName = optional 105*b1cdbd2cSJim JagielskicommonName = supplied 106*b1cdbd2cSJim JagielskiemailAddress = optional 107*b1cdbd2cSJim Jagielski 108*b1cdbd2cSJim Jagielski# For the 'anything' policy 109*b1cdbd2cSJim Jagielski# At this point in time, you must list all acceptable 'object' 110*b1cdbd2cSJim Jagielski# types. 111*b1cdbd2cSJim Jagielski[ policy_anything ] 112*b1cdbd2cSJim JagielskicountryName = optional 113*b1cdbd2cSJim JagielskistateOrProvinceName = optional 114*b1cdbd2cSJim JagielskilocalityName = optional 115*b1cdbd2cSJim JagielskiorganizationName = optional 116*b1cdbd2cSJim JagielskiorganizationalUnitName = optional 117*b1cdbd2cSJim JagielskicommonName = supplied 118*b1cdbd2cSJim JagielskiemailAddress = optional 119*b1cdbd2cSJim Jagielski 120*b1cdbd2cSJim Jagielski#################################################################### 121*b1cdbd2cSJim Jagielski[ req ] 122*b1cdbd2cSJim Jagielskidefault_bits = 1024 123*b1cdbd2cSJim Jagielskidefault_keyfile = privkey.pem 124*b1cdbd2cSJim Jagielskidistinguished_name = req_distinguished_name 125*b1cdbd2cSJim Jagielskiattributes = req_attributes 126*b1cdbd2cSJim Jagielskix509_extensions = v3_ca # The extentions to add to the self signed cert 127*b1cdbd2cSJim Jagielski 128*b1cdbd2cSJim Jagielski# Passwords for private keys if not present they will be prompted for 129*b1cdbd2cSJim Jagielski# input_password = secret 130*b1cdbd2cSJim Jagielski# output_password = secret 131*b1cdbd2cSJim Jagielski 132*b1cdbd2cSJim Jagielski# This sets a mask for permitted string types. There are several options. 133*b1cdbd2cSJim Jagielski# default: PrintableString, T61String, BMPString. 134*b1cdbd2cSJim Jagielski# pkix : PrintableString, BMPString. 135*b1cdbd2cSJim Jagielski# utf8only: only UTF8Strings. 136*b1cdbd2cSJim Jagielski# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 137*b1cdbd2cSJim Jagielski# MASK:XXXX a literal mask value. 138*b1cdbd2cSJim Jagielski# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 139*b1cdbd2cSJim Jagielski# so use this option with caution! 140*b1cdbd2cSJim Jagielskistring_mask = nombstr 141*b1cdbd2cSJim Jagielski 142*b1cdbd2cSJim Jagielski# req_extensions = v3_req # The extensions to add to a certificate request 143*b1cdbd2cSJim Jagielski 144*b1cdbd2cSJim Jagielski[ req_distinguished_name ] 145*b1cdbd2cSJim JagielskicountryName = Country Name (2 letter code) 146*b1cdbd2cSJim JagielskicountryName_default = DE 147*b1cdbd2cSJim JagielskicountryName_min = 2 148*b1cdbd2cSJim JagielskicountryName_max = 2 149*b1cdbd2cSJim Jagielski 150*b1cdbd2cSJim JagielskistateOrProvinceName = State or Province Name (full name) 151*b1cdbd2cSJim JagielskistateOrProvinceName_default = Hamburg 152*b1cdbd2cSJim Jagielski 153*b1cdbd2cSJim JagielskilocalityName = Locality Name (eg, city) 154*b1cdbd2cSJim Jagielski 155*b1cdbd2cSJim Jagielski0.organizationName = Organization Name (eg, company) 156*b1cdbd2cSJim Jagielski0.organizationName_default = OpenOffice.org 157*b1cdbd2cSJim Jagielski 158*b1cdbd2cSJim Jagielski# we can do this but it is not needed normally :-) 159*b1cdbd2cSJim Jagielski#1.organizationName = Second Organization Name (eg, company) 160*b1cdbd2cSJim Jagielski#1.organizationName_default = World Wide Web Pty Ltd 161*b1cdbd2cSJim Jagielski 162*b1cdbd2cSJim JagielskiorganizationalUnitName = Organizational Unit Name (eg, section) 163*b1cdbd2cSJim JagielskiorganizationalUnitName_default = Development 164*b1cdbd2cSJim Jagielski 165*b1cdbd2cSJim JagielskicommonName = Common Name (eg, YOUR name) 166*b1cdbd2cSJim JagielskicommonName_max = 64 167*b1cdbd2cSJim Jagielski 168*b1cdbd2cSJim JagielskiemailAddress = Email Address 169*b1cdbd2cSJim JagielskiemailAddress_max = 64 170*b1cdbd2cSJim Jagielski 171*b1cdbd2cSJim Jagielski# SET-ex3 = SET extension number 3 172*b1cdbd2cSJim Jagielski 173*b1cdbd2cSJim Jagielski[ req_attributes ] 174*b1cdbd2cSJim JagielskichallengePassword = A challenge password 175*b1cdbd2cSJim JagielskichallengePassword_min = 4 176*b1cdbd2cSJim JagielskichallengePassword_max = 20 177*b1cdbd2cSJim Jagielski 178*b1cdbd2cSJim JagielskiunstructuredName = An optional company name 179*b1cdbd2cSJim Jagielski 180*b1cdbd2cSJim Jagielski[ usr_cert ] 181*b1cdbd2cSJim Jagielski 182*b1cdbd2cSJim Jagielski# These extensions are added when 'ca' signs a request. 183*b1cdbd2cSJim Jagielski#authorityInfoAccess = OCSP;URI:http://localhost:8888/ 184*b1cdbd2cSJim Jagielski 185*b1cdbd2cSJim Jagielski# This is typical in keyUsage for a client certificate. 186*b1cdbd2cSJim JagielskikeyUsage = nonRepudiation, digitalSignature, keyEncipherment 187*b1cdbd2cSJim Jagielski 188*b1cdbd2cSJim Jagielski# This will be displayed in Netscape's comment listbox. 189*b1cdbd2cSJim JagielskinsComment = "OpenSSL Generated Certificate" 190*b1cdbd2cSJim Jagielski 191*b1cdbd2cSJim Jagielski# PKIX recommendations harmless if included in all certificates. 192*b1cdbd2cSJim JagielskisubjectKeyIdentifier=hash 193*b1cdbd2cSJim JagielskiauthorityKeyIdentifier=keyid,issuer 194*b1cdbd2cSJim Jagielski 195*b1cdbd2cSJim Jagielski# This stuff is for subjectAltName and issuerAltname. 196*b1cdbd2cSJim Jagielski# Import the email address. 197*b1cdbd2cSJim Jagielski# subjectAltName=email:copy 198*b1cdbd2cSJim Jagielski# An alternative to produce certificates that aren't 199*b1cdbd2cSJim Jagielski# deprecated according to PKIX. 200*b1cdbd2cSJim Jagielski# subjectAltName=email:move 201*b1cdbd2cSJim Jagielski 202*b1cdbd2cSJim Jagielski# Copy subject details 203*b1cdbd2cSJim Jagielski# issuerAltName=issuer:copy 204*b1cdbd2cSJim Jagielski 205*b1cdbd2cSJim Jagielski 206*b1cdbd2cSJim Jagielski 207*b1cdbd2cSJim Jagielski[ v3_req ] 208*b1cdbd2cSJim Jagielski 209*b1cdbd2cSJim Jagielski# Extensions to add to a certificate request 210*b1cdbd2cSJim Jagielski 211*b1cdbd2cSJim JagielskibasicConstraints = CA:FALSE 212*b1cdbd2cSJim JagielskikeyUsage = nonRepudiation, digitalSignature, keyEncipherment 213*b1cdbd2cSJim Jagielski#authorityInfoAccess = OCSP;URI:http://localhost:8888/ 214*b1cdbd2cSJim Jagielski 215*b1cdbd2cSJim Jagielski[ v3_ca ] 216*b1cdbd2cSJim Jagielski 217*b1cdbd2cSJim Jagielski 218*b1cdbd2cSJim Jagielski# Extensions for a typical CA 219*b1cdbd2cSJim Jagielski 220*b1cdbd2cSJim Jagielski 221*b1cdbd2cSJim Jagielski# PKIX recommendation. 222*b1cdbd2cSJim Jagielski 223*b1cdbd2cSJim JagielskisubjectKeyIdentifier=hash 224*b1cdbd2cSJim Jagielski 225*b1cdbd2cSJim JagielskiauthorityKeyIdentifier=keyid:always,issuer:always 226*b1cdbd2cSJim Jagielski 227*b1cdbd2cSJim JagielskiauthorityInfoAccess = OCSP;URI:http://localhost:8888 228*b1cdbd2cSJim Jagielski#crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_7.crl 229*b1cdbd2cSJim Jagielski# This is what PKIX recommends but some broken software chokes on critical 230*b1cdbd2cSJim Jagielski# extensions. 231*b1cdbd2cSJim Jagielski#basicConstraints = critical,CA:true 232*b1cdbd2cSJim Jagielski# So we do this instead. 233*b1cdbd2cSJim JagielskibasicConstraints = critical, CA:true 234*b1cdbd2cSJim Jagielski 235*b1cdbd2cSJim Jagielski# Key usage: this is typical for a CA certificate. However since it will 236*b1cdbd2cSJim Jagielski# prevent it being used as an test self-signed certificate it is best 237*b1cdbd2cSJim Jagielski# left out by default. 238*b1cdbd2cSJim Jagielski# keyUsage = cRLSign, keyCertSign 239*b1cdbd2cSJim Jagielski 240*b1cdbd2cSJim Jagielski# Some might want this also 241*b1cdbd2cSJim Jagielski# nsCertType = sslCA, emailCA 242*b1cdbd2cSJim Jagielski 243*b1cdbd2cSJim Jagielski# Include email address in subject alt name: another PKIX recommendation 244*b1cdbd2cSJim Jagielski# subjectAltName=email:copy 245*b1cdbd2cSJim Jagielski# Copy issuer details 246*b1cdbd2cSJim Jagielski# issuerAltName=issuer:copy 247*b1cdbd2cSJim Jagielski 248*b1cdbd2cSJim Jagielski# DER hex encoding of an extension: beware experts only! 249*b1cdbd2cSJim Jagielski# obj=DER:02:03 250*b1cdbd2cSJim Jagielski# Where 'obj' is a standard or added object 251*b1cdbd2cSJim Jagielski# You can even override a supported extension: 252*b1cdbd2cSJim Jagielski# basicConstraints= critical, DER:30:03:01:01:FF 253*b1cdbd2cSJim Jagielski 254*b1cdbd2cSJim Jagielski[ crl_ext ] 255*b1cdbd2cSJim Jagielski 256*b1cdbd2cSJim Jagielski# CRL extensions. 257*b1cdbd2cSJim Jagielski# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 258*b1cdbd2cSJim Jagielski 259*b1cdbd2cSJim Jagielski# issuerAltName=issuer:copy 260*b1cdbd2cSJim JagielskiauthorityKeyIdentifier=keyid:always,issuer:always 261*b1cdbd2cSJim Jagielski 262*b1cdbd2cSJim Jagielski[ proxy_cert_ext ] 263*b1cdbd2cSJim Jagielski# These extensions should be added when creating a proxy certificate 264*b1cdbd2cSJim Jagielski 265*b1cdbd2cSJim Jagielski# This goes against PKIX guidelines but some CAs do it and some software 266*b1cdbd2cSJim Jagielski# requires this to avoid interpreting an end user certificate as a CA. 267*b1cdbd2cSJim Jagielski 268*b1cdbd2cSJim JagielskibasicConstraints=CA:FALSE 269*b1cdbd2cSJim Jagielski 270*b1cdbd2cSJim Jagielski# Here are some examples of the usage of nsCertType. If it is omitted 271*b1cdbd2cSJim Jagielski# the certificate can be used for anything *except* object signing. 272*b1cdbd2cSJim Jagielski 273*b1cdbd2cSJim Jagielski# This is OK for an SSL server. 274*b1cdbd2cSJim Jagielski# nsCertType = server 275*b1cdbd2cSJim Jagielski 276*b1cdbd2cSJim Jagielski# For an object signing certificate this would be used. 277*b1cdbd2cSJim Jagielski# nsCertType = objsign 278*b1cdbd2cSJim Jagielski 279*b1cdbd2cSJim Jagielski# For normal client use this is typical 280*b1cdbd2cSJim Jagielski# nsCertType = client, email 281*b1cdbd2cSJim Jagielski 282*b1cdbd2cSJim Jagielski# and for everything including object signing: 283*b1cdbd2cSJim Jagielski# nsCertType = client, email, objsign 284*b1cdbd2cSJim Jagielski 285*b1cdbd2cSJim Jagielski# This is typical in keyUsage for a client certificate. 286*b1cdbd2cSJim Jagielski# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 287*b1cdbd2cSJim Jagielski 288*b1cdbd2cSJim Jagielski# This will be displayed in Netscape's comment listbox. 289*b1cdbd2cSJim JagielskinsComment = "OpenSSL Generated Certificate" 290*b1cdbd2cSJim Jagielski 291*b1cdbd2cSJim Jagielski# PKIX recommendations harmless if included in all certificates. 292*b1cdbd2cSJim JagielskisubjectKeyIdentifier=hash 293*b1cdbd2cSJim JagielskiauthorityKeyIdentifier=keyid,issuer:always 294*b1cdbd2cSJim Jagielski 295*b1cdbd2cSJim Jagielski# This stuff is for subjectAltName and issuerAltname. 296*b1cdbd2cSJim Jagielski# Import the email address. 297*b1cdbd2cSJim Jagielski# subjectAltName=email:copy 298*b1cdbd2cSJim Jagielski# An alternative to produce certificates that aren't 299*b1cdbd2cSJim Jagielski# deprecated according to PKIX. 300*b1cdbd2cSJim Jagielski# subjectAltName=email:move 301*b1cdbd2cSJim Jagielski 302*b1cdbd2cSJim Jagielski# Copy subject details 303*b1cdbd2cSJim Jagielski# issuerAltName=issuer:copy 304*b1cdbd2cSJim Jagielski 305*b1cdbd2cSJim Jagielski#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 306*b1cdbd2cSJim Jagielski#nsBaseUrl 307*b1cdbd2cSJim Jagielski#nsRevocationUrl 308*b1cdbd2cSJim Jagielski#nsRenewalUrl 309*b1cdbd2cSJim Jagielski#nsCaPolicyUrl 310*b1cdbd2cSJim Jagielski#nsSslServerName 311*b1cdbd2cSJim Jagielski 312*b1cdbd2cSJim Jagielski# This really needs to be in place for it to be a proxy certificate. 313*b1cdbd2cSJim JagielskiproxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 314