1############################################################### 2# 3# Licensed to the Apache Software Foundation (ASF) under one 4# or more contributor license agreements. See the NOTICE file 5# distributed with this work for additional information 6# regarding copyright ownership. The ASF licenses this file 7# to you under the Apache License, Version 2.0 (the 8# "License"); you may not use this file except in compliance 9# with the License. You may obtain a copy of the License at 10# 11# http://www.apache.org/licenses/LICENSE-2.0 12# 13# Unless required by applicable law or agreed to in writing, 14# software distributed under the License is distributed on an 15# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16# KIND, either express or implied. See the License for the 17# specific language governing permissions and limitations 18# under the License. 19# 20############################################################### 21 22# 23# OpenSSL example configuration file. 24# This is mostly being used for generation of certificate requests. 25# 26 27# This definition stops the following lines choking if HOME isn't 28# defined. 29HOME = . 30RANDFILE = $ENV::HOME/.rnd 31 32# Extra OBJECT IDENTIFIER info: 33#oid_file = $ENV::HOME/.oid 34oid_section = new_oids 35 36# To use this configuration file with the "-extfile" option of the 37# "openssl x509" utility, name here the section containing the 38# X.509v3 extensions to use: 39# extensions = 40# (Alternatively, use a configuration file that has only 41# X.509v3 extensions in its main [= default] section.) 42 43[ new_oids ] 44 45# We can add new OIDs in here for use by 'ca' and 'req'. 46# Add a simple OID like this: 47# testoid1=1.2.3.4 48# Or use config file substitution like this: 49# testoid2=${testoid1}.5.6 50 51#################################################################### 52[ ca ] 53default_ca = CA_default # The default ca section 54 55#################################################################### 56[ CA_default ] 57 58dir = ./demoCA # Where everything is kept 59certs = $dir/certs # Where the issued certs are kept 60crl_dir = $dir/crl # Where the issued crl are kept 61database = $dir/index.txt # database index file. 62#unique_subject = no # Set to 'no' to allow creation of 63 # several ctificates with same subject. 64new_certs_dir = $dir/newcerts # default place for new certs. 65 66certificate = $dir/cacert.pem # The CA certificate 67serial = $dir/serial # The current serial number 68crlnumber = $dir/crlnumber # the current crl number 69 # must be commented out to leave a V1 CRL 70crl = $dir/crl.pem # The current CRL 71private_key = $dir/private/cakey.pem # The private key 72RANDFILE = $dir/private/.rand # private random number file 73 74x509_extensions = usr_cert # The extentions to add to the cert 75 76# Comment out the following two lines for the "traditional" 77# (and highly broken) format. 78name_opt = ca_default # Subject Name options 79cert_opt = ca_default # Certificate field options 80 81# Extension copying option: use with caution. 82# copy_extensions = copy 83 84# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 85# so this is commented out by default to leave a V1 CRL. 86# crlnumber must also be commented out to leave a V1 CRL. 87# crl_extensions = crl_ext 88 89default_days = 365 # how long to certify for 90default_crl_days= 30 # how long before next CRL 91default_md = sha1 # which md to use. 92preserve = no # keep passed DN ordering 93 94# A few difference way of specifying how similar the request should look 95# For type CA, the listed attributes must be the same, and the optional 96# and supplied fields are just that :-) 97policy = policy_match 98 99# For the CA policy 100[ policy_match ] 101countryName = match 102stateOrProvinceName = match 103organizationName = match 104organizationalUnitName = optional 105commonName = supplied 106emailAddress = optional 107 108# For the 'anything' policy 109# At this point in time, you must list all acceptable 'object' 110# types. 111[ policy_anything ] 112countryName = optional 113stateOrProvinceName = optional 114localityName = optional 115organizationName = optional 116organizationalUnitName = optional 117commonName = supplied 118emailAddress = optional 119 120#################################################################### 121[ req ] 122default_bits = 1024 123default_keyfile = privkey.pem 124distinguished_name = req_distinguished_name 125attributes = req_attributes 126x509_extensions = v3_ca # The extentions to add to the self signed cert 127 128# Passwords for private keys if not present they will be prompted for 129# input_password = secret 130# output_password = secret 131 132# This sets a mask for permitted string types. There are several options. 133# default: PrintableString, T61String, BMPString. 134# pkix : PrintableString, BMPString. 135# utf8only: only UTF8Strings. 136# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 137# MASK:XXXX a literal mask value. 138# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 139# so use this option with caution! 140string_mask = nombstr 141 142# req_extensions = v3_req # The extensions to add to a certificate request 143 144[ req_distinguished_name ] 145countryName = Country Name (2 letter code) 146countryName_default = DE 147countryName_min = 2 148countryName_max = 2 149 150stateOrProvinceName = State or Province Name (full name) 151stateOrProvinceName_default = Hamburg 152 153localityName = Locality Name (eg, city) 154 1550.organizationName = Organization Name (eg, company) 1560.organizationName_default = OpenOffice.org 157 158# we can do this but it is not needed normally :-) 159#1.organizationName = Second Organization Name (eg, company) 160#1.organizationName_default = World Wide Web Pty Ltd 161 162organizationalUnitName = Organizational Unit Name (eg, section) 163organizationalUnitName_default = Development 164 165commonName = Common Name (eg, YOUR name) 166commonName_max = 64 167 168emailAddress = Email Address 169emailAddress_max = 64 170 171# SET-ex3 = SET extension number 3 172 173[ req_attributes ] 174challengePassword = A challenge password 175challengePassword_min = 4 176challengePassword_max = 20 177 178unstructuredName = An optional company name 179 180[ usr_cert ] 181 182# These extensions are added when 'ca' signs a request. 183#authorityInfoAccess = OCSP;URI:http://localhost:8888/ 184 185# This is typical in keyUsage for a client certificate. 186keyUsage = nonRepudiation, digitalSignature, keyEncipherment 187 188# This will be displayed in Netscape's comment listbox. 189nsComment = "OpenSSL Generated Certificate" 190 191# PKIX recommendations harmless if included in all certificates. 192subjectKeyIdentifier=hash 193authorityKeyIdentifier=keyid,issuer 194 195# This stuff is for subjectAltName and issuerAltname. 196# Import the email address. 197# subjectAltName=email:copy 198# An alternative to produce certificates that aren't 199# deprecated according to PKIX. 200# subjectAltName=email:move 201 202# Copy subject details 203# issuerAltName=issuer:copy 204 205 206 207[ v3_req ] 208 209# Extensions to add to a certificate request 210 211basicConstraints = CA:FALSE 212keyUsage = nonRepudiation, digitalSignature, keyEncipherment 213#authorityInfoAccess = OCSP;URI:http://localhost:8888/ 214 215[ v3_ca ] 216 217 218# Extensions for a typical CA 219 220 221# PKIX recommendation. 222 223subjectKeyIdentifier=hash 224 225authorityKeyIdentifier=keyid:always,issuer:always 226 227#authorityInfoAccess = OCSP;URI:http://localhost:8888 228crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_7.crl 229# This is what PKIX recommends but some broken software chokes on critical 230# extensions. 231#basicConstraints = critical,CA:true 232# So we do this instead. 233basicConstraints = critical, CA:true 234 235# Key usage: this is typical for a CA certificate. However since it will 236# prevent it being used as an test self-signed certificate it is best 237# left out by default. 238# keyUsage = cRLSign, keyCertSign 239 240# Some might want this also 241# nsCertType = sslCA, emailCA 242 243# Include email address in subject alt name: another PKIX recommendation 244# subjectAltName=email:copy 245# Copy issuer details 246# issuerAltName=issuer:copy 247 248# DER hex encoding of an extension: beware experts only! 249# obj=DER:02:03 250# Where 'obj' is a standard or added object 251# You can even override a supported extension: 252# basicConstraints= critical, DER:30:03:01:01:FF 253 254[ crl_ext ] 255 256# CRL extensions. 257# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 258 259# issuerAltName=issuer:copy 260authorityKeyIdentifier=keyid:always,issuer:always 261 262[ proxy_cert_ext ] 263# These extensions should be added when creating a proxy certificate 264 265# This goes against PKIX guidelines but some CAs do it and some software 266# requires this to avoid interpreting an end user certificate as a CA. 267 268basicConstraints=CA:FALSE 269 270# Here are some examples of the usage of nsCertType. If it is omitted 271# the certificate can be used for anything *except* object signing. 272 273# This is OK for an SSL server. 274# nsCertType = server 275 276# For an object signing certificate this would be used. 277# nsCertType = objsign 278 279# For normal client use this is typical 280# nsCertType = client, email 281 282# and for everything including object signing: 283# nsCertType = client, email, objsign 284 285# This is typical in keyUsage for a client certificate. 286# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 287 288# This will be displayed in Netscape's comment listbox. 289nsComment = "OpenSSL Generated Certificate" 290 291# PKIX recommendations harmless if included in all certificates. 292subjectKeyIdentifier=hash 293authorityKeyIdentifier=keyid,issuer:always 294 295# This stuff is for subjectAltName and issuerAltname. 296# Import the email address. 297# subjectAltName=email:copy 298# An alternative to produce certificates that aren't 299# deprecated according to PKIX. 300# subjectAltName=email:move 301 302# Copy subject details 303# issuerAltName=issuer:copy 304 305#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 306#nsBaseUrl 307#nsRevocationUrl 308#nsRenewalUrl 309#nsCaPolicyUrl 310#nsSslServerName 311 312# This really needs to be in place for it to be a proxy certificate. 313proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 314