1 ###############################################################
2 #
3 #  Licensed to the Apache Software Foundation (ASF) under one
4 #  or more contributor license agreements.  See the NOTICE file
5 #  distributed with this work for additional information
6 #  regarding copyright ownership.  The ASF licenses this file
7 #  to you under the Apache License, Version 2.0 (the
8 #  "License"); you may not use this file except in compliance
9 #  with the License.  You may obtain a copy of the License at
10 #
11 #    http://www.apache.org/licenses/LICENSE-2.0
12 #
13 #  Unless required by applicable law or agreed to in writing,
14 #  software distributed under the License is distributed on an
15 #  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16 #  KIND, either express or implied.  See the License for the
17 #  specific language governing permissions and limitations
18 #  under the License.
19 #
20 ###############################################################
21 
22 #
23 # OpenSSL example configuration file.
24 # This is mostly being used for generation of certificate requests.
25 #
26 
# This definition stops the following lines choking if HOME isn't
# defined: $ENV::HOME is looked up in the process environment first and,
# when unset there, falls back to the HOME key defined in this file.
HOME			= .
# PRNG seed/state file; with the fallback above it lands in the
# current directory when no HOME is exported.
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
# Section holding additional OIDs usable by 'ca' and 'req' (see [ new_oids ]).
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		=
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
42 
[ new_oids ]

# Referenced by 'oid_section' above. Keys added here become OIDs usable
# by 'ca' and 'req'; the section is intentionally empty by default.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
50 
####################################################################
[ ca ]
# Section that 'openssl ca' reads its settings from when no -name is given.
default_ca = CA_default
54 
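####################################################################
[ CA_default ]

# Every path below is built from 'dir'; keep it defined before any
# line that expands $dir.
dir		= ./demoCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial	# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem 	# The private key
RANDFILE	= $dir/private/.rand	 	# private random number file

x509_extensions	= usr_cert		# The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution. With 'copy' every
# extension in a request is copied into the issued certificate, so a
# requester could ask for CA:TRUE or arbitrary key usages unless the
# request is reviewed first.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
# Digest used to sign issued certificates and CRLs. SHA-1 signatures
# are rejected by current clients and are collision-prone; sha256 is
# supported by every OpenSSL release that understands this file.
default_md	= sha256		# which md to use.
preserve	= no			# keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match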
98 
# Default policy selected by 'policy' in [ CA_default ]: the request's
# C, ST and O must equal the CA's own; CN has to be present; OU and
# email are taken over only when the request supplies them.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
107 
# Permissive policy: nothing has to match the CA's subject, only a
# commonName is required. Every accepted attribute type still has to be
# listed here explicitly; unlisted types are rejected by 'ca'.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
119 
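####################################################################
[ req ]
# RSA modulus size for keys generated by 'openssl req -new'/-newkey.
# 1024-bit RSA is no longer considered adequate; 2048 is the accepted
# minimum and is handled by every OpenSSL version that reads this file.
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert

# Passwords for private keys; if not present they will be prompted for.
# Keep these commented out: a value here is a clear-text secret in a
# file that is usually readable to more than the key's owner.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request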
143 
[ req_distinguished_name ]
# Prompts shown by 'openssl req'. For each attribute the plain key is the
# prompt text, '_default' the value taken on an empty answer, and
# '_min'/'_max' the accepted length range. Attributes are asked in the
# order listed here.

# Country: ISO 3166 two-letter code, fixed length.
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hamburg

localityName = Locality Name (eg, city)

# Numeric prefix disambiguates repeated attribute types; a second
# organizationName could be added with the '1.' prefix shown below.
0.organizationName = Organization Name (eg, company)
0.organizationName_default = OpenOffice.org

#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Development

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3
172 
[ req_attributes ]
# Optional request attributes prompted for by 'openssl req'.
# The challenge password is stored in the CSR only and is not part of
# the issued certificate.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name
179 
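[ usr_cert ]

# These extensions are added when 'ca' signs a request.
#authorityInfoAccess = OCSP;URI:http://localhost:8888/

# Mark certificates issued through this section as end-entity
# certificates, so no relying software can take one for an
# intermediate CA. [ v3_req ] and [ proxy_cert_ext ] below do the same.
basicConstraints=CA:FALSE

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy


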
[ v3_req ]
# Extensions placed into a certificate request (selected via
# 'req_extensions' in [ req ]). The request asks for an end-entity
# certificate with the usual client key usages; the CA still decides
# what it actually issues.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#authorityInfoAccess = OCSP;URI:http://localhost:8888/
214 
[ v3_ca ]


# Extensions for a typical CA (used for the self-signed certificate
# created by 'openssl req -x509', see x509_extensions in [ req ]).


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

#authorityInfoAccess = OCSP;URI:http://localhost:8888
#crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Test_CA_2009.2.crl
# PKIX recommends marking basicConstraints critical, and that is what the
# active line below does. Some broken software chokes on critical
# extensions; if such software has to consume this CA certificate,
# drop the "critical," prefix (the two lines are otherwise identical).
#basicConstraints = critical,CA:true
basicConstraints = critical, CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default. For a CA that only ever signs certificates and
# CRLs, enabling it restricts the key to exactly those operations.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
253 
[ crl_ext ]
# Extensions for CRLs (selected via 'crl_extensions' in [ CA_default ]).
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL;
# the key identifier lets verifiers find the signing CA certificate.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
261 
[ proxy_cert_ext ]
# Extensions that should be added when creating a proxy certificate.

# Explicitly not a CA. This goes against PKIX guidelines but some CAs
# do it and some software requires it to avoid interpreting an end
# user certificate as a CA.
basicConstraints = CA:FALSE

# nsCertType examples. When it is omitted the certificate can be used
# for anything *except* object signing.
#   SSL server:                    nsCertType = server
#   object signing:                nsCertType = objsign
#   normal client use:             nsCertType = client, email
#   everything incl. obj signing:  nsCertType = client, email, objsign

# Typical keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Shown in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations, harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# subjectAltName / issuerAltName handling.
# Import the email address:
# subjectAltName=email:copy
# Alternative that yields certificates which are not deprecated
# according to PKIX:
# subjectAltName=email:move
# Copy subject details:
# issuerAltName=issuer:copy

# Netscape URL extensions, all unset.
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# Required for the result to be a proxy certificate at all: language,
# path length limit for further delegation, and the policy value.
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
314