1 ############################################################### 2 # 3 # Licensed to the Apache Software Foundation (ASF) under one 4 # or more contributor license agreements. See the NOTICE file 5 # distributed with this work for additional information 6 # regarding copyright ownership. The ASF licenses this file 7 # to you under the Apache License, Version 2.0 (the 8 # "License"); you may not use this file except in compliance 9 # with the License. You may obtain a copy of the License at 10 # 11 # http://www.apache.org/licenses/LICENSE-2.0 12 # 13 # Unless required by applicable law or agreed to in writing, 14 # software distributed under the License is distributed on an 15 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16 # KIND, either express or implied. See the License for the 17 # specific language governing permissions and limitations 18 # under the License. 19 # 20 ############################################################### 21 22 # 23 # OpenSSL example configuration file. 24 # This is mostly being used for generation of certificate requests. 25 # 26 27 # This definition stops the following lines choking if HOME isn't 28 # defined. 29 HOME = . 30 RANDFILE = $ENV::HOME/.rnd 31 32 # Extra OBJECT IDENTIFIER info: 33 #oid_file = $ENV::HOME/.oid 34 oid_section = new_oids 35 36 # To use this configuration file with the "-extfile" option of the 37 # "openssl x509" utility, name here the section containing the 38 # X.509v3 extensions to use: 39 # extensions = 40 # (Alternatively, use a configuration file that has only 41 # X.509v3 extensions in its main [= default] section.) 42 43 [ new_oids ] 44 45 # We can add new OIDs in here for use by 'ca' and 'req'. 46 # Add a simple OID like this: 47 # testoid1=1.2.3.4 48 # Or use config file substitution like this: 49 # testoid2=${testoid1}.5.6 50 51 #################################################################### 52 [ ca ] 53 default_ca = CA_default # The default ca section 54 55 #################################################################### 56 [ CA_default ] 57 58 dir = ./demoCA # Where everything is kept 59 certs = $dir/certs # Where the issued certs are kept 60 crl_dir = $dir/crl # Where the issued crl are kept 61 database = $dir/index.txt # database index file. 62 #unique_subject = no # Set to 'no' to allow creation of 63 # several ctificates with same subject. 64 new_certs_dir = $dir/newcerts # default place for new certs. 65 66 certificate = $dir/cacert.pem # The CA certificate 67 serial = $dir/serial # The current serial number 68 crlnumber = $dir/crlnumber # the current crl number 69 # must be commented out to leave a V1 CRL 70 crl = $dir/crl.pem # The current CRL 71 private_key = $dir/private/cakey.pem # The private key 72 RANDFILE = $dir/private/.rand # private random number file 73 74 x509_extensions = usr_cert # The extentions to add to the cert 75 76 # Comment out the following two lines for the "traditional" 77 # (and highly broken) format. 78 name_opt = ca_default # Subject Name options 79 cert_opt = ca_default # Certificate field options 80 81 # Extension copying option: use with caution. 82 # copy_extensions = copy 83 84 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 85 # so this is commented out by default to leave a V1 CRL. 86 # crlnumber must also be commented out to leave a V1 CRL. 87 # crl_extensions = crl_ext 88 89 default_days = 365 # how long to certify for 90 default_crl_days= 30 # how long before next CRL 91 default_md = sha1 # which md to use. 92 preserve = no # keep passed DN ordering 93 94 # A few difference way of specifying how similar the request should look 95 # For type CA, the listed attributes must be the same, and the optional 96 # and supplied fields are just that :-) 97 policy = policy_match 98 99 # For the CA policy 100 [ policy_match ] 101 countryName = match 102 stateOrProvinceName = match 103 organizationName = match 104 organizationalUnitName = optional 105 commonName = supplied 106 emailAddress = optional 107 108 # For the 'anything' policy 109 # At this point in time, you must list all acceptable 'object' 110 # types. 111 [ policy_anything ] 112 countryName = optional 113 stateOrProvinceName = optional 114 localityName = optional 115 organizationName = optional 116 organizationalUnitName = optional 117 commonName = supplied 118 emailAddress = optional 119 120 #################################################################### 121 [ req ] 122 default_bits = 1024 123 default_keyfile = privkey.pem 124 distinguished_name = req_distinguished_name 125 attributes = req_attributes 126 x509_extensions = v3_ca # The extentions to add to the self signed cert 127 128 # Passwords for private keys if not present they will be prompted for 129 # input_password = secret 130 # output_password = secret 131 132 # This sets a mask for permitted string types. There are several options. 133 # default: PrintableString, T61String, BMPString. 134 # pkix : PrintableString, BMPString. 135 # utf8only: only UTF8Strings. 136 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 137 # MASK:XXXX a literal mask value. 138 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 139 # so use this option with caution! 140 string_mask = nombstr 141 142 # req_extensions = v3_req # The extensions to add to a certificate request 143 144 [ req_distinguished_name ] 145 countryName = Country Name (2 letter code) 146 countryName_default = DE 147 countryName_min = 2 148 countryName_max = 2 149 150 stateOrProvinceName = State or Province Name (full name) 151 stateOrProvinceName_default = Hamburg 152 153 localityName = Locality Name (eg, city) 154 155 0.organizationName = Organization Name (eg, company) 156 0.organizationName_default = OpenOffice.org 157 158 # we can do this but it is not needed normally :-) 159 #1.organizationName = Second Organization Name (eg, company) 160 #1.organizationName_default = World Wide Web Pty Ltd 161 162 organizationalUnitName = Organizational Unit Name (eg, section) 163 organizationalUnitName_default = Development 164 165 commonName = Common Name (eg, YOUR name) 166 commonName_max = 64 167 168 emailAddress = Email Address 169 emailAddress_max = 64 170 171 # SET-ex3 = SET extension number 3 172 173 [ req_attributes ] 174 challengePassword = A challenge password 175 challengePassword_min = 4 176 challengePassword_max = 20 177 178 unstructuredName = An optional company name 179 180 [ usr_cert ] 181 182 # These extensions are added when 'ca' signs a request. 183 #authorityInfoAccess = OCSP;URI:http://localhost:8888/ 184 185 # This is typical in keyUsage for a client certificate. 186 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 187 188 # This will be displayed in Netscape's comment listbox. 189 nsComment = "OpenSSL Generated Certificate" 190 191 # PKIX recommendations harmless if included in all certificates. 192 subjectKeyIdentifier=hash 193 authorityKeyIdentifier=keyid,issuer 194 195 # This stuff is for subjectAltName and issuerAltname. 196 # Import the email address. 197 # subjectAltName=email:copy 198 # An alternative to produce certificates that aren't 199 # deprecated according to PKIX. 200 # subjectAltName=email:move 201 202 # Copy subject details 203 # issuerAltName=issuer:copy 204 205 206 207 [ v3_req ] 208 209 # Extensions to add to a certificate request 210 211 basicConstraints = CA:FALSE 212 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 213 #authorityInfoAccess = OCSP;URI:http://localhost:8888/ 214 215 [ v3_ca ] 216 217 218 # Extensions for a typical CA 219 220 221 # PKIX recommendation. 222 223 subjectKeyIdentifier=hash 224 225 authorityKeyIdentifier=keyid:always,issuer:always 226 227 #authorityInfoAccess = OCSP;URI:http://localhost:8888 228 #crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Test_CA_2009.2.crl 229 # This is what PKIX recommends but some broken software chokes on critical 230 # extensions. 231 #basicConstraints = critical,CA:true 232 # So we do this instead. 233 basicConstraints = critical, CA:true 234 235 # Key usage: this is typical for a CA certificate. However since it will 236 # prevent it being used as an test self-signed certificate it is best 237 # left out by default. 238 # keyUsage = cRLSign, keyCertSign 239 240 # Some might want this also 241 # nsCertType = sslCA, emailCA 242 243 # Include email address in subject alt name: another PKIX recommendation 244 # subjectAltName=email:copy 245 # Copy issuer details 246 # issuerAltName=issuer:copy 247 248 # DER hex encoding of an extension: beware experts only! 249 # obj=DER:02:03 250 # Where 'obj' is a standard or added object 251 # You can even override a supported extension: 252 # basicConstraints= critical, DER:30:03:01:01:FF 253 254 [ crl_ext ] 255 256 # CRL extensions. 257 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 258 259 # issuerAltName=issuer:copy 260 authorityKeyIdentifier=keyid:always,issuer:always 261 262 [ proxy_cert_ext ] 263 # These extensions should be added when creating a proxy certificate 264 265 # This goes against PKIX guidelines but some CAs do it and some software 266 # requires this to avoid interpreting an end user certificate as a CA. 267 268 basicConstraints=CA:FALSE 269 270 # Here are some examples of the usage of nsCertType. If it is omitted 271 # the certificate can be used for anything *except* object signing. 272 273 # This is OK for an SSL server. 274 # nsCertType = server 275 276 # For an object signing certificate this would be used. 277 # nsCertType = objsign 278 279 # For normal client use this is typical 280 # nsCertType = client, email 281 282 # and for everything including object signing: 283 # nsCertType = client, email, objsign 284 285 # This is typical in keyUsage for a client certificate. 286 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 287 288 # This will be displayed in Netscape's comment listbox. 289 nsComment = "OpenSSL Generated Certificate" 290 291 # PKIX recommendations harmless if included in all certificates. 292 subjectKeyIdentifier=hash 293 authorityKeyIdentifier=keyid,issuer:always 294 295 # This stuff is for subjectAltName and issuerAltname. 296 # Import the email address. 297 # subjectAltName=email:copy 298 # An alternative to produce certificates that aren't 299 # deprecated according to PKIX. 300 # subjectAltName=email:move 301 302 # Copy subject details 303 # issuerAltName=issuer:copy 304 305 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 306 #nsBaseUrl 307 #nsRevocationUrl 308 #nsRenewalUrl 309 #nsCaPolicyUrl 310 #nsSslServerName 311 312 # This really needs to be in place for it to be a proxy certificate. 313 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 314