
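#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by the openssl(1) utilities ('ca', 'req', 'x509', ...).  Values may
# reference other keys in the same section as $name / ${name} and
# environment variables as $ENV::NAME.  A '#' starts a comment anywhere
# on a line, so the trailing "# ..." notes below are not part of the value.
#
# The signing digest (default_md) and key size (default_bits) are set to
# sha256 / 2048 because the historical sha1 / 1024-bit values are no longer
# acceptable for certificates that anything else will trust.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
# Entry point for 'openssl ca': names the section holding the CA settings.
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
# Settings for the default CA: file layout, signing defaults, DN policy.
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# The CA signing key.  Keep this file readable only by the CA operator;
# anyone who can read it can issue certificates as this CA.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# With 'copy', X.509v3 extensions present in the request are carried into
# the issued certificate, so a requester can ask for extensions the CA did
# not intend to grant (its own subjectAltName, basicConstraints, ...).
# Leave it off unless every request is reviewed before signing.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Digest used to sign issued certificates and CRLs.  sha1 is rejected by
# current TLS clients and is collision-prone; use a SHA-2 digest.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
# 'match' fields must equal the CA certificate's own DN, 'supplied' fields
# must be present in the request, 'optional' fields may be present.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# Everything but commonName is optional here, so the CA enforces nothing
# about the requested subject; only use it for requests that are reviewed
# by hand before signing.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
# Settings for 'openssl req': key generation and request contents.
[ req ]
# RSA key size generated by 'req'.  1024-bit RSA is too weak for current
# use; 2048 is the minimum generally accepted, larger is fine.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# Setting them here stores the key passphrase in plain text in this file;
# prefer the interactive prompt or a separate, permission-restricted file.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# With nombstr, non-ASCII subject fields cannot be encoded as UTF8String;
# utf8only is the usual choice when old Netscape compatibility is not needed.
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

# Prompts, defaults and length limits for the request's subject DN.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

# Optional request attributes (PKCS#9) prompted for by 'req'.
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
# (The surrounding quotes are stripped by the config parser.)
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# Without it the CA key is not restricted to signing certificates and CRLs;
# enable it for any CA that is more than a throwaway test.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# 'policy:foo' looks like an example placeholder; replace it with the real
# policy value, and keep pathlen as small as the deployment allows.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo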