openssl.cnf (142428) | openssl.cnf (160817) |
---|---|
1# $FreeBSD: head/crypto/openssl/apps/openssl.cnf 142428 2005-02-25 05:49:44Z nectar $ | 1# $FreeBSD: head/crypto/openssl/apps/openssl.cnf 160817 2006-07-29 19:14:51Z simon $ |
2# 3# OpenSSL example configuration file. 4# This is mostly being used for generation of certificate requests. 5# 6 7# This definition stops the following lines choking if HOME isn't 8# defined. 9HOME = . --- 30 unchanged lines hidden (view full) --- 40crl_dir = $dir/crl # Where the issued crl are kept 41database = $dir/index.txt # database index file. 42#unique_subject = no # Set to 'no' to allow creation of 43 # several ctificates with same subject. 44new_certs_dir = $dir/newcerts # default place for new certs. 45 46certificate = $dir/cacert.pem # The CA certificate 47serial = $dir/serial # The current serial number | 2# 3# OpenSSL example configuration file. 4# This is mostly being used for generation of certificate requests. 5# 6 7# This definition stops the following lines choking if HOME isn't 8# defined. 9HOME = . --- 30 unchanged lines hidden (view full) --- 40crl_dir = $dir/crl # Where the issued crl are kept 41database = $dir/index.txt # database index file. 42#unique_subject = no # Set to 'no' to allow creation of 43 # several ctificates with same subject. 44new_certs_dir = $dir/newcerts # default place for new certs. 45 46certificate = $dir/cacert.pem # The CA certificate 47serial = $dir/serial # The current serial number |
48#crlnumber = $dir/crlnumber # the current crl number must be 49 # commented out to leave a V1 CRL | 48crlnumber = $dir/crlnumber # the current crl number 49 # must be commented out to leave a V1 CRL |
50crl = $dir/crl.pem # The current CRL 51private_key = $dir/private/cakey.pem# The private key 52RANDFILE = $dir/private/.rand # private random number file 53 54x509_extensions = usr_cert # The extentions to add to the cert 55 56# Comment out the following two lines for the "traditional" 57# (and highly broken) format. --- 5 unchanged lines hidden (view full) --- 63 64# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 65# so this is commented out by default to leave a V1 CRL. 66# crlnumber must also be commented out to leave a V1 CRL. 67# crl_extensions = crl_ext 68 69default_days = 365 # how long to certify for 70default_crl_days= 30 # how long before next CRL | 50crl = $dir/crl.pem # The current CRL 51private_key = $dir/private/cakey.pem# The private key 52RANDFILE = $dir/private/.rand # private random number file 53 54x509_extensions = usr_cert # The extentions to add to the cert 55 56# Comment out the following two lines for the "traditional" 57# (and highly broken) format. --- 5 unchanged lines hidden (view full) --- 63 64# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 65# so this is commented out by default to leave a V1 CRL. 66# crlnumber must also be commented out to leave a V1 CRL. 67# crl_extensions = crl_ext 68 69default_days = 365 # how long to certify for 70default_crl_days= 30 # how long before next CRL |
71default_md = md5 # which md to use. | 71default_md = sha1 # which md to use. |
72preserve = no # keep passed DN ordering 73 74# A few difference way of specifying how similar the request should look 75# For type CA, the listed attributes must be the same, and the optional 76# and supplied fields are just that :-) 77policy = policy_match 78 79# For the CA policy --- 104 unchanged lines hidden (view full) --- 184# This is typical in keyUsage for a client certificate. 185# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 186 187# This will be displayed in Netscape's comment listbox. 188nsComment = "OpenSSL Generated Certificate" 189 190# PKIX recommendations harmless if included in all certificates. 191subjectKeyIdentifier=hash | 72preserve = no # keep passed DN ordering 73 74# A few difference way of specifying how similar the request should look 75# For type CA, the listed attributes must be the same, and the optional 76# and supplied fields are just that :-) 77policy = policy_match 78 79# For the CA policy --- 104 unchanged lines hidden (view full) --- 184# This is typical in keyUsage for a client certificate. 185# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 186 187# This will be displayed in Netscape's comment listbox. 188nsComment = "OpenSSL Generated Certificate" 189 190# PKIX recommendations harmless if included in all certificates. 191subjectKeyIdentifier=hash |
192authorityKeyIdentifier=keyid,issuer:always | 192authorityKeyIdentifier=keyid,issuer |
193 194# This stuff is for subjectAltName and issuerAltname. 195# Import the email address. 196# subjectAltName=email:copy 197# An alternative to produce certificates that aren't 198# deprecated according to PKIX. 199# subjectAltName=email:move 200 --- 53 unchanged lines hidden (view full) --- 254 255[ crl_ext ] 256 257# CRL extensions. 258# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 259 260# issuerAltName=issuer:copy 261authorityKeyIdentifier=keyid:always,issuer:always | 193 194# This stuff is for subjectAltName and issuerAltname. 195# Import the email address. 196# subjectAltName=email:copy 197# An alternative to produce certificates that aren't 198# deprecated according to PKIX. 199# subjectAltName=email:move 200 --- 53 unchanged lines hidden (view full) --- 254 255[ crl_ext ] 256 257# CRL extensions. 258# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 259 260# issuerAltName=issuer:copy 261authorityKeyIdentifier=keyid:always,issuer:always |
262 263[ proxy_cert_ext ] 264# These extensions should be added when creating a proxy certificate 265 266# This goes against PKIX guidelines but some CAs do it and some software 267# requires this to avoid interpreting an end user certificate as a CA. 268 269basicConstraints=CA:FALSE 270 271# Here are some examples of the usage of nsCertType. If it is omitted 272# the certificate can be used for anything *except* object signing. 273 274# This is OK for an SSL server. 275# nsCertType = server 276 277# For an object signing certificate this would be used. 278# nsCertType = objsign 279 280# For normal client use this is typical 281# nsCertType = client, email 282 283# and for everything including object signing: 284# nsCertType = client, email, objsign 285 286# This is typical in keyUsage for a client certificate. 287# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 288 289# This will be displayed in Netscape's comment listbox. 290nsComment = "OpenSSL Generated Certificate" 291 292# PKIX recommendations harmless if included in all certificates. 293subjectKeyIdentifier=hash 294authorityKeyIdentifier=keyid,issuer:always 295 296# This stuff is for subjectAltName and issuerAltname. 297# Import the email address. 298# subjectAltName=email:copy 299# An alternative to produce certificates that aren't 300# deprecated according to PKIX. 301# subjectAltName=email:move 302 303# Copy subject details 304# issuerAltName=issuer:copy 305 306#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 307#nsBaseUrl 308#nsRevocationUrl 309#nsRenewalUrl 310#nsCaPolicyUrl 311#nsSslServerName 312 313# This really needs to be in place for it to be a proxy certificate. 314proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo |
|