openssl-vms.cnf (1.1.1.3) openssl-vms.cnf (1.1.1.4)
1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME = .

--- 30 unchanged lines hidden (view full) ---

39####################################################################
40[ CA_default ]
41
42dir = sys\$disk:[.demoCA # Where everything is kept
43certs = $dir.certs] # Where the issued certs are kept
44crl_dir = $dir.crl] # Where the issued crl are kept
45database = $dir]index.txt # database index file.
46#unique_subject = no # Set to 'no' to allow creation of
1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME = .

--- 30 unchanged lines hidden (view full) ---

39####################################################################
40[ CA_default ]
41
42dir = sys\$disk:[.demoCA # Where everything is kept
43certs = $dir.certs] # Where the issued certs are kept
44crl_dir = $dir.crl] # Where the issued crl are kept
45database = $dir]index.txt # database index file.
46#unique_subject = no # Set to 'no' to allow creation of
47 # several ctificates with same subject.
47 # several certs with same subject.
48new_certs_dir = $dir.newcerts] # default place for new certs.
49
50certificate = $dir]cacert.pem # The CA certificate
51serial = $dir]serial. # The current serial number
52crlnumber = $dir]crlnumber. # the current crl number
53 # must be commented out to leave a V1 CRL
54crl = $dir]crl.pem # The current CRL
55private_key = $dir.private]cakey.pem# The private key
56RANDFILE = $dir.private].rand # private random number file
57
48new_certs_dir = $dir.newcerts] # default place for new certs.
49
50certificate = $dir]cacert.pem # The CA certificate
51serial = $dir]serial. # The current serial number
52crlnumber = $dir]crlnumber. # the current crl number
53 # must be commented out to leave a V1 CRL
54crl = $dir]crl.pem # The current CRL
55private_key = $dir.private]cakey.pem# The private key
56RANDFILE = $dir.private].rand # private random number file
57
58x509_extensions = usr_cert # The extentions to add to the cert
58x509_extensions = usr_cert # The extensions to add to the cert
59
60# Comment out the following two lines for the "traditional"
61# (and highly broken) format.
62name_opt = ca_default # Subject Name options
63cert_opt = ca_default # Certificate field options
64
65# Extension copying option: use with caution.
66# copy_extensions = copy

--- 35 unchanged lines hidden (view full) ---

102emailAddress = optional
103
104####################################################################
105[ req ]
106default_bits = 2048
107default_keyfile = privkey.pem
108distinguished_name = req_distinguished_name
109attributes = req_attributes
59
60# Comment out the following two lines for the "traditional"
61# (and highly broken) format.
62name_opt = ca_default # Subject Name options
63cert_opt = ca_default # Certificate field options
64
65# Extension copying option: use with caution.
66# copy_extensions = copy

--- 35 unchanged lines hidden (view full) ---

102emailAddress = optional
103
104####################################################################
105[ req ]
106default_bits = 2048
107default_keyfile = privkey.pem
108distinguished_name = req_distinguished_name
109attributes = req_attributes
110x509_extensions = v3_ca # The extentions to add to the self signed cert
110x509_extensions = v3_ca # The extensions to add to the self signed cert
111
112# Passwords for private keys if not present they will be prompted for
113# input_password = secret
114# output_password = secret
115
116# This sets a mask for permitted string types. There are several options.
117# default: PrintableString, T61String, BMPString.
118# pkix : PrintableString, BMPString (PKIX recommendation before 2004)

--- 109 unchanged lines hidden (view full) ---

228
229
230# PKIX recommendation.
231
232subjectKeyIdentifier=hash
233
234authorityKeyIdentifier=keyid:always,issuer
235
111
112# Passwords for private keys if not present they will be prompted for
113# input_password = secret
114# output_password = secret
115
116# This sets a mask for permitted string types. There are several options.
117# default: PrintableString, T61String, BMPString.
118# pkix : PrintableString, BMPString (PKIX recommendation before 2004)

--- 109 unchanged lines hidden (view full) ---

228
229
230# PKIX recommendation.
231
232subjectKeyIdentifier=hash
233
234authorityKeyIdentifier=keyid:always,issuer
235
236# This is what PKIX recommends but some broken software chokes on critical
237# extensions.
238#basicConstraints = critical,CA:true
239# So we do this instead.
240basicConstraints = CA:true
236basicConstraints = critical,CA:true
241
242# Key usage: this is typical for a CA certificate. However since it will
243# prevent it being used as an test self-signed certificate it is best
244# left out by default.
245# keyUsage = cRLSign, keyCertSign
246
247# Some might want this also
248# nsCertType = sslCA, emailCA

--- 81 unchanged lines hidden (view full) ---

330dir = sys\$disk:[.demoCA # TSA root directory
331serial = $dir]tsaserial. # The current serial number (mandatory)
332crypto_device = builtin # OpenSSL engine to use for signing
333signer_cert = $dir/tsacert.pem # The TSA signing certificate
334 # (optional)
335certs = $dir.cacert.pem] # Certificate chain to include in reply
336 # (optional)
337signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
237
238# Key usage: this is typical for a CA certificate. However since it will
239# prevent it being used as an test self-signed certificate it is best
240# left out by default.
241# keyUsage = cRLSign, keyCertSign
242
243# Some might want this also
244# nsCertType = sslCA, emailCA

--- 81 unchanged lines hidden (view full) ---

326dir = sys\$disk:[.demoCA # TSA root directory
327serial = $dir]tsaserial. # The current serial number (mandatory)
328crypto_device = builtin # OpenSSL engine to use for signing
329signer_cert = $dir/tsacert.pem # The TSA signing certificate
330 # (optional)
331certs = $dir.cacert.pem] # Certificate chain to include in reply
332 # (optional)
333signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
338
334signer_digest = sha256 # Signing digest to use. (Optional)
339default_policy = tsa_policy1 # Policy if request did not specify it
340 # (optional)
341other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
335default_policy = tsa_policy1 # Policy if request did not specify it
336 # (optional)
337other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
342digests = md5, sha1 # Acceptable message digests (mandatory)
338digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
343accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
344clock_precision_digits = 0 # number of digits after dot. (optional)
345ordering = yes # Is ordering defined for timestamps?
346 # (optional, default: no)
347tsa_name = yes # Must the TSA name be included in the reply?
348 # (optional, default: no)
349ess_cert_id_chain = no # Must the ESS cert id chain be included?
350 # (optional, default: no)
339accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
340clock_precision_digits = 0 # number of digits after dot. (optional)
341ordering = yes # Is ordering defined for timestamps?
342 # (optional, default: no)
343tsa_name = yes # Must the TSA name be included in the reply?
344 # (optional, default: no)
345ess_cert_id_chain = no # Must the ESS cert id chain be included?
346 # (optional, default: no)
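Review bot: The new TSA `digests` line (new line 338) still lists `sha1` as an acceptable message digest, even though the same change drops `md5` and adds `signer_digest = sha256`. SHA-1 is no longer collision-resistant, so a timestamp authority configured this way will sign imprints that can be made to match more than one document. Because this sample file is widely copied, `digests = sha256, sha384, sha512` would be the safer default, with a comment such as `# add sha1 only for legacy clients that cannot send SHA-2 imprints`. In the v3_ca hunk, `basicConstraints = critical,CA:true` (new line 236) replaces the old explanation of why the critical flag was off; a one-line comment there, for example `# critical per PKIX; relying software must understand this extension`, would keep the reason visible. The viewer hides most of the surrounding sections, so any related settings outside the visible lines are not covered by this note.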