1# For use with easy-rsa version 2.0 and OpenSSL 1.0.0* 2 3# This definition stops the following lines choking if HOME isn't 4# defined. 5HOME = . 6RANDFILE = $ENV::HOME/.rnd 7openssl_conf = openssl_init 8 9[ openssl_init ] 10# Extra OBJECT IDENTIFIER info: 11#oid_file = $ENV::HOME/.oid 12oid_section = new_oids 13engines = engine_section 14 15# To use this configuration file with the "-extfile" option of the 16# "openssl x509" utility, name here the section containing the 17# X.509v3 extensions to use: 18# extensions = 19# (Alternatively, use a configuration file that has only 20# X.509v3 extensions in its main [= default] section.) 21 22[ new_oids ] 23 24# We can add new OIDs in here for use by 'ca' and 'req'. 25# Add a simple OID like this: 26# testoid1=1.2.3.4 27# Or use config file substitution like this: 28# testoid2=${testoid1}.5.6 29 30#################################################################### 31[ ca ] 32default_ca = CA_default # The default ca section 33 34#################################################################### 35[ CA_default ] 36 37dir = $ENV::KEY_DIR # Where everything is kept 38certs = $dir # Where the issued certs are kept 39crl_dir = $dir # Where the issued crl are kept 40database = $dir/index.txt # database index file. 41new_certs_dir = $dir # default place for new certs. 42 43certificate = $dir/ca.crt # The CA certificate 44serial = $dir/serial # The current serial number 45crl = $dir/crl.pem # The current CRL 46private_key = $dir/ca.key # The private key 47RANDFILE = $dir/.rand # private random number file 48 49x509_extensions = usr_cert # The extentions to add to the cert 50 51# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 52# so this is commented out by default to leave a V1 CRL. 53# crl_extensions = crl_ext 54 55default_days = 3650 # how long to certify for 56default_crl_days= 30 # how long before next CRL 57default_md = md5 # use public key default MD 58preserve = no # keep passed DN ordering 59 60# A few difference way of specifying how similar the request should look 61# For type CA, the listed attributes must be the same, and the optional 62# and supplied fields are just that :-) 63policy = policy_anything 64 65# For the CA policy 66[ policy_match ] 67countryName = match 68stateOrProvinceName = match 69organizationName = match 70organizationalUnitName = optional 71commonName = supplied 72name = optional 73emailAddress = optional 74 75# For the 'anything' policy 76# At this point in time, you must list all acceptable 'object' 77# types. 78[ policy_anything ] 79countryName = optional 80stateOrProvinceName = optional 81localityName = optional 82organizationName = optional 83organizationalUnitName = optional 84commonName = supplied 85name = optional 86emailAddress = optional 87 88#################################################################### 89[ req ] 90default_bits = $ENV::KEY_SIZE 91default_keyfile = privkey.pem 92distinguished_name = req_distinguished_name 93attributes = req_attributes 94x509_extensions = v3_ca # The extentions to add to the self signed cert 95 96# Passwords for private keys if not present they will be prompted for 97# input_password = secret 98# output_password = secret 99 100# This sets a mask for permitted string types. There are several options. 101# default: PrintableString, T61String, BMPString. 102# pkix : PrintableString, BMPString (PKIX recommendation after 2004). 103# utf8only: only UTF8Strings (PKIX recommendation after 2004). 104# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 105# MASK:XXXX a literal mask value. 106string_mask = nombstr 107 108# req_extensions = v3_req # The extensions to add to a certificate request 109 110[ req_distinguished_name ] 111countryName = Country Name (2 letter code) 112countryName_default = $ENV::KEY_COUNTRY 113countryName_min = 2 114countryName_max = 2 115 116stateOrProvinceName = State or Province Name (full name) 117stateOrProvinceName_default = $ENV::KEY_PROVINCE 118 119localityName = Locality Name (eg, city) 120localityName_default = $ENV::KEY_CITY 121 1220.organizationName = Organization Name (eg, company) 1230.organizationName_default = $ENV::KEY_ORG 124 125# we can do this but it is not needed normally :-) 126#1.organizationName = Second Organization Name (eg, company) 127#1.organizationName_default = World Wide Web Pty Ltd 128 129organizationalUnitName = Organizational Unit Name (eg, section) 130#organizationalUnitName_default = 131 132commonName = Common Name (eg, your name or your server\'s hostname) 133commonName_max = 64 134 135name = Name 136name_max = 64 137 138emailAddress = Email Address 139emailAddress_default = $ENV::KEY_EMAIL 140emailAddress_max = 40 141 142# JY -- added for batch mode 143organizationalUnitName_default = $ENV::KEY_OU 144commonName_default = $ENV::KEY_CN 145name_default = $ENV::KEY_NAME 146 147 148# SET-ex3 = SET extension number 3 149 150[ req_attributes ] 151challengePassword = A challenge password 152challengePassword_min = 4 153challengePassword_max = 20 154 155unstructuredName = An optional company name 156 157[ usr_cert ] 158 159# These extensions are added when 'ca' signs a request. 160 161# This goes against PKIX guidelines but some CAs do it and some software 162# requires this to avoid interpreting an end user certificate as a CA. 163 164basicConstraints=CA:FALSE 165 166# Here are some examples of the usage of nsCertType. If it is omitted 167# the certificate can be used for anything *except* object signing. 168 169# This is OK for an SSL server. 170# nsCertType = server 171 172# For an object signing certificate this would be used. 173# nsCertType = objsign 174 175# For normal client use this is typical 176# nsCertType = client, email 177 178# and for everything including object signing: 179# nsCertType = client, email, objsign 180 181# This is typical in keyUsage for a client certificate. 182# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 183 184# This will be displayed in Netscape's comment listbox. 185nsComment = "Easy-RSA Generated Certificate" 186 187# PKIX recommendations harmless if included in all certificates. 188subjectKeyIdentifier=hash 189authorityKeyIdentifier=keyid,issuer:always 190extendedKeyUsage=clientAuth 191keyUsage = digitalSignature 192 193 194# This stuff is for subjectAltName and issuerAltname. 195# Import the email address. 196# subjectAltName=email:copy 197 198# Copy subject details 199# issuerAltName=issuer:copy 200 201#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 202#nsBaseUrl 203#nsRevocationUrl 204#nsRenewalUrl 205#nsCaPolicyUrl 206#nsSslServerName 207 208[ server ] 209 210# JY ADDED -- Make a cert with nsCertType set to "server" 211basicConstraints=CA:FALSE 212nsCertType = server 213nsComment = "Easy-RSA Generated Server Certificate" 214subjectKeyIdentifier=hash 215authorityKeyIdentifier=keyid,issuer:always 216extendedKeyUsage=serverAuth 217keyUsage = digitalSignature, keyEncipherment 218 219[ v3_req ] 220 221# Extensions to add to a certificate request 222 223basicConstraints = CA:FALSE 224keyUsage = nonRepudiation, digitalSignature, keyEncipherment 225 226[ v3_ca ] 227 228 229# Extensions for a typical CA 230 231 232# PKIX recommendation. 233 234subjectKeyIdentifier=hash 235 236authorityKeyIdentifier=keyid:always,issuer:always 237 238# This is what PKIX recommends but some broken software chokes on critical 239# extensions. 240#basicConstraints = critical,CA:true 241# So we do this instead. 242basicConstraints = CA:true 243 244# Key usage: this is typical for a CA certificate. However since it will 245# prevent it being used as an test self-signed certificate it is best 246# left out by default. 247# keyUsage = cRLSign, keyCertSign 248 249# Some might want this also 250# nsCertType = sslCA, emailCA 251 252# Include email address in subject alt name: another PKIX recommendation 253# subjectAltName=email:copy 254# Copy issuer details 255# issuerAltName=issuer:copy 256 257# DER hex encoding of an extension: beware experts only! 258# obj=DER:02:03 259# Where 'obj' is a standard or added object 260# You can even override a supported extension: 261# basicConstraints= critical, DER:30:03:01:01:FF 262 263[ crl_ext ] 264 265# CRL extensions. 266# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 267 268# issuerAltName=issuer:copy 269authorityKeyIdentifier=keyid:always,issuer:always 270 271[ engine_section ] 272# 273# If you are using PKCS#11 274# Install engine_pkcs11 of opensc (www.opensc.org) 275# And uncomment the following 276# verify that dynamic_path points to the correct location 277# 278#pkcs11 = pkcs11_section 279 280[ pkcs11_section ] 281engine_id = pkcs11 282dynamic_path = /usr/lib/engines/engine_pkcs11.so 283MODULE_PATH = $ENV::PKCS11_MODULE_PATH 284PIN = $ENV::PKCS11_PIN 285init = 0 286