1# 2# OpenSSL example configuration file. 3# This is mostly being used for generation of certificate requests. 4# 5 6# This definition stops the following lines choking if HOME isn't 7# defined. 8HOME = . 9RANDFILE = $ENV::HOME/.rnd 10 11# Extra OBJECT IDENTIFIER info: 12#oid_file = $ENV::HOME/.oid 13oid_section = new_oids 14 15# To use this configuration file with the "-extfile" option of the 16# "openssl x509" utility, name here the section containing the 17# X.509v3 extensions to use: 18# extensions = 19# (Alternatively, use a configuration file that has only 20# X.509v3 extensions in its main [= default] section.) 21 22[ new_oids ] 23 24# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 25# Add a simple OID like this: 26# testoid1=1.2.3.4 27# Or use config file substitution like this: 28# testoid2=${testoid1}.5.6 29 30# Policies used by the TSA examples. 31tsa_policy1 = 1.2.3.4.1 32tsa_policy2 = 1.2.3.4.5.6 33tsa_policy3 = 1.2.3.4.5.7 34 35#################################################################### 36[ ca ] 37default_ca = CA_default # The default ca section 38 39#################################################################### 40[ CA_default ] 41 42dir = ./demoCA # Where everything is kept 43certs = $dir/certs # Where the issued certs are kept 44crl_dir = $dir/crl # Where the issued crl are kept 45database = $dir/index.txt # database index file. 46#unique_subject = no # Set to 'no' to allow creation of 47 # several ctificates with same subject. 48new_certs_dir = $dir/newcerts # default place for new certs. 49 50certificate = $dir/cacert.pem # The CA certificate 51serial = $dir/serial # The current serial number 52crlnumber = $dir/crlnumber # the current crl number 53 # must be commented out to leave a V1 CRL 54crl = $dir/crl.pem # The current CRL 55private_key = $dir/private/cakey.pem# The private key 56RANDFILE = $dir/private/.rand # private random number file 57 58x509_extensions = usr_cert # The extentions to add to the cert 59 60# Comment out the following two lines for the "traditional" 61# (and highly broken) format. 62name_opt = ca_default # Subject Name options 63cert_opt = ca_default # Certificate field options 64 65# Extension copying option: use with caution. 66# copy_extensions = copy 67 68# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 69# so this is commented out by default to leave a V1 CRL. 70# crlnumber must also be commented out to leave a V1 CRL. 71# crl_extensions = crl_ext 72 73default_days = 365 # how long to certify for 74default_crl_days= 30 # how long before next CRL 75default_md = default # use public key default MD 76preserve = no # keep passed DN ordering 77 78# A few difference way of specifying how similar the request should look 79# For type CA, the listed attributes must be the same, and the optional 80# and supplied fields are just that :-) 81policy = policy_match 82 83# For the CA policy 84[ policy_match ] 85countryName = match 86stateOrProvinceName = match 87organizationName = match 88organizationalUnitName = optional 89commonName = supplied 90emailAddress = optional 91 92# For the 'anything' policy 93# At this point in time, you must list all acceptable 'object' 94# types. 95[ policy_anything ] 96countryName = optional 97stateOrProvinceName = optional 98localityName = optional 99organizationName = optional 100organizationalUnitName = optional 101commonName = supplied 102emailAddress = optional 103 104#################################################################### 105[ req ] 106default_bits = 2048 107default_keyfile = privkey.pem 108distinguished_name = req_distinguished_name 109attributes = req_attributes 110x509_extensions = v3_ca # The extentions to add to the self signed cert 111 112# Passwords for private keys if not present they will be prompted for 113# input_password = secret 114# output_password = secret 115 116# This sets a mask for permitted string types. There are several options. 117# default: PrintableString, T61String, BMPString. 118# pkix : PrintableString, BMPString (PKIX recommendation before 2004) 119# utf8only: only UTF8Strings (PKIX recommendation after 2004). 120# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 121# MASK:XXXX a literal mask value. 122# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 123string_mask = utf8only 124 125# req_extensions = v3_req # The extensions to add to a certificate request 126 127[ req_distinguished_name ] 128countryName = Country Name (2 letter code) 129countryName_default = AU 130countryName_min = 2 131countryName_max = 2 132 133stateOrProvinceName = State or Province Name (full name) 134stateOrProvinceName_default = Some-State 135 136localityName = Locality Name (eg, city) 137 1380.organizationName = Organization Name (eg, company) 1390.organizationName_default = Internet Widgits Pty Ltd 140 141# we can do this but it is not needed normally :-) 142#1.organizationName = Second Organization Name (eg, company) 143#1.organizationName_default = World Wide Web Pty Ltd 144 145organizationalUnitName = Organizational Unit Name (eg, section) 146#organizationalUnitName_default = 147 148commonName = Common Name (e.g. server FQDN or YOUR name) 149commonName_max = 64 150 151emailAddress = Email Address 152emailAddress_max = 64 153 154# SET-ex3 = SET extension number 3 155 156[ req_attributes ] 157challengePassword = A challenge password 158challengePassword_min = 4 159challengePassword_max = 20 160 161unstructuredName = An optional company name 162 163[ usr_cert ] 164 165# These extensions are added when 'ca' signs a request. 166 167# This goes against PKIX guidelines but some CAs do it and some software 168# requires this to avoid interpreting an end user certificate as a CA. 169 170basicConstraints=CA:FALSE 171 172# Here are some examples of the usage of nsCertType. If it is omitted 173# the certificate can be used for anything *except* object signing. 174 175# This is OK for an SSL server. 176# nsCertType = server 177 178# For an object signing certificate this would be used. 179# nsCertType = objsign 180 181# For normal client use this is typical 182# nsCertType = client, email 183 184# and for everything including object signing: 185# nsCertType = client, email, objsign 186 187# This is typical in keyUsage for a client certificate. 188# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 189 190# This will be displayed in Netscape's comment listbox. 191nsComment = "OpenSSL Generated Certificate" 192 193# PKIX recommendations harmless if included in all certificates. 194subjectKeyIdentifier=hash 195authorityKeyIdentifier=keyid,issuer 196 197# This stuff is for subjectAltName and issuerAltname. 198# Import the email address. 199# subjectAltName=email:copy 200# An alternative to produce certificates that aren't 201# deprecated according to PKIX. 202# subjectAltName=email:move 203 204# Copy subject details 205# issuerAltName=issuer:copy 206 207#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 208#nsBaseUrl 209#nsRevocationUrl 210#nsRenewalUrl 211#nsCaPolicyUrl 212#nsSslServerName 213 214# This is required for TSA certificates. 215# extendedKeyUsage = critical,timeStamping 216 217[ v3_req ] 218 219# Extensions to add to a certificate request 220 221basicConstraints = CA:FALSE 222keyUsage = nonRepudiation, digitalSignature, keyEncipherment 223 224[ v3_ca ] 225 226 227# Extensions for a typical CA 228 229 230# PKIX recommendation. 231 232subjectKeyIdentifier=hash 233 234authorityKeyIdentifier=keyid:always,issuer 235 236# This is what PKIX recommends but some broken software chokes on critical 237# extensions. 238#basicConstraints = critical,CA:true 239# So we do this instead. 240basicConstraints = CA:true 241 242# Key usage: this is typical for a CA certificate. However since it will 243# prevent it being used as an test self-signed certificate it is best 244# left out by default. 245# keyUsage = cRLSign, keyCertSign 246 247# Some might want this also 248# nsCertType = sslCA, emailCA 249 250# Include email address in subject alt name: another PKIX recommendation 251# subjectAltName=email:copy 252# Copy issuer details 253# issuerAltName=issuer:copy 254 255# DER hex encoding of an extension: beware experts only! 256# obj=DER:02:03 257# Where 'obj' is a standard or added object 258# You can even override a supported extension: 259# basicConstraints= critical, DER:30:03:01:01:FF 260 261[ crl_ext ] 262 263# CRL extensions. 264# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 265 266# issuerAltName=issuer:copy 267authorityKeyIdentifier=keyid:always 268 269[ proxy_cert_ext ] 270# These extensions should be added when creating a proxy certificate 271 272# This goes against PKIX guidelines but some CAs do it and some software 273# requires this to avoid interpreting an end user certificate as a CA. 274 275basicConstraints=CA:FALSE 276 277# Here are some examples of the usage of nsCertType. If it is omitted 278# the certificate can be used for anything *except* object signing. 279 280# This is OK for an SSL server. 281# nsCertType = server 282 283# For an object signing certificate this would be used. 284# nsCertType = objsign 285 286# For normal client use this is typical 287# nsCertType = client, email 288 289# and for everything including object signing: 290# nsCertType = client, email, objsign 291 292# This is typical in keyUsage for a client certificate. 293# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 294 295# This will be displayed in Netscape's comment listbox. 296nsComment = "OpenSSL Generated Certificate" 297 298# PKIX recommendations harmless if included in all certificates. 299subjectKeyIdentifier=hash 300authorityKeyIdentifier=keyid,issuer 301 302# This stuff is for subjectAltName and issuerAltname. 303# Import the email address. 304# subjectAltName=email:copy 305# An alternative to produce certificates that aren't 306# deprecated according to PKIX. 307# subjectAltName=email:move 308 309# Copy subject details 310# issuerAltName=issuer:copy 311 312#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 313#nsBaseUrl 314#nsRevocationUrl 315#nsRenewalUrl 316#nsCaPolicyUrl 317#nsSslServerName 318 319# This really needs to be in place for it to be a proxy certificate. 320proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 321 322#################################################################### 323[ tsa ] 324 325default_tsa = tsa_config1 # the default TSA section 326 327[ tsa_config1 ] 328 329# These are used by the TSA reply generation only. 330dir = ./demoCA # TSA root directory 331serial = $dir/tsaserial # The current serial number (mandatory) 332crypto_device = builtin # OpenSSL engine to use for signing 333signer_cert = $dir/tsacert.pem # The TSA signing certificate 334 # (optional) 335certs = $dir/cacert.pem # Certificate chain to include in reply 336 # (optional) 337signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 338 339default_policy = tsa_policy1 # Policy if request did not specify it 340 # (optional) 341other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 342digests = md5, sha1 # Acceptable message digests (mandatory) 343accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 344clock_precision_digits = 0 # number of digits after dot. (optional) 345ordering = yes # Is ordering defined for timestamps? 346 # (optional, default: no) 347tsa_name = yes # Must the TSA name be included in the reply? 348 # (optional, default: no) 349ess_cert_id_chain = no # Must the ESS cert id chain be included? 350 # (optional, default: no) 351