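# $FreeBSD$
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
# It is read by the openssl(1) 'ca', 'req', 'x509' and 'ts' commands;
# the section names referenced below (CA_default, req_distinguished_name,
# usr_cert, ...) are looked up by those commands.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
                     # several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
                           # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# Extensions copied from a request are chosen by the requester, so
# review what a request may carry before enabling this.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Signature digest for issued certificates and CRLs. 'default' selects
# the key type's built-in digest, which on older releases is SHA-1;
# name sha256 explicitly so the choice does not depend on the library.
default_md = sha256
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# RSA key size generated when none is given on the command line.
# 1024-bit keys are below the currently accepted minimum.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# Setting them here stores them in plaintext in this file; prefer the prompt.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# 'policy:foo' is an example placeholder; replace it with the policy
# your proxy-certificate consumers actually evaluate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
                               # (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
                        # (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

default_policy = tsa_policy1 # Policy if request did not specify it
                             # (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# Acceptable message digests (mandatory). The requester picks the data
# behind the imprint, so collision-broken digests (md5, sha1) are not
# accepted here.
digests = sha256, sha384, sha512
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
               # (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
               # (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
                       # (optional, default: no)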