openssl.cnf revision 256281
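# $FreeBSD: stable/10/crypto/openssl/apps/openssl.cnf 238405 2012-07-12 19:30:53Z jkim $
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This file is read by the OpenSSL CONF library (openssl ca / req / x509 /
# ts), not by a generic INI parser: '#' starts a comment anywhere on a
# line, $name and ${section::name} substitute earlier values, and
# $ENV::NAME reads the process environment.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions    =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples. These are example arcs only; a real
# TSA must use OIDs allocated to the operator.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
# Leaving unique_subject at its default rejects a second certificate for a
# subject that already has a valid entry in the database; relax it only if
# the CA deliberately re-issues under the same name.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
# The CA key is the most sensitive file here; keep $dir/private readable
# only by the account that runs 'openssl ca'.
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# With 'copy', extensions present in the request are carried into the
# issued certificate, so a requester can ask for subjectAltName entries
# (or other extensions) the CA never reviewed. Leave it off unless every
# request is checked by hand before signing.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
# Signature digest for issued certificates and CRLs. Name it explicitly
# rather than 'default' so the hash does not depend on what the signing
# key's default digest resolves to on a given OpenSSL release; SHA-1 is
# being retired by relying parties, so SHA-256 is the sensible floor.
default_md      = sha256                # digest for signing certs and CRLs
preserve        = no                    # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
# Key size for newly generated keys. 1024-bit RSA keys are no longer
# considered adequate and are rejected by current relying parties;
# 2048 is the common minimum.
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for.
# Do not set them here in a file that is checked in or world-readable;
# the prompt, or a separately protected file, is the safer route.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
# These attributes go into the request only; they are not copied into
# the issued certificate.
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default. For a CA that will actually issue certificates,
# enable it so the CA key cannot also be used as an end-entity key.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# 'policy:foo' is a placeholder; pathlen:3 bounds how many further proxy
# certificates may be chained below this one.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1       # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir             = ./demoCA              # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
crypto_device   = builtin               # OpenSSL engine to use for signing
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
                                        # (optional)
certs           = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)

default_policy  = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
# Message digests the TSA will accept in a request. md5 has been removed:
# the TSA signs whatever imprint the client submits, so accepting a digest
# with practical collisions lets a timestamp obtained for one document be
# presented as a timestamp for a colliding one. sha1 is kept only for
# compatibility with older clients and should be dropped when possible.
digests         = sha1, sha256          # Acceptable message digests (mandatory)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0             # number of digits after dot. (optional)
ordering                = yes   # Is ordering defined for timestamps?
                                # (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)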