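# $FreeBSD$
#
# OpenSSL example configuration file.
# See doc/man5/config.pod for more info.
#
# This is mostly being used for generation of certificate requests,
# but may be used for auto loading of providers
#
# Format notes (OpenSSL CONF, not generic INI): a '#' starts a comment
# anywhere on a line outside quotes, so trailing comments are safe here;
# $name, ${name} and $section::name are expanded at read time.

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .

# Use this in order to automatically load providers.
openssl_conf = openssl_init

# Comment out the next line to ignore configuration errors
config_diagnostics = 1

# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
# These are placeholder arcs for the demo; a real TSA uses OIDs from its
# own registered arc.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
# .include fipsmodule.cnf

[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect

# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
# activate = 1


####################################################################
[ ca ]
default_ca = CA_default              # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA                       # Where everything is kept
certs = $dir/certs                   # Where the issued certs are kept
crl_dir = $dir/crl                   # Where the issued crl are kept
database = $dir/index.txt            # database index file.
#unique_subject = no                 # Set to 'no' to allow creation of
                                     # several certs with same subject.
new_certs_dir = $dir/newcerts        # default place for new certs.

certificate = $dir/cacert.pem        # The CA certificate
serial = $dir/serial                 # The current serial number
crlnumber = $dir/crlnumber           # the current crl number
                                     # must be commented out to leave a V1 CRL
crl = $dir/crl.pem                   # The current CRL
private_key = $dir/private/cakey.pem # The private key

x509_extensions = usr_cert           # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default                # Subject Name options
cert_opt = ca_default                # Certificate field options

# Extension copying option: use with caution.
# Copying extensions from a request lets the requester choose what ends up
# in the issued certificate; review requests before enabling this.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365                   # how long to certify for
default_crl_days = 30                # how long before next CRL
default_md = default                 # use public key default MD
preserve = no                        # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca              # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# Leaving these commented keeps key passphrases out of this file.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req            # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

# This really needs to be in place for it to be a proxy certificate.
# 'policy:foo' is a demo placeholder; a real deployment states its own policy.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1            # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir = ./demoCA                       # TSA root directory
serial = $dir/tsaserial              # The current serial number (mandatory)
crypto_device = builtin              # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem       # The TSA signing certificate
                                     # (optional)
certs = $dir/cacert.pem              # Certificate chain to include in reply
                                     # (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256               # Signing digest to use. (Optional)
default_policy = tsa_policy1         # Policy if request did not specify it
                                     # (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# sha1 is listed (and used for ess_cert_id_alg below) for interoperability
# with older clients only; drop it where SHA-1 acceptance is not required.
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0           # number of digits after dot. (optional)
ordering = yes                       # Is ordering defined for timestamps?
                                     # (optional, default: no)
tsa_name = yes                       # Must the TSA name be included in the reply?
                                     # (optional, default: no)
ess_cert_id_chain = no               # Must the ESS cert id chain be included?
                                     # (optional, default: no)
ess_cert_id_alg = sha1               # algorithm to compute certificate
                                     # identifier (optional, default: sha1)

[insta] # CMP using Insta Demo CA
# Message transfer
server = pki.certificate.fi:8700
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
# tls_use = 0
path = pkix/

# Server authentication
recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
# The two quirks below relax verification of the server's CMP messages for
# this demo CA; leave them unset against a production CA.
ignore_keyusage = 1                  # potentially needed quirk
unprotected_errors = 1               # potentially needed quirk
extracertsout = insta.extracerts.pem

# Client authentication
ref = 3078                           # user identification
# Demo credential in clear text. For real use, keep the shared secret out
# of this file (e.g. an env: or file: passphrase source).
secret = pass:insta                  # can be used for both client and server side

# Generic message options
cmd = ir                             # default operation, can be overridden on cmd line with, e.g., kur

# Certificate enrollment
subject = "/CN=openssl-cmp-test"
newkey = insta.priv.pem
out_trusted = apps/insta.ca.crt      # does not include keyUsage digitalSignature
certout = insta.cert.pem

[pbm] # Password-based protection for Insta CA
# Server and client authentication
ref = $insta::ref                    # 3078
secret = $insta::secret              # pass:insta

[signature] # Signature-based protection for Insta CA
# Server authentication
trusted = $insta::out_trusted        # apps/insta.ca.crt

# Client authentication
secret =                             # disable PBM
key = $insta::newkey                 # insta.priv.pem
cert = $insta::certout               # insta.cert.pem

[ir]
cmd = ir

[cr]
cmd = cr

[kur]
# Certificate update
cmd = kur
oldcert = $insta::certout            # insta.cert.pem

[rr]
# Certificate revocation
cmd = rr
oldcert = $insta::certout            # insta.cert.pem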