      1 #
      2 # OpenSSL example configuration file.
      3 # This is mostly being used for generation of certificate requests.
      4 #
      5 
      6 # This definition stops the following lines choking if HOME isn't
      7 # defined.
      8 HOME			= .
      9 RANDFILE		= $ENV::HOME/.rnd
     10 
     11 # Extra OBJECT IDENTIFIER info:
     12 #oid_file		= $ENV::HOME/.oid
     13 oid_section		= new_oids
     14 
     15 # To use this configuration file with the "-extfile" option of the
     16 # "openssl x509" utility, name here the section containing the
     17 # X.509v3 extensions to use:
     18 # extensions		=
     19 # (Alternatively, use a configuration file that has only
     20 # X.509v3 extensions in its main [= default] section.)
     21 
     22 [ new_oids ]
     23 
     24 # We can add new OIDs in here for use by 'ca' and 'req'.
     25 # Add a simple OID like this:
     26 # testoid1=1.2.3.4
     27 # Or use config file substitution like this:
     28 # testoid2=${testoid1}.5.6
     29 
     30 ####################################################################
     31 [ ca ]
     32 default_ca	= CA_default		# The default ca section
     33 
     34 ####################################################################
     35 [ CA_default ]
     36 
     37 dir		= /usr/share/ssl/CA	# Where everything is kept
     38 certs		= $dir/certs		# Where the issued certs are kept
     39 crl_dir		= $dir/crl		# Where the issued crl are kept
     40 database	= $dir/index.txt	# database index file.
     41 new_certs_dir	= $dir/newcerts		# default place for new certs.
     42 
     43 certificate	= $dir/cacert.pem 	# The CA certificate
     44 serial		= $dir/serial 		# The current serial number
     45 crl		= $dir/crl.pem 		# The current CRL
     46 private_key	= $dir/private/cakey.pem# The private key
     47 RANDFILE	= $dir/private/.rand	# private random number file
     48 
     49 x509_extensions	= usr_cert		# The extentions to add to the cert
     50 
     51 # Comment out the following two lines for the "traditional"
     52 # (and highly broken) format.
     53 name_opt 	= ca_default		# Subject Name options
     54 cert_opt 	= ca_default		# Certificate field options
     55 
     56 # Extension copying option: use with caution.
     57 # copy_extensions = copy
     58 
     59 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
     60 # so this is commented out by default to leave a V1 CRL.
     61 # crl_extensions	= crl_ext
     62 
     63 default_days	= 365			# how long to certify for
     64 default_crl_days= 30			# how long before next CRL
     65 default_md	= md5			# which md to use.
     66 preserve	= no			# keep passed DN ordering
     67 
     68 # A few difference way of specifying how similar the request should look
     69 # For type CA, the listed attributes must be the same, and the optional
     70 # and supplied fields are just that :-)
     71 policy		= policy_match
     72 
     73 # For the CA policy
     74 [ policy_match ]
     75 countryName		= match
     76 stateOrProvinceName	= match
     77 organizationName	= match
     78 organizationalUnitName	= optional
     79 commonName		= supplied
     80 emailAddress		= optional
     81 
     82 # For the 'anything' policy
     83 # At this point in time, you must list all acceptable 'object'
     84 # types.
     85 [ policy_anything ]
     86 countryName		= optional
     87 stateOrProvinceName	= optional
     88 localityName		= optional
     89 organizationName	= optional
     90 organizationalUnitName	= optional
     91 commonName		= supplied
     92 emailAddress		= optional
     93 
     94 ####################################################################
     95 [ req ]
     96 default_bits		= 1024
     97 default_keyfile 	= privkey.pem
     98 distinguished_name	= req_distinguished_name
     99 attributes		= req_attributes
    100 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
    101 
    102 # Passwords for private keys
    103 #   These passwords need to correspond the passwords
    104 #   set in the testcase script file
    105 input_password = "SSL PWD"
    106 output_password = "SSL PWD"
    107 
    108 # This sets a mask for permitted string types. There are several options.
    109 # default: PrintableString, T61String, BMPString.
    110 # pkix	 : PrintableString, BMPString.
    111 # utf8only: only UTF8Strings.
    112 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    113 # MASK:XXXX a literal mask value.
    114 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
    115 # so use this option with caution!
    116 string_mask = nombstr
    117 
    118 # req_extensions = v3_req # The extensions to add to a certificate request
    119 
    120 [ req_distinguished_name ]
    121 countryName			= Country Name (2 letter code)
    122 countryName_default		= US
    123 countryName_min			= 2
    124 countryName_max			= 2
    125 
    126 stateOrProvinceName		= State or Province Name (full name)
    127 stateOrProvinceName_default	= Texas
    128 
    129 localityName			= Locality Name (eg, city)
    130 localityName_default		= Austin
    131 
    132 0.organizationName		= Organization Name (eg, company)
    133 0.organizationName_default	= LTP Tests
    134 
    135 # we can do this but it is not needed normally :-)
    136 #1.organizationName		= Second Organization Name (eg, company)
    137 #1.organizationName_default	= World Wide Web Pty Ltd
    138 
    139 organizationalUnitName		= Organizational Unit Name (eg, section)
    140 #organizationalUnitName_default	=
    141 
    142 commonName			= Common Name (eg, your name or your server\'s hostname)
    143 commonName_max			= 64
    144 
    145 emailAddress			= Email Address
    146 emailAddress_max		= 64
    147 
    148 # SET-ex3			= SET extension number 3
    149 
    150 [ req_attributes ]
    151 challengePassword		= A challenge password
    152 challengePassword_min		= 4
    153 challengePassword_max		= 20
    154 
    155 unstructuredName		= An optional company name
    156 
    157 [ usr_cert ]
    158 
    159 # These extensions are added when 'ca' signs a request.
    160 
    161 # This goes against PKIX guidelines but some CAs do it and some software
    162 # requires this to avoid interpreting an end user certificate as a CA.
    163 
    164 basicConstraints=CA:FALSE
    165 
    166 # Here are some examples of the usage of nsCertType. If it is omitted
    167 # the certificate can be used for anything *except* object signing.
    168 
    169 # This is OK for an SSL server.
    170 # nsCertType			= server
    171 
    172 # For an object signing certificate this would be used.
    173 # nsCertType = objsign
    174 
    175 # For normal client use this is typical
    176 # nsCertType = client, email
    177 
    178 # and for everything including object signing:
    179 # nsCertType = client, email, objsign
    180 
    181 # This is typical in keyUsage for a client certificate.
    182 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    183 
    184 # This will be displayed in Netscape's comment listbox.
    185 nsComment			= "OpenSSL Generated Certificate"
    186 
    187 # PKIX recommendations harmless if included in all certificates.
    188 subjectKeyIdentifier=hash
    189 authorityKeyIdentifier=keyid,issuer:always
    190 
    191 # This stuff is for subjectAltName and issuerAltname.
    192 # Import the email address.
    193 # subjectAltName=email:copy
    194 # An alternative to produce certificates that aren't
    195 # deprecated according to PKIX.
    196 # subjectAltName=email:move
    197 
    198 # Copy subject details
    199 # issuerAltName=issuer:copy
    200 
    201 #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
    202 #nsBaseUrl
    203 #nsRevocationUrl
    204 #nsRenewalUrl
    205 #nsCaPolicyUrl
    206 #nsSslServerName
    207 
    208 [ v3_req ]
    209 
    210 # Extensions to add to a certificate request
    211 
    212 basicConstraints = CA:FALSE
    213 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    214 
    215 [ v3_ca ]
    216 
    217 
    218 # Extensions for a typical CA
    219 
    220 
    221 # PKIX recommendation.
    222 
    223 subjectKeyIdentifier=hash
    224 
    225 authorityKeyIdentifier=keyid:always,issuer:always
    226 
    227 # This is what PKIX recommends but some broken software chokes on critical
    228 # extensions.
    229 #basicConstraints = critical,CA:true
    230 # So we do this instead.
    231 basicConstraints = CA:true
    232 
    233 # Key usage: this is typical for a CA certificate. However since it will
    234 # prevent it being used as an test self-signed certificate it is best
    235 # left out by default.
    236 # keyUsage = cRLSign, keyCertSign
    237 
    238 # Some might want this also
    239 # nsCertType = sslCA, emailCA
    240 
    241 # Include email address in subject alt name: another PKIX recommendation
    242 # subjectAltName=email:copy
    243 # Copy issuer details
    244 # issuerAltName=issuer:copy
    245 
    246 # DER hex encoding of an extension: beware experts only!
    247 # obj=DER:02:03
    248 # Where 'obj' is a standard or added object
    249 # You can even override a supported extension:
    250 # basicConstraints= critical, DER:30:03:01:01:FF
    251 
    252 [ crl_ext ]
    253 
    254 # CRL extensions.
    255 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    256 
    257 # issuerAltName=issuer:copy
    258 authorityKeyIdentifier=keyid:always,issuer:always
    259