1 # 2 # OpenSSL example configuration file. 3 # This is mostly being used for generation of certificate requests. 4 # 5 6 # This definition stops the following lines choking if HOME isn't 7 # defined. 8 HOME = . 9 RANDFILE = $ENV::HOME/.rnd 10 11 # Extra OBJECT IDENTIFIER info: 12 #oid_file = $ENV::HOME/.oid 13 oid_section = new_oids 14 15 # To use this configuration file with the "-extfile" option of the 16 # "openssl x509" utility, name here the section containing the 17 # X.509v3 extensions to use: 18 # extensions = 19 # (Alternatively, use a configuration file that has only 20 # X.509v3 extensions in its main [= default] section.) 21 22 [ new_oids ] 23 24 # We can add new OIDs in here for use by 'ca' and 'req'. 25 # Add a simple OID like this: 26 # testoid1=1.2.3.4 27 # Or use config file substitution like this: 28 # testoid2=${testoid1}.5.6 29 30 #################################################################### 31 [ ca ] 32 default_ca = CA_default # The default ca section 33 34 #################################################################### 35 [ CA_default ] 36 37 dir = /usr/share/ssl/CA # Where everything is kept 38 certs = $dir/certs # Where the issued certs are kept 39 crl_dir = $dir/crl # Where the issued crl are kept 40 database = $dir/index.txt # database index file. 41 new_certs_dir = $dir/newcerts # default place for new certs. 42 43 certificate = $dir/cacert.pem # The CA certificate 44 serial = $dir/serial # The current serial number 45 crl = $dir/crl.pem # The current CRL 46 private_key = $dir/private/cakey.pem# The private key 47 RANDFILE = $dir/private/.rand # private random number file 48 49 x509_extensions = usr_cert # The extentions to add to the cert 50 51 # Comment out the following two lines for the "traditional" 52 # (and highly broken) format. 53 name_opt = ca_default # Subject Name options 54 cert_opt = ca_default # Certificate field options 55 56 # Extension copying option: use with caution. 57 # copy_extensions = copy 58 59 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 60 # so this is commented out by default to leave a V1 CRL. 61 # crl_extensions = crl_ext 62 63 default_days = 365 # how long to certify for 64 default_crl_days= 30 # how long before next CRL 65 default_md = md5 # which md to use. 66 preserve = no # keep passed DN ordering 67 68 # A few difference way of specifying how similar the request should look 69 # For type CA, the listed attributes must be the same, and the optional 70 # and supplied fields are just that :-) 71 policy = policy_match 72 73 # For the CA policy 74 [ policy_match ] 75 countryName = match 76 stateOrProvinceName = match 77 organizationName = match 78 organizationalUnitName = optional 79 commonName = supplied 80 emailAddress = optional 81 82 # For the 'anything' policy 83 # At this point in time, you must list all acceptable 'object' 84 # types. 85 [ policy_anything ] 86 countryName = optional 87 stateOrProvinceName = optional 88 localityName = optional 89 organizationName = optional 90 organizationalUnitName = optional 91 commonName = supplied 92 emailAddress = optional 93 94 #################################################################### 95 [ req ] 96 default_bits = 1024 97 default_keyfile = privkey.pem 98 distinguished_name = req_distinguished_name 99 attributes = req_attributes 100 x509_extensions = v3_ca # The extentions to add to the self signed cert 101 102 # Passwords for private keys 103 # These passwords need to correspond the passwords 104 # set in the testcase script file 105 input_password = "SSL PWD" 106 output_password = "SSL PWD" 107 108 # This sets a mask for permitted string types. There are several options. 109 # default: PrintableString, T61String, BMPString. 110 # pkix : PrintableString, BMPString. 111 # utf8only: only UTF8Strings. 112 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 113 # MASK:XXXX a literal mask value. 114 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 115 # so use this option with caution! 116 string_mask = nombstr 117 118 # req_extensions = v3_req # The extensions to add to a certificate request 119 120 [ req_distinguished_name ] 121 countryName = Country Name (2 letter code) 122 countryName_default = US 123 countryName_min = 2 124 countryName_max = 2 125 126 stateOrProvinceName = State or Province Name (full name) 127 stateOrProvinceName_default = Texas 128 129 localityName = Locality Name (eg, city) 130 localityName_default = Austin 131 132 0.organizationName = Organization Name (eg, company) 133 0.organizationName_default = LTP Tests 134 135 # we can do this but it is not needed normally :-) 136 #1.organizationName = Second Organization Name (eg, company) 137 #1.organizationName_default = World Wide Web Pty Ltd 138 139 organizationalUnitName = Organizational Unit Name (eg, section) 140 #organizationalUnitName_default = 141 142 commonName = Common Name (eg, your name or your server\'s hostname) 143 commonName_max = 64 144 145 emailAddress = Email Address 146 emailAddress_max = 64 147 148 # SET-ex3 = SET extension number 3 149 150 [ req_attributes ] 151 challengePassword = A challenge password 152 challengePassword_min = 4 153 challengePassword_max = 20 154 155 unstructuredName = An optional company name 156 157 [ usr_cert ] 158 159 # These extensions are added when 'ca' signs a request. 160 161 # This goes against PKIX guidelines but some CAs do it and some software 162 # requires this to avoid interpreting an end user certificate as a CA. 163 164 basicConstraints=CA:FALSE 165 166 # Here are some examples of the usage of nsCertType. If it is omitted 167 # the certificate can be used for anything *except* object signing. 168 169 # This is OK for an SSL server. 170 # nsCertType = server 171 172 # For an object signing certificate this would be used. 173 # nsCertType = objsign 174 175 # For normal client use this is typical 176 # nsCertType = client, email 177 178 # and for everything including object signing: 179 # nsCertType = client, email, objsign 180 181 # This is typical in keyUsage for a client certificate. 182 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 183 184 # This will be displayed in Netscape's comment listbox. 185 nsComment = "OpenSSL Generated Certificate" 186 187 # PKIX recommendations harmless if included in all certificates. 188 subjectKeyIdentifier=hash 189 authorityKeyIdentifier=keyid,issuer:always 190 191 # This stuff is for subjectAltName and issuerAltname. 192 # Import the email address. 193 # subjectAltName=email:copy 194 # An alternative to produce certificates that aren't 195 # deprecated according to PKIX. 196 # subjectAltName=email:move 197 198 # Copy subject details 199 # issuerAltName=issuer:copy 200 201 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 202 #nsBaseUrl 203 #nsRevocationUrl 204 #nsRenewalUrl 205 #nsCaPolicyUrl 206 #nsSslServerName 207 208 [ v3_req ] 209 210 # Extensions to add to a certificate request 211 212 basicConstraints = CA:FALSE 213 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 214 215 [ v3_ca ] 216 217 218 # Extensions for a typical CA 219 220 221 # PKIX recommendation. 222 223 subjectKeyIdentifier=hash 224 225 authorityKeyIdentifier=keyid:always,issuer:always 226 227 # This is what PKIX recommends but some broken software chokes on critical 228 # extensions. 229 #basicConstraints = critical,CA:true 230 # So we do this instead. 231 basicConstraints = CA:true 232 233 # Key usage: this is typical for a CA certificate. However since it will 234 # prevent it being used as an test self-signed certificate it is best 235 # left out by default. 236 # keyUsage = cRLSign, keyCertSign 237 238 # Some might want this also 239 # nsCertType = sslCA, emailCA 240 241 # Include email address in subject alt name: another PKIX recommendation 242 # subjectAltName=email:copy 243 # Copy issuer details 244 # issuerAltName=issuer:copy 245 246 # DER hex encoding of an extension: beware experts only! 247 # obj=DER:02:03 248 # Where 'obj' is a standard or added object 249 # You can even override a supported extension: 250 # basicConstraints= critical, DER:30:03:01:01:FF 251 252 [ crl_ext ] 253 254 # CRL extensions. 255 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 256 257 # issuerAltName=issuer:copy 258 authorityKeyIdentifier=keyid:always,issuer:always 259