make update
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index d449871..05663c9 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -3,8 +3,13 @@
# This is mostly being used for generation of certificate requests.
#
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
RANDFILE = $ENV::HOME/.rnd
-oid_file = $ENV::HOME/.oid
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
@@ -29,22 +34,35 @@
####################################################################
[ CA_default ]
-dir = sys\$disk:[.demoCA # Where everything is kept
+dir = sys\$disk:[.demoCA # Where everything is kept
certs = $dir.certs] # Where the issued certs are kept
crl_dir = $dir.crl] # Where the issued crl are kept
database = $dir]index.txt # database index file.
-new_certs_dir = $dir.newcerts] # default place for new certs.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir.newcerts] # default place for new certs.
certificate = $dir]cacert.pem # The CA certificate
-serial = $dir]serial. # The current serial number
+serial = $dir]serial. # The current serial number
+crlnumber = $dir]crlnumber. # the current crl number
+ # must be commented out to leave a V1 CRL
crl = $dir]crl.pem # The current CRL
private_key = $dir.private]cakey.pem# The private key
RANDFILE = $dir.private].rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
@@ -86,16 +104,19 @@
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
-# This sets the permitted types in a DirectoryString. There are several
-# options.
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
-# nobmp : PrintableString, T61String (no BMPStrings).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
-dirstring_type = nobmp
+string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
@@ -124,7 +145,7 @@
commonName_max = 64
emailAddress = Email Address
-emailAddress_max = 40
+emailAddress_max = 64
# SET-ex3 = SET extension number 3
@@ -172,6 +193,9 @@
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
