#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Keys placed before the first [section] belong to the unnamed default
# section.  $ENV::NAME is replaced by the value of the environment
# variable NAME when the file is parsed.
#

# Seed file for the PRNG.  NOTE(review): newer OpenSSL releases ignore
# RANDFILE entirely -- confirm for the version in use.
RANDFILE		= $ENV::HOME/.rnd
# Optional file of extra OID definitions ("name = dotted.oid" per line).
oid_file		= $ENV::HOME/.oid
# Section holding further OID definitions (see [ new_oids ] below).
oid_section		= new_oids

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Each entry is "short_name = dotted.oid".
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this (${name} expands to the
# value of a key in this same section):
# testoid2=${testoid1}.5.6

####################################################################
# Entry point for the 'ca' command: names the section holding the CA settings.
[ ca ]
default_ca	= CA_default		# The default ca section

 | #################################################################### | 
 | [ CA_default ] | 
 |  | 
 | dir		= ./demoCA		# Where everything is kept | 
 | certs		= $dir/certs		# Where the issued certs are kept | 
 | crl_dir		= $dir/crl		# Where the issued crl are kept | 
 | database	= $dir/index.txt	# database index file. | 
 | new_certs_dir	= $dir/newcerts		# default place for new certs. | 
 |  | 
 | certificate	= $dir/cacert.pem 	# The CA certificate | 
 | serial		= $dir/serial 		# The current serial number | 
 | crl		= $dir/crl.pem 		# The current CRL | 
 | private_key	= $dir/private/cakey.pem# The private key | 
 | RANDFILE	= $dir/private/.rand	# private random number file | 
 |  | 
 | x509_extensions	= usr_cert		# The extentions to add to the cert | 
 | crl_extensions	= crl_ext		# Extensions to add to CRL | 
 | default_days	= 365			# how long to certify for | 
 | default_crl_days= 30			# how long before next CRL | 
 | default_md	= md5			# which md to use. | 
 | preserve	= no			# keep passed DN ordering | 
 |  | 
 | # A few difference way of specifying how similar the request should look | 
 | # For type CA, the listed attributes must be the same, and the optional | 
 | # and supplied fields are just that :-) | 
 | policy		= policy_match | 
 |  | 
# For the CA policy.  Each listed DN field of the request is checked
# against the CA certificate's own DN:
#   match    - must be present and equal to the CA's value
#   supplied - must be present (any value)
#   optional - may be present
# Fields of the request DN that are not listed here are dropped from
# the issued certificate.
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy: nothing has to agree with the CA's DN,
# only a commonName must be present.
# At this point in time, you must list all acceptable 'object'
# types; unlisted fields are dropped from the issued certificate.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

 | #################################################################### | 
 | [ req ] | 
 | default_bits		= 1024 | 
 | default_keyfile 	= privkey.pem | 
 | distinguished_name	= req_distinguished_name | 
 | attributes		= req_attributes | 
 | x509_extensions	= v3_ca	# The extentions to add to the self signed cert | 
 |  | 
# Prompts used by 'req' when building the subject DN.  For each field NAME:
#   NAME          - prompt text shown to the user
#   NAME_default  - value used when the user just presses enter
#   NAME_min/_max - length limits enforced on the entered value
# A numeric prefix (0.NAME, 1.NAME) lets the same field appear more than once.
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= AU
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State

localityName			= Locality Name (eg, city)

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

commonName			= Common Name (eg, YOUR name)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 40

# SET-ex3			= SET extension number 3

# Optional attributes embedded in the request itself, not in the issued
# certificate.  The challenge password is stored in the CSR unencrypted,
# so do not reuse a real secret for it.
[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request (end-entity certs).

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType.  It is a legacy
# Netscape extension; if it is omitted the certificate can be used for
# anything *except* object signing.

# This is OK for an SSL server.
#nsCertType			= server

# For an object signing certificate this would be used.
#nsCertType = objsign

# For normal client use this is typical
#nsCertType = client, email

# This is typical also.  Note it is not marked critical here.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# Import the email address from the subject DN into subjectAltName.

subjectAltName=email:copy

# Copy the issuer's subjectAltName into issuerAltName.

issuerAltName=issuer:copy

# Legacy Netscape URL extensions; left disabled.
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

 | [ v3_ca] | 
 |  | 
 | # Extensions for a typical CA | 
 |  | 
 | # It's a CA certificate | 
 | basicConstraints = CA:true | 
 |  | 
 | # PKIX recommendation. | 
 |  | 
 | subjectKeyIdentifier=hash | 
 |  | 
 | authorityKeyIdentifier=keyid:always,issuer:always | 
 |  | 
 | # This is what PKIX recommends but some broken software chokes on critical | 
 | # extensions. | 
 | #basicConstraints = critical,CA:true | 
 |  | 
 | # Key usage: again this should really be critical. | 
 | keyUsage = cRLSign, keyCertSign | 
 |  | 
 | # Some might want this also | 
 | #nsCertType = sslCA, emailCA | 
 |  | 
 | # Include email address in subject alt name: another PKIX recommendation | 
 | subjectAltName=email:copy | 
 | # Copy issuer details | 
 | issuerAltName=issuer:copy | 
 |  | 
 | # RAW DER hex encoding of an extension: beware experts only! | 
 | # 1.2.3.5=RAW:02:03 | 
 | # You can even override a supported extension: | 
 | # basicConstraints= critical, RAW:30:03:01:01:FF | 
 |  | 
# Extensions added by 'ca -gencrl' (selected via crl_extensions in [ CA_default ]).
[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

issuerAltName=issuer:copy
# Identifies the CA key that signed the CRL so verifiers can find the issuer.
authorityKeyIdentifier=keyid:always,issuer:always