Blame - apps/openssl.cnf - third_party/openssl

blob: dbe8cbefe0eaff39e0abd55754878cd48c7beb18 [file] [log] [blame]

Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	1	#
Ralf S. Engelschall	06d5b16	1999-01-02 12:59:33 +0000	[diff] [blame]	2	# OpenSSL example configuration file.
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	3	# This is mostly being used for generation of certificate requests.
				4	#
				5
Dr. Stephen Henson	36217a9	1999-12-24 23:53:57 +0000	[diff] [blame]	6	# This definition stops the following lines choking if HOME isn't
				7	# defined.
				8	HOME = .
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	9	RANDFILE = $ENV::HOME/.rnd
Dr. Stephen Henson	20432ea	2000-01-01 16:42:49 +0000	[diff] [blame]	10
				11	# Extra OBJECT IDENTIFIER info:
				12	#oid_file = $ENV::HOME/.oid
Dr. Stephen Henson	a43aa73	1999-02-23 00:07:46 +0000	[diff] [blame]	13	oid_section = new_oids
				14
Bodo Möller	3f45ed8	1999-05-17 08:28:37 +0000	[diff] [blame]	15	# To use this configuration file with the "-extfile" option of the
Bodo Möller	e186bf9	1999-05-16 12:17:20 +0000	[diff] [blame]	16	# "openssl x509" utility, name here the section containing the
				17	# X.509v3 extensions to use:
				18	# extensions =
				19	# (Alternatively, use a configuration file that has only
				20	# X.509v3 extensions in its main [= default] section.)
				21
Dr. Stephen Henson	a43aa73	1999-02-23 00:07:46 +0000	[diff] [blame]	22	[ new_oids ]
				23
				24	# We can add new OIDs in here for use by 'ca' and 'req'.
				25	# Add a simple OID like this:
				26	# testoid1=1.2.3.4
				27	# Or use config file substitution like this:
				28	# testoid2=${testoid1}.5.6
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	29
				30	####################################################################
				31	[ ca ]
				32	default_ca = CA_default # The default ca section
				33
				34	####################################################################
				35	[ CA_default ]
				36
				37	dir = ./demoCA # Where everything is kept
				38	certs = $dir/certs # Where the issued certs are kept
				39	crl_dir = $dir/crl # Where the issued crl are kept
				40	database = $dir/index.txt # database index file.
				41	new_certs_dir = $dir/newcerts # default place for new certs.
				42
				43	certificate = $dir/cacert.pem # The CA certificate
				44	serial = $dir/serial # The current serial number
				45	crl = $dir/crl.pem # The current CRL
				46	private_key = $dir/private/cakey.pem# The private key
				47	RANDFILE = $dir/private/.rand # private random number file
				48
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	49	x509_extensions = usr_cert # The extentions to add to the cert
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	50
				51	# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
				52	# so this is commented out by default to leave a V1 CRL.
				53	# crl_extensions = crl_ext
				54
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	55	default_days = 365 # how long to certify for
				56	default_crl_days= 30 # how long before next CRL
				57	default_md = md5 # which md to use.
				58	preserve = no # keep passed DN ordering
				59
				60	# A few difference way of specifying how similar the request should look
				61	# For type CA, the listed attributes must be the same, and the optional
				62	# and supplied fields are just that :-)
				63	policy = policy_match
				64
				65	# For the CA policy
				66	[ policy_match ]
				67	countryName = match
				68	stateOrProvinceName = match
				69	organizationName = match
				70	organizationalUnitName = optional
				71	commonName = supplied
				72	emailAddress = optional
				73
				74	# For the 'anything' policy
				75	# At this point in time, you must list all acceptable 'object'
				76	# types.
				77	[ policy_anything ]
				78	countryName = optional
				79	stateOrProvinceName = optional
				80	localityName = optional
				81	organizationName = optional
				82	organizationalUnitName = optional
				83	commonName = supplied
				84	emailAddress = optional
				85
				86	####################################################################
				87	[ req ]
				88	default_bits = 1024
				89	default_keyfile = privkey.pem
				90	distinguished_name = req_distinguished_name
				91	attributes = req_attributes
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	92	x509_extensions = v3_ca # The extentions to add to the self signed cert
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	93
Dr. Stephen Henson	36217a9	1999-12-24 23:53:57 +0000	[diff] [blame]	94	# Passwords for private keys if not present they will be prompted for
				95	# input_password = secret
				96	# output_password = secret
				97
Dr. Stephen Henson	b38f9f6	2000-01-06 01:26:48 +0000	[diff] [blame]	98	# This sets a mask for permitted string types. There are several options.
Dr. Stephen Henson	74400f7	1999-10-27 00:15:11 +0000	[diff] [blame]	99	# default: PrintableString, T61String, BMPString.
				100	# pkix : PrintableString, BMPString.
				101	# utf8only: only UTF8Strings.
Dr. Stephen Henson	b38f9f6	2000-01-06 01:26:48 +0000	[diff] [blame]	102	# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
Dr. Stephen Henson	74400f7	1999-10-27 00:15:11 +0000	[diff] [blame]	103	# MASK:XXXX a literal mask value.
				104	# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
				105	# so use this option with caution!
Dr. Stephen Henson	b38f9f6	2000-01-06 01:26:48 +0000	[diff] [blame]	106	string_mask = nombstr
Dr. Stephen Henson	74400f7	1999-10-27 00:15:11 +0000	[diff] [blame]	107
Dr. Stephen Henson	c79b16e	1999-08-25 16:59:26 +0000	[diff] [blame]	108	# req_extensions = v3_req # The extensions to add to a certificate request
				109
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	110	[ req_distinguished_name ]
				111	countryName = Country Name (2 letter code)
				112	countryName_default = AU
				113	countryName_min = 2
				114	countryName_max = 2
				115
				116	stateOrProvinceName = State or Province Name (full name)
				117	stateOrProvinceName_default = Some-State
				118
				119	localityName = Locality Name (eg, city)
				120
				121	0.organizationName = Organization Name (eg, company)
				122	0.organizationName_default = Internet Widgits Pty Ltd
				123
				124	# we can do this but it is not needed normally :-)
				125	#1.organizationName = Second Organization Name (eg, company)
Ralf S. Engelschall	06d5b16	1999-01-02 12:59:33 +0000	[diff] [blame]	126	#1.organizationName_default = World Wide Web Pty Ltd
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	127
				128	organizationalUnitName = Organizational Unit Name (eg, section)
				129	#organizationalUnitName_default =
				130
				131	commonName = Common Name (eg, YOUR name)
				132	commonName_max = 64
				133
				134	emailAddress = Email Address
				135	emailAddress_max = 40
				136
Dr. Stephen Henson	a43aa73	1999-02-23 00:07:46 +0000	[diff] [blame]	137	# SET-ex3 = SET extension number 3
Ralf S. Engelschall	dfeab06	1998-12-21 11:00:56 +0000	[diff] [blame]	138
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	139	[ req_attributes ]
				140	challengePassword = A challenge password
				141	challengePassword_min = 4
				142	challengePassword_max = 20
				143
				144	unstructuredName = An optional company name
				145
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	146	[ usr_cert ]
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	147
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	148	# These extensions are added when 'ca' signs a request.
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	149
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	150	# This goes against PKIX guidelines but some CAs do it and some software
				151	# requires this to avoid interpreting an end user certificate as a CA.
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	152
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	153	basicConstraints=CA:FALSE
				154
				155	# Here are some examples of the usage of nsCertType. If it is omitted
				156	# the certificate can be used for anything except object signing.
				157
				158	# This is OK for an SSL server.
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	159	# nsCertType = server
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	160
				161	# For an object signing certificate this would be used.
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	162	# nsCertType = objsign
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	163
				164	# For normal client use this is typical
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	165	# nsCertType = client, email
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	166
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	167	# and for everything including object signing:
				168	# nsCertType = client, email, objsign
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	169
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	170	# This is typical in keyUsage for a client certificate.
				171	# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	172
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	173	# This will be displayed in Netscape's comment listbox.
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	174	nsComment = "OpenSSL Generated Certificate"
Dr. Stephen Henson	0be9747	1999-02-17 23:22:57 +0000	[diff] [blame]	175
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	176	# PKIX recommendations harmless if included in all certificates.
Dr. Stephen Henson	175b094	1999-02-10 01:12:59 +0000	[diff] [blame]	177	subjectKeyIdentifier=hash
Dr. Stephen Henson	0be9747	1999-02-17 23:22:57 +0000	[diff] [blame]	178	authorityKeyIdentifier=keyid,issuer:always
				179
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	180	# This stuff is for subjectAltName and issuerAltname.
Dr. Stephen Henson	aa066b9	1999-02-21 01:46:45 +0000	[diff] [blame]	181	# Import the email address.
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	182	# subjectAltName=email:copy
Dr. Stephen Henson	aa066b9	1999-02-21 01:46:45 +0000	[diff] [blame]	183
				184	# Copy subject details
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	185	# issuerAltName=issuer:copy
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	186
				187	#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	188	#nsBaseUrl
				189	#nsRevocationUrl
				190	#nsRenewalUrl
				191	#nsCaPolicyUrl
				192	#nsSslServerName
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	193
Dr. Stephen Henson	c79b16e	1999-08-25 16:59:26 +0000	[diff] [blame]	194	[ v3_req ]
				195
				196	# Extensions to add to a certificate request
				197
				198	basicConstraints = CA:FALSE
				199	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
				200
Ralf S. Engelschall	5a97a0b	1999-08-08 09:39:43 +0000	[diff] [blame]	201	[ v3_ca ]
Dr. Stephen Henson	f317aa4	1999-01-25 01:09:21 +0000	[diff] [blame]	202
Dr. Stephen Henson	c79b16e	1999-08-25 16:59:26 +0000	[diff] [blame]	203
Dr. Stephen Henson	f317aa4	1999-01-25 01:09:21 +0000	[diff] [blame]	204	# Extensions for a typical CA
				205
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	206
Dr. Stephen Henson	175b094	1999-02-10 01:12:59 +0000	[diff] [blame]	207	# PKIX recommendation.
				208
				209	subjectKeyIdentifier=hash
				210
Dr. Stephen Henson	0be9747	1999-02-17 23:22:57 +0000	[diff] [blame]	211	authorityKeyIdentifier=keyid:always,issuer:always
				212
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	213	# This is what PKIX recommends but some broken software chokes on critical
				214	# extensions.
				215	#basicConstraints = critical,CA:true
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	216	# So we do this instead.
				217	basicConstraints = CA:true
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	218
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	219	# Key usage: this is typical for a CA certificate. However since it will
				220	# prevent it being used as an test self-signed certificate it is best
				221	# left out by default.
				222	# keyUsage = cRLSign, keyCertSign
Dr. Stephen Henson	f317aa4	1999-01-25 01:09:21 +0000	[diff] [blame]	223
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	224	# Some might want this also
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	225	# nsCertType = sslCA, emailCA
Dr. Stephen Henson	388ff0b	1999-02-14 16:48:22 +0000	[diff] [blame]	226
Dr. Stephen Henson	aa066b9	1999-02-21 01:46:45 +0000	[diff] [blame]	227	# Include email address in subject alt name: another PKIX recommendation
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	228	# subjectAltName=email:copy
Dr. Stephen Henson	aa066b9	1999-02-21 01:46:45 +0000	[diff] [blame]	229	# Copy issuer details
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	230	# issuerAltName=issuer:copy
Dr. Stephen Henson	aa066b9	1999-02-21 01:46:45 +0000	[diff] [blame]	231
Dr. Stephen Henson	c79b16e	1999-08-25 16:59:26 +0000	[diff] [blame]	232	# DER hex encoding of an extension: beware experts only!
				233	# obj=DER:02:03
				234	# Where 'obj' is a standard or added object
Dr. Stephen Henson	388ff0b	1999-02-14 16:48:22 +0000	[diff] [blame]	235	# You can even override a supported extension:
Dr. Stephen Henson	c79b16e	1999-08-25 16:59:26 +0000	[diff] [blame]	236	# basicConstraints= critical, DER:30:03:01:01:FF
Dr. Stephen Henson	1756d40	1999-03-06 19:33:29 +0000	[diff] [blame]	237
				238	[ crl_ext ]
				239
				240	# CRL extensions.
				241	# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
				242
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	243	# issuerAltName=issuer:copy
Dr. Stephen Henson	1756d40	1999-03-06 19:33:29 +0000	[diff] [blame]	244	authorityKeyIdentifier=keyid:always,issuer:always