#
# OpenSSL example configuration file.
#
# Read by OpenSSL's own CONF parser, not a generic INI reader: '#' starts a
# comment anywhere on a line (inline comments are fine), '$name' and
# '$ENV::NAME' are expanded, and keys above the first [section] live in the
# unnamed default section. Mostly used for generating certificate requests
# and for running the demo CA below.
#

# PRNG seed file and an optional file of extra object identifiers, both
# resolved from $HOME. If HOME is not set (cron, service accounts) the
# '$ENV::HOME' lookup fails and the whole file is expected not to load;
# set HOME or override RANDFILE before running unattended.
RANDFILE = $ENV::HOME/.rnd
oid_file = $ENV::HOME/.oid

####################################################################
# 'openssl ca' looks here to find which section holds its settings.
[ ca ]
default_ca = CA_default

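####################################################################
# Settings for the demo CA driven by 'openssl ca'.
[ CA_default ]

dir = ./demoCA # Where everything is kept (relative to the working directory)
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued CRLs are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key; keep $dir/private readable by the CA user only
RANDFILE = $dir/private/.rand # private random number file

# Extensions added to every certificate this CA issues. Only what is listed
# in that section goes into the certificate; leave copy_extensions unset
# (the default, 'none') so a requester cannot smuggle in basicConstraints
# or keyUsage values of their own choosing via the CSR.
x509_extensions = usr_cert
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Signature digest. MD5 is collision-broken and has been exploited in
# practice to forge a rogue CA certificate from a legitimately issued one;
# never sign with it (the same goes for SHA-1).
default_md = sha256
preserve = no # no: rebuild the subject in policy-section order; yes: keep the request's DN order

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
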
# Policy used by CA_default above: the request's C, ST and O must equal the
# CA certificate's; OU and email may be present or absent; CN is mandatory.
# With preserve = no, subject attributes not listed here are not carried
# into the issued certificate (compare policy_anything below).
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# The 'anything' policy: only CN is required; everything else is accepted
# verbatim if present. Every attribute type that may appear in a request
# must still be listed here, otherwise it does not make it into the
# issued subject.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

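####################################################################
# Defaults for 'openssl req' (CSR and self-signed certificate generation).
[ req ]
# 1024-bit RSA has been deprecated since 2013 and is rejected by current
# TLS clients and CA policies; 2048 is the accepted minimum.
default_bits = 2048
# Digest used when self-signing; MD5 and SHA-1 are collision-prone and
# must not be used for signatures.
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
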
# Prompts, defaults and length limits for the subject DN of a request.
# '<attr>_default' is offered when the user just presses Enter;
# '<attr>_min' / '<attr>_max' bound the accepted length.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

# A numeric prefix ('0.', '1.') lets the same attribute be asked for more
# than once. A second organizationName is shown below but disabled, as it
# is not normally needed.
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40

# NOTE(review): SET-ex3 is not a stock OpenSSL object name, so it
# presumably comes from the oid_file configured above -- confirm, or drop
# this prompt if no such OID is defined.
SET-ex3 = SET extension number 3

# Extra attributes stored in the request itself, outside the subject DN.
# challengePassword ends up in the CSR in the clear and nothing in this
# configuration consumes it, so never reuse a real password for it.
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

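# Extensions 'openssl ca' adds to every end-entity certificate it signs
# (selected by x509_extensions in CA_default).
[ usr_cert ]

# Mark the certificate as NOT a CA. PKIX allows this to be omitted for end
# entities, but some software treats a certificate without it as a CA, so
# state it explicitly.
basicConstraints = CA:FALSE

# Netscape certificate type. If omitted the certificate can be used for
# anything *except* object signing; uncomment one of these to narrow it.
# SSL server:
#nsCertType = server
# Object signing:
#nsCertType = objsign
# Normal client use (TLS client + S/MIME):
#nsCertType = client, email

# Key usage for a typical client/S/MIME key. Marked critical as RFC 5280
# recommends, so a relying party must honour the restriction instead of
# being free to ignore it. Drop 'critical' only for a relying party that
# is known to reject critical extensions.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations: identify this key and the key that signed it.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# Carry the email address from the subject DN into subjectAltName.
subjectAltName = email:copy

# Copy the issuer's subjectAltName (not the subject's) into issuerAltName.
issuerAltName = issuer:copy

# Netscape URL extensions, disabled. Replace the placeholder host with
# this CA's real URLs if they are enabled at all.
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
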
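# Extensions for a typical CA certificate (used by 'openssl req -x509'
# through the [req] section to self-sign the CA).
[ v3_ca ]

# It's a CA certificate. RFC 5280 requires basicConstraints to be critical
# in CA certificates; the non-critical form is kept below, disabled, only
# for relying parties that still choke on critical extensions.
basicConstraints = critical, CA:true
#basicConstraints = CA:true

# PKIX recommendation: identify this key. For a self-signed root the
# authority key identifier points back at the same key.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# A CA key signs certificates and CRLs and nothing else. Critical, as
# RFC 5280 recommends, so the restriction is enforced rather than ignored.
keyUsage = critical, cRLSign, keyCertSign

# Some might want this also
#nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
subjectAltName = email:copy
# Copy the issuer's subjectAltName into issuerAltName
issuerAltName = issuer:copy

# RAW DER hex encoding of an extension: experts only! A RAW value is
# written into the certificate byte-for-byte with no syntax or consistency
# checking, so a typo yields a certificate that parsers reject (or, worse,
# accept with an unintended meaning). Prefer the named extensions above.
# 1.2.3.5=RAW:02:03
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF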
181# basicConstraints= critical, RAW:30:03:01:01:FF