Blame - apps/openssl.cnf - third_party/openssl

blob: eca51c3322803c21c213c72516126a869bbc7f80 [file] [log] [blame]

Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	1	#
Ralf S. Engelschall	06d5b16	1999-01-02 12:59:33 +0000	[diff] [blame]	2	# OpenSSL example configuration file.
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	3	# This is mostly being used for generation of certificate requests.
				4	#
				5
Dr. Stephen Henson	36217a9	1999-12-24 23:53:57 +0000	[diff] [blame]	6	# This definition stops the following lines choking if HOME isn't
				7	# defined.
				8	HOME = .
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	9	RANDFILE = $ENV::HOME/.rnd
Dr. Stephen Henson	20432ea	2000-01-01 16:42:49 +0000	[diff] [blame]	10
				11	# Extra OBJECT IDENTIFIER info:
				12	#oid_file = $ENV::HOME/.oid
Dr. Stephen Henson	a43aa73	1999-02-23 00:07:46 +0000	[diff] [blame]	13	oid_section = new_oids
				14
Bodo Möller	3f45ed8	1999-05-17 08:28:37 +0000	[diff] [blame]	15	# To use this configuration file with the "-extfile" option of the
Bodo Möller	e186bf9	1999-05-16 12:17:20 +0000	[diff] [blame]	16	# "openssl x509" utility, name here the section containing the
				17	# X.509v3 extensions to use:
				18	# extensions =
				19	# (Alternatively, use a configuration file that has only
				20	# X.509v3 extensions in its main [= default] section.)
				21
Dr. Stephen Henson	a43aa73	1999-02-23 00:07:46 +0000	[diff] [blame]	22	[ new_oids ]
				23
				24	# We can add new OIDs in here for use by 'ca' and 'req'.
				25	# Add a simple OID like this:
				26	# testoid1=1.2.3.4
				27	# Or use config file substitution like this:
				28	# testoid2=${testoid1}.5.6
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	29
				30	####################################################################
				31	[ ca ]
				32	default_ca = CA_default # The default ca section
				33
				34	####################################################################
				35	[ CA_default ]
				36
				37	dir = ./demoCA # Where everything is kept
				38	certs = $dir/certs # Where the issued certs are kept
				39	crl_dir = $dir/crl # Where the issued crl are kept
				40	database = $dir/index.txt # database index file.
				41	new_certs_dir = $dir/newcerts # default place for new certs.
				42
				43	certificate = $dir/cacert.pem # The CA certificate
				44	serial = $dir/serial # The current serial number
				45	crl = $dir/crl.pem # The current CRL
				46	private_key = $dir/private/cakey.pem# The private key
				47	RANDFILE = $dir/private/.rand # private random number file
				48
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	49	x509_extensions = usr_cert # The extentions to add to the cert
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	50
Dr. Stephen Henson	e890dcd	2001-03-15 22:45:20 +0000	[diff] [blame]	51	# Comment out the following two lines for the "traditional"
				52	# (and highly broken) format.
				53	name_opt = ca_default # Subject Name options
				54	cert_opt = ca_default # Certificate field options
				55
Dr. Stephen Henson	791bd0c	2001-03-16 02:04:17 +0000	[diff] [blame]	56	# Extension copying option: use with caution.
				57	# copy_extensions = copy
				58
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	59	# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
				60	# so this is commented out by default to leave a V1 CRL.
				61	# crl_extensions = crl_ext
				62
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	63	default_days = 365 # how long to certify for
				64	default_crl_days= 30 # how long before next CRL
				65	default_md = md5 # which md to use.
				66	preserve = no # keep passed DN ordering
				67
				68	# A few difference way of specifying how similar the request should look
				69	# For type CA, the listed attributes must be the same, and the optional
				70	# and supplied fields are just that :-)
				71	policy = policy_match
				72
				73	# For the CA policy
				74	[ policy_match ]
				75	countryName = match
				76	stateOrProvinceName = match
				77	organizationName = match
				78	organizationalUnitName = optional
				79	commonName = supplied
				80	emailAddress = optional
				81
				82	# For the 'anything' policy
				83	# At this point in time, you must list all acceptable 'object'
				84	# types.
				85	[ policy_anything ]
				86	countryName = optional
				87	stateOrProvinceName = optional
				88	localityName = optional
				89	organizationName = optional
				90	organizationalUnitName = optional
				91	commonName = supplied
				92	emailAddress = optional
				93
				94	####################################################################
				95	[ req ]
				96	default_bits = 1024
				97	default_keyfile = privkey.pem
				98	distinguished_name = req_distinguished_name
				99	attributes = req_attributes
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	100	x509_extensions = v3_ca # The extentions to add to the self signed cert
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	101
Dr. Stephen Henson	36217a9	1999-12-24 23:53:57 +0000	[diff] [blame]	102	# Passwords for private keys if not present they will be prompted for
				103	# input_password = secret
				104	# output_password = secret
				105
Dr. Stephen Henson	b38f9f6	2000-01-06 01:26:48 +0000	[diff] [blame]	106	# This sets a mask for permitted string types. There are several options.
Dr. Stephen Henson	74400f7	1999-10-27 00:15:11 +0000	[diff] [blame]	107	# default: PrintableString, T61String, BMPString.
				108	# pkix : PrintableString, BMPString.
				109	# utf8only: only UTF8Strings.
Dr. Stephen Henson	b38f9f6	2000-01-06 01:26:48 +0000	[diff] [blame]	110	# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
Dr. Stephen Henson	74400f7	1999-10-27 00:15:11 +0000	[diff] [blame]	111	# MASK:XXXX a literal mask value.
				112	# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
				113	# so use this option with caution!
Dr. Stephen Henson	b38f9f6	2000-01-06 01:26:48 +0000	[diff] [blame]	114	string_mask = nombstr
Dr. Stephen Henson	74400f7	1999-10-27 00:15:11 +0000	[diff] [blame]	115
Dr. Stephen Henson	c79b16e	1999-08-25 16:59:26 +0000	[diff] [blame]	116	# req_extensions = v3_req # The extensions to add to a certificate request
				117
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	118	[ req_distinguished_name ]
				119	countryName = Country Name (2 letter code)
				120	countryName_default = AU
				121	countryName_min = 2
				122	countryName_max = 2
				123
				124	stateOrProvinceName = State or Province Name (full name)
				125	stateOrProvinceName_default = Some-State
				126
				127	localityName = Locality Name (eg, city)
				128
				129	0.organizationName = Organization Name (eg, company)
				130	0.organizationName_default = Internet Widgits Pty Ltd
				131
				132	# we can do this but it is not needed normally :-)
				133	#1.organizationName = Second Organization Name (eg, company)
Ralf S. Engelschall	06d5b16	1999-01-02 12:59:33 +0000	[diff] [blame]	134	#1.organizationName_default = World Wide Web Pty Ltd
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	135
				136	organizationalUnitName = Organizational Unit Name (eg, section)
				137	#organizationalUnitName_default =
				138
				139	commonName = Common Name (eg, YOUR name)
				140	commonName_max = 64
				141
				142	emailAddress = Email Address
Bodo Möller	d8c2ada	2001-03-04 01:33:55 +0000	[diff] [blame]	143	emailAddress_max = 64
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	144
Dr. Stephen Henson	a43aa73	1999-02-23 00:07:46 +0000	[diff] [blame]	145	# SET-ex3 = SET extension number 3
Ralf S. Engelschall	dfeab06	1998-12-21 11:00:56 +0000	[diff] [blame]	146
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	147	[ req_attributes ]
				148	challengePassword = A challenge password
				149	challengePassword_min = 4
				150	challengePassword_max = 20
				151
				152	unstructuredName = An optional company name
				153
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	154	[ usr_cert ]
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	155
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	156	# These extensions are added when 'ca' signs a request.
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	157
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	158	# This goes against PKIX guidelines but some CAs do it and some software
				159	# requires this to avoid interpreting an end user certificate as a CA.
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	160
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	161	basicConstraints=CA:FALSE
				162
				163	# Here are some examples of the usage of nsCertType. If it is omitted
				164	# the certificate can be used for anything except object signing.
				165
				166	# This is OK for an SSL server.
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	167	# nsCertType = server
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	168
				169	# For an object signing certificate this would be used.
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	170	# nsCertType = objsign
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	171
				172	# For normal client use this is typical
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	173	# nsCertType = client, email
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	174
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	175	# and for everything including object signing:
				176	# nsCertType = client, email, objsign
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	177
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	178	# This is typical in keyUsage for a client certificate.
				179	# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	180
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	181	# This will be displayed in Netscape's comment listbox.
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	182	nsComment = "OpenSSL Generated Certificate"
Dr. Stephen Henson	0be9747	1999-02-17 23:22:57 +0000	[diff] [blame]	183
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	184	# PKIX recommendations harmless if included in all certificates.
Dr. Stephen Henson	175b094	1999-02-10 01:12:59 +0000	[diff] [blame]	185	subjectKeyIdentifier=hash
Dr. Stephen Henson	0be9747	1999-02-17 23:22:57 +0000	[diff] [blame]	186	authorityKeyIdentifier=keyid,issuer:always
				187
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	188	# This stuff is for subjectAltName and issuerAltname.
Dr. Stephen Henson	aa066b9	1999-02-21 01:46:45 +0000	[diff] [blame]	189	# Import the email address.
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	190	# subjectAltName=email:copy
Richard Levitte	ed2e24d	2001-04-11 13:04:20 +0000	[diff] [blame^]	191	# An alternative to produce certificates that aren't
				192	# deprecated according to PKIX.
				193	# subjectAltName=email:move
Dr. Stephen Henson	aa066b9	1999-02-21 01:46:45 +0000	[diff] [blame]	194
				195	# Copy subject details
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	196	# issuerAltName=issuer:copy
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	197
				198	#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	199	#nsBaseUrl
				200	#nsRevocationUrl
				201	#nsRenewalUrl
				202	#nsCaPolicyUrl
				203	#nsSslServerName
Ralf S. Engelschall	d02b48c	1998-12-21 10:52:47 +0000	[diff] [blame]	204
Dr. Stephen Henson	c79b16e	1999-08-25 16:59:26 +0000	[diff] [blame]	205	[ v3_req ]
				206
				207	# Extensions to add to a certificate request
				208
				209	basicConstraints = CA:FALSE
				210	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
				211
Ralf S. Engelschall	5a97a0b	1999-08-08 09:39:43 +0000	[diff] [blame]	212	[ v3_ca ]
Dr. Stephen Henson	f317aa4	1999-01-25 01:09:21 +0000	[diff] [blame]	213
Dr. Stephen Henson	c79b16e	1999-08-25 16:59:26 +0000	[diff] [blame]	214
Dr. Stephen Henson	f317aa4	1999-01-25 01:09:21 +0000	[diff] [blame]	215	# Extensions for a typical CA
				216
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	217
Dr. Stephen Henson	175b094	1999-02-10 01:12:59 +0000	[diff] [blame]	218	# PKIX recommendation.
				219
				220	subjectKeyIdentifier=hash
				221
Dr. Stephen Henson	0be9747	1999-02-17 23:22:57 +0000	[diff] [blame]	222	authorityKeyIdentifier=keyid:always,issuer:always
				223
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	224	# This is what PKIX recommends but some broken software chokes on critical
				225	# extensions.
				226	#basicConstraints = critical,CA:true
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	227	# So we do this instead.
				228	basicConstraints = CA:true
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	229
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	230	# Key usage: this is typical for a CA certificate. However since it will
				231	# prevent it being used as an test self-signed certificate it is best
				232	# left out by default.
				233	# keyUsage = cRLSign, keyCertSign
Dr. Stephen Henson	f317aa4	1999-01-25 01:09:21 +0000	[diff] [blame]	234
Dr. Stephen Henson	b234766	1999-01-26 01:19:27 +0000	[diff] [blame]	235	# Some might want this also
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	236	# nsCertType = sslCA, emailCA
Dr. Stephen Henson	388ff0b	1999-02-14 16:48:22 +0000	[diff] [blame]	237
Dr. Stephen Henson	aa066b9	1999-02-21 01:46:45 +0000	[diff] [blame]	238	# Include email address in subject alt name: another PKIX recommendation
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	239	# subjectAltName=email:copy
Dr. Stephen Henson	aa066b9	1999-02-21 01:46:45 +0000	[diff] [blame]	240	# Copy issuer details
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	241	# issuerAltName=issuer:copy
Dr. Stephen Henson	aa066b9	1999-02-21 01:46:45 +0000	[diff] [blame]	242
Dr. Stephen Henson	c79b16e	1999-08-25 16:59:26 +0000	[diff] [blame]	243	# DER hex encoding of an extension: beware experts only!
				244	# obj=DER:02:03
				245	# Where 'obj' is a standard or added object
Dr. Stephen Henson	388ff0b	1999-02-14 16:48:22 +0000	[diff] [blame]	246	# You can even override a supported extension:
Dr. Stephen Henson	c79b16e	1999-08-25 16:59:26 +0000	[diff] [blame]	247	# basicConstraints= critical, DER:30:03:01:01:FF
Dr. Stephen Henson	1756d40	1999-03-06 19:33:29 +0000	[diff] [blame]	248
				249	[ crl_ext ]
				250
				251	# CRL extensions.
				252	# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
				253
Dr. Stephen Henson	257e206	1999-05-19 23:54:58 +0000	[diff] [blame]	254	# issuerAltName=issuer:copy
Dr. Stephen Henson	1756d40	1999-03-06 19:33:29 +0000	[diff] [blame]	255	authorityKeyIdentifier=keyid:always,issuer:always