1# 2# OpenSSL example configuration file. 3# See doc/man5/config.pod for more info. 4# 5# This is mostly being used for generation of certificate requests, 6# but may be used for auto loading of providers 7 8# Note that you can include other files from the main configuration 9# file using the .include directive. 10#.include filename 11 12# This definition stops the following lines choking if HOME isn't 13# defined. 14HOME = . 15 16 # Use this in order to automatically load providers. 17openssl_conf = openssl_init 18 19# Comment out the next line to ignore configuration errors 20config_diagnostics = 1 21 22# Extra OBJECT IDENTIFIER info: 23# oid_file = $ENV::HOME/.oid 24oid_section = new_oids 25 26# To use this configuration file with the "-extfile" option of the 27# "openssl x509" utility, name here the section containing the 28# X.509v3 extensions to use: 29# extensions = 30# (Alternatively, use a configuration file that has only 31# X.509v3 extensions in its main [= default] section.) 32 33[ new_oids ] 34# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 35# Add a simple OID like this: 36# testoid1=1.2.3.4 37# Or use config file substitution like this: 38# testoid2=${testoid1}.5.6 39 40# Policies used by the TSA examples. 41tsa_policy1 = 1.2.3.4.1 42tsa_policy2 = 1.2.3.4.5.6 43tsa_policy3 = 1.2.3.4.5.7 44 45# For FIPS 46# Optionally include a file that is generated by the OpenSSL fipsinstall 47# application. This file contains configuration data required by the OpenSSL 48# fips provider. It contains a named section e.g. [fips_sect] which is 49# referenced from the [provider_sect] below. 50# Refer to the OpenSSL security policy for more information. 51# .include fipsmodule.cnf 52 53[openssl_init] 54providers = provider_sect 55 56# List of providers to load 57[provider_sect] 58default = default_sect 59# The fips section name should match the section name inside the 60# included fipsmodule.cnf. 61# fips = fips_sect 62 63# If no providers are activated explicitly, the default one is activated implicitly. 64# See man 7 OSSL_PROVIDER-default for more details. 65# 66# If you add a section explicitly activating any other provider(s), you most 67# probably need to explicitly activate the default provider, otherwise it 68# becomes unavailable in openssl. As a consequence applications depending on 69# OpenSSL may not work correctly which could lead to significant system 70# problems including inability to remotely access the system. 71[default_sect] 72# activate = 1 73 74 75#################################################################### 76[ ca ] 77default_ca = CA_default # The default ca section 78 79#################################################################### 80[ CA_default ] 81 82dir = sys\$disk:[.demoCA # Where everything is kept 83certs = $dir.certs] # Where the issued certs are kept 84crl_dir = $dir.crl] # Where the issued crl are kept 85database = $dir]index.txt # database index file. 86#unique_subject = no # Set to 'no' to allow creation of 87 # several certs with same subject. 88new_certs_dir = $dir.newcerts] # default place for new certs. 89 90certificate = $dir]cacert.pem # The CA certificate 91serial = $dir]serial. # The current serial number 92crlnumber = $dir]crlnumber. # the current crl number 93 # must be commented out to leave a V1 CRL 94crl = $dir]crl.pem # The current CRL 95private_key = $dir.private]cakey.pem# The private key 96 97x509_extensions = usr_cert # The extensions to add to the cert 98 99# Comment out the following two lines for the "traditional" 100# (and highly broken) format. 101name_opt = ca_default # Subject Name options 102cert_opt = ca_default # Certificate field options 103 104# Extension copying option: use with caution. 105# copy_extensions = copy 106 107# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 108# so this is commented out by default to leave a V1 CRL. 109# crlnumber must also be commented out to leave a V1 CRL. 110# crl_extensions = crl_ext 111 112default_days = 365 # how long to certify for 113default_crl_days= 30 # how long before next CRL 114default_md = default # use public key default MD 115preserve = no # keep passed DN ordering 116 117# A few difference way of specifying how similar the request should look 118# For type CA, the listed attributes must be the same, and the optional 119# and supplied fields are just that :-) 120policy = policy_match 121 122# For the CA policy 123[ policy_match ] 124countryName = match 125stateOrProvinceName = match 126organizationName = match 127organizationalUnitName = optional 128commonName = supplied 129emailAddress = optional 130 131# For the 'anything' policy 132# At this point in time, you must list all acceptable 'object' 133# types. 134[ policy_anything ] 135countryName = optional 136stateOrProvinceName = optional 137localityName = optional 138organizationName = optional 139organizationalUnitName = optional 140commonName = supplied 141emailAddress = optional 142 143#################################################################### 144[ req ] 145default_bits = 2048 146default_keyfile = privkey.pem 147distinguished_name = req_distinguished_name 148attributes = req_attributes 149x509_extensions = v3_ca # The extensions to add to the self signed cert 150 151# Passwords for private keys if not present they will be prompted for 152# input_password = secret 153# output_password = secret 154 155# This sets a mask for permitted string types. There are several options. 156# default: PrintableString, T61String, BMPString. 157# pkix : PrintableString, BMPString (PKIX recommendation before 2004) 158# utf8only: only UTF8Strings (PKIX recommendation after 2004). 159# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 160# MASK:XXXX a literal mask value. 161# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 162string_mask = utf8only 163 164# req_extensions = v3_req # The extensions to add to a certificate request 165 166[ req_distinguished_name ] 167countryName = Country Name (2 letter code) 168countryName_default = AU 169countryName_min = 2 170countryName_max = 2 171 172stateOrProvinceName = State or Province Name (full name) 173stateOrProvinceName_default = Some-State 174 175localityName = Locality Name (eg, city) 176 1770.organizationName = Organization Name (eg, company) 1780.organizationName_default = Internet Widgits Pty Ltd 179 180# we can do this but it is not needed normally :-) 181#1.organizationName = Second Organization Name (eg, company) 182#1.organizationName_default = World Wide Web Pty Ltd 183 184organizationalUnitName = Organizational Unit Name (eg, section) 185#organizationalUnitName_default = 186 187commonName = Common Name (e.g. server FQDN or YOUR name) 188commonName_max = 64 189 190emailAddress = Email Address 191emailAddress_max = 64 192 193# SET-ex3 = SET extension number 3 194 195[ req_attributes ] 196challengePassword = A challenge password 197challengePassword_min = 4 198challengePassword_max = 20 199 200unstructuredName = An optional company name 201 202[ usr_cert ] 203 204# These extensions are added when 'ca' signs a request. 205 206# This goes against PKIX guidelines but some CAs do it and some software 207# requires this to avoid interpreting an end user certificate as a CA. 208 209basicConstraints=CA:FALSE 210 211# This is typical in keyUsage for a client certificate. 212# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 213 214# PKIX recommendations harmless if included in all certificates. 215subjectKeyIdentifier=hash 216authorityKeyIdentifier=keyid,issuer 217 218# This stuff is for subjectAltName and issuerAltname. 219# Import the email address. 220# subjectAltName=email:copy 221# An alternative to produce certificates that aren't 222# deprecated according to PKIX. 223# subjectAltName=email:move 224 225# Copy subject details 226# issuerAltName=issuer:copy 227 228# This is required for TSA certificates. 229# extendedKeyUsage = critical,timeStamping 230 231[ v3_req ] 232 233# Extensions to add to a certificate request 234 235basicConstraints = CA:FALSE 236keyUsage = nonRepudiation, digitalSignature, keyEncipherment 237 238[ v3_ca ] 239 240 241# Extensions for a typical CA 242 243 244# PKIX recommendation. 245 246subjectKeyIdentifier=hash 247 248authorityKeyIdentifier=keyid:always,issuer 249 250basicConstraints = critical,CA:true 251 252# Key usage: this is typical for a CA certificate. However since it will 253# prevent it being used as an test self-signed certificate it is best 254# left out by default. 255# keyUsage = cRLSign, keyCertSign 256 257# Include email address in subject alt name: another PKIX recommendation 258# subjectAltName=email:copy 259# Copy issuer details 260# issuerAltName=issuer:copy 261 262# DER hex encoding of an extension: beware experts only! 263# obj=DER:02:03 264# Where 'obj' is a standard or added object 265# You can even override a supported extension: 266# basicConstraints= critical, DER:30:03:01:01:FF 267 268[ crl_ext ] 269 270# CRL extensions. 271# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 272 273# issuerAltName=issuer:copy 274authorityKeyIdentifier=keyid:always 275 276[ proxy_cert_ext ] 277# These extensions should be added when creating a proxy certificate 278 279# This goes against PKIX guidelines but some CAs do it and some software 280# requires this to avoid interpreting an end user certificate as a CA. 281 282basicConstraints=CA:FALSE 283 284# This is typical in keyUsage for a client certificate. 285# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 286 287# PKIX recommendations harmless if included in all certificates. 288subjectKeyIdentifier=hash 289authorityKeyIdentifier=keyid,issuer 290 291# This stuff is for subjectAltName and issuerAltname. 292# Import the email address. 293# subjectAltName=email:copy 294# An alternative to produce certificates that aren't 295# deprecated according to PKIX. 296# subjectAltName=email:move 297 298# Copy subject details 299# issuerAltName=issuer:copy 300 301# This really needs to be in place for it to be a proxy certificate. 302proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 303 304#################################################################### 305[ tsa ] 306 307default_tsa = tsa_config1 # the default TSA section 308 309[ tsa_config1 ] 310 311# These are used by the TSA reply generation only. 312dir = sys\$disk:[.demoCA # TSA root directory 313serial = $dir]tsaserial. # The current serial number (mandatory) 314crypto_device = builtin # OpenSSL engine to use for signing 315signer_cert = $dir/tsacert.pem # The TSA signing certificate 316 # (optional) 317certs = $dir.cacert.pem] # Certificate chain to include in reply 318 # (optional) 319signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 320signer_digest = sha256 # Signing digest to use. (Optional) 321default_policy = tsa_policy1 # Policy if request did not specify it 322 # (optional) 323other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 324digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) 325accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 326clock_precision_digits = 0 # number of digits after dot. (optional) 327ordering = yes # Is ordering defined for timestamps? 328 # (optional, default: no) 329tsa_name = yes # Must the TSA name be included in the reply? 330 # (optional, default: no) 331ess_cert_id_chain = no # Must the ESS cert id chain be included? 332 # (optional, default: no) 333ess_cert_id_alg = sha1 # algorithm to compute certificate 334 # identifier (optional, default: sha1) 335 336[insta] # CMP using Insta Demo CA 337# Message transfer 338server = pki.certificate.fi:8700 339# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080 340# tls_use = 0 341path = pkix/ 342 343# Server authentication 344recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer 345ignore_keyusage = 1 # potentially needed quirk 346unprotected_errors = 1 # potentially needed quirk 347extracertsout = insta.extracerts.pem 348 349# Client authentication 350ref = 3078 # user identification 351secret = pass:insta # can be used for both client and server side 352 353# Generic message options 354cmd = ir # default operation, can be overridden on cmd line with, e.g., kur 355 356# Certificate enrollment 357subject = "/CN=openssl-cmp-test" 358newkey = insta.priv.pem 359out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature 360certout = insta.cert.pem 361 362[pbm] # Password-based protection for Insta CA 363# Server and client authentication 364ref = $insta::ref # 3078 365secret = $insta::secret # pass:insta 366 367[signature] # Signature-based protection for Insta CA 368# Server authentication 369trusted = $insta::out_trusted # apps/insta.ca.crt 370 371# Client authentication 372secret = # disable PBM 373key = $insta::newkey # insta.priv.pem 374cert = $insta::certout # insta.cert.pem 375 376[ir] 377cmd = ir 378 379[cr] 380cmd = cr 381 382[kur] 383# Certificate update 384cmd = kur 385oldcert = $insta::certout # insta.cert.pem 386 387[rr] 388# Certificate revocation 389cmd = rr 390oldcert = $insta::certout # insta.cert.pem 391