1# $FreeBSD$ 2# 3# OpenSSL example configuration file. 4# This is mostly being used for generation of certificate requests. 5# 6 7# This definition stops the following lines choking if HOME isn't 8# defined. 9HOME = . 10RANDFILE = $ENV::HOME/.rnd 11 12# Extra OBJECT IDENTIFIER info: 13#oid_file = $ENV::HOME/.oid 14oid_section = new_oids 15 16# To use this configuration file with the "-extfile" option of the 17# "openssl x509" utility, name here the section containing the 18# X.509v3 extensions to use: 19# extensions = 20# (Alternatively, use a configuration file that has only 21# X.509v3 extensions in its main [= default] section.) 22 23[ new_oids ] 24 25# We can add new OIDs in here for use by 'ca' and 'req'. 26# Add a simple OID like this: 27# testoid1=1.2.3.4 28# Or use config file substitution like this: 29# testoid2=${testoid1}.5.6 30 31#################################################################### 32[ ca ] 33default_ca = CA_default # The default ca section 34 35#################################################################### 36[ CA_default ] 37 38dir = ./demoCA # Where everything is kept 39certs = $dir/certs # Where the issued certs are kept 40crl_dir = $dir/crl # Where the issued crl are kept 41database = $dir/index.txt # database index file. 42#unique_subject = no # Set to 'no' to allow creation of 43 # several ctificates with same subject. 44new_certs_dir = $dir/newcerts # default place for new certs. 45 46certificate = $dir/cacert.pem # The CA certificate 47serial = $dir/serial # The current serial number 48crlnumber = $dir/crlnumber # the current crl number 49 # must be commented out to leave a V1 CRL 50crl = $dir/crl.pem # The current CRL 51private_key = $dir/private/cakey.pem# The private key 52RANDFILE = $dir/private/.rand # private random number file 53 54x509_extensions = usr_cert # The extentions to add to the cert 55 56# Comment out the following two lines for the "traditional" 57# (and highly broken) format. 58name_opt = ca_default # Subject Name options 59cert_opt = ca_default # Certificate field options 60 61# Extension copying option: use with caution. 62# copy_extensions = copy 63 64# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 65# so this is commented out by default to leave a V1 CRL. 66# crlnumber must also be commented out to leave a V1 CRL. 67# crl_extensions = crl_ext 68 69default_days = 365 # how long to certify for 70default_crl_days= 30 # how long before next CRL 71default_md = sha1 # which md to use. 72preserve = no # keep passed DN ordering 73 74# A few difference way of specifying how similar the request should look 75# For type CA, the listed attributes must be the same, and the optional 76# and supplied fields are just that :-) 77policy = policy_match 78 79# For the CA policy 80[ policy_match ] 81countryName = match 82stateOrProvinceName = match 83organizationName = match 84organizationalUnitName = optional 85commonName = supplied 86emailAddress = optional 87 88# For the 'anything' policy 89# At this point in time, you must list all acceptable 'object' 90# types. 91[ policy_anything ] 92countryName = optional 93stateOrProvinceName = optional 94localityName = optional 95organizationName = optional 96organizationalUnitName = optional 97commonName = supplied 98emailAddress = optional 99 100#################################################################### 101[ req ] 102default_bits = 1024 103default_keyfile = privkey.pem 104distinguished_name = req_distinguished_name 105attributes = req_attributes 106x509_extensions = v3_ca # The extentions to add to the self signed cert 107 108# Passwords for private keys if not present they will be prompted for 109# input_password = secret 110# output_password = secret 111 112# This sets a mask for permitted string types. There are several options. 113# default: PrintableString, T61String, BMPString. 114# pkix : PrintableString, BMPString. 115# utf8only: only UTF8Strings. 116# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 117# MASK:XXXX a literal mask value. 118# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 119# so use this option with caution! 120string_mask = nombstr 121 122# req_extensions = v3_req # The extensions to add to a certificate request 123 124[ req_distinguished_name ] 125countryName = Country Name (2 letter code) 126countryName_default = AU 127countryName_min = 2 128countryName_max = 2 129 130stateOrProvinceName = State or Province Name (full name) 131stateOrProvinceName_default = Some-State 132 133localityName = Locality Name (eg, city) 134 1350.organizationName = Organization Name (eg, company) 1360.organizationName_default = Internet Widgits Pty Ltd 137 138# we can do this but it is not needed normally :-) 139#1.organizationName = Second Organization Name (eg, company) 140#1.organizationName_default = World Wide Web Pty Ltd 141 142organizationalUnitName = Organizational Unit Name (eg, section) 143#organizationalUnitName_default = 144 145commonName = Common Name (eg, YOUR name) 146commonName_max = 64 147 148emailAddress = Email Address 149emailAddress_max = 64 150 151# SET-ex3 = SET extension number 3 152 153[ req_attributes ] 154challengePassword = A challenge password 155challengePassword_min = 4 156challengePassword_max = 20 157 158unstructuredName = An optional company name 159 160[ usr_cert ] 161 162# These extensions are added when 'ca' signs a request. 163 164# This goes against PKIX guidelines but some CAs do it and some software 165# requires this to avoid interpreting an end user certificate as a CA. 166 167basicConstraints=CA:FALSE 168 169# Here are some examples of the usage of nsCertType. If it is omitted 170# the certificate can be used for anything *except* object signing. 171 172# This is OK for an SSL server. 173# nsCertType = server 174 175# For an object signing certificate this would be used. 176# nsCertType = objsign 177 178# For normal client use this is typical 179# nsCertType = client, email 180 181# and for everything including object signing: 182# nsCertType = client, email, objsign 183 184# This is typical in keyUsage for a client certificate. 185# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 186 187# This will be displayed in Netscape's comment listbox. 188nsComment = "OpenSSL Generated Certificate" 189 190# PKIX recommendations harmless if included in all certificates. 191subjectKeyIdentifier=hash 192authorityKeyIdentifier=keyid,issuer 193 194# This stuff is for subjectAltName and issuerAltname. 195# Import the email address. 196# subjectAltName=email:copy 197# An alternative to produce certificates that aren't 198# deprecated according to PKIX. 199# subjectAltName=email:move 200 201# Copy subject details 202# issuerAltName=issuer:copy 203 204#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 205#nsBaseUrl 206#nsRevocationUrl 207#nsRenewalUrl 208#nsCaPolicyUrl 209#nsSslServerName 210 211[ v3_req ] 212 213# Extensions to add to a certificate request 214 215basicConstraints = CA:FALSE 216keyUsage = nonRepudiation, digitalSignature, keyEncipherment 217 218[ v3_ca ] 219 220 221# Extensions for a typical CA 222 223 224# PKIX recommendation. 225 226subjectKeyIdentifier=hash 227 228authorityKeyIdentifier=keyid:always,issuer:always 229 230# This is what PKIX recommends but some broken software chokes on critical 231# extensions. 232#basicConstraints = critical,CA:true 233# So we do this instead. 234basicConstraints = CA:true 235 236# Key usage: this is typical for a CA certificate. However since it will 237# prevent it being used as an test self-signed certificate it is best 238# left out by default. 239# keyUsage = cRLSign, keyCertSign 240 241# Some might want this also 242# nsCertType = sslCA, emailCA 243 244# Include email address in subject alt name: another PKIX recommendation 245# subjectAltName=email:copy 246# Copy issuer details 247# issuerAltName=issuer:copy 248 249# DER hex encoding of an extension: beware experts only! 250# obj=DER:02:03 251# Where 'obj' is a standard or added object 252# You can even override a supported extension: 253# basicConstraints= critical, DER:30:03:01:01:FF 254 255[ crl_ext ] 256 257# CRL extensions. 258# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 259 260# issuerAltName=issuer:copy 261authorityKeyIdentifier=keyid:always,issuer:always 262 263[ proxy_cert_ext ] 264# These extensions should be added when creating a proxy certificate 265 266# This goes against PKIX guidelines but some CAs do it and some software 267# requires this to avoid interpreting an end user certificate as a CA. 268 269basicConstraints=CA:FALSE 270 271# Here are some examples of the usage of nsCertType. If it is omitted 272# the certificate can be used for anything *except* object signing. 273 274# This is OK for an SSL server. 275# nsCertType = server 276 277# For an object signing certificate this would be used. 278# nsCertType = objsign 279 280# For normal client use this is typical 281# nsCertType = client, email 282 283# and for everything including object signing: 284# nsCertType = client, email, objsign 285 286# This is typical in keyUsage for a client certificate. 287# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 288 289# This will be displayed in Netscape's comment listbox. 290nsComment = "OpenSSL Generated Certificate" 291 292# PKIX recommendations harmless if included in all certificates. 293subjectKeyIdentifier=hash 294authorityKeyIdentifier=keyid,issuer:always 295 296# This stuff is for subjectAltName and issuerAltname. 297# Import the email address. 298# subjectAltName=email:copy 299# An alternative to produce certificates that aren't 300# deprecated according to PKIX. 301# subjectAltName=email:move 302 303# Copy subject details 304# issuerAltName=issuer:copy 305 306#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 307#nsBaseUrl 308#nsRevocationUrl 309#nsRenewalUrl 310#nsCaPolicyUrl 311#nsSslServerName 312 313# This really needs to be in place for it to be a proxy certificate. 314proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 315