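#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by the OpenSSL config parser (the 'ca', 'req' and 'x509' commands
# below). A '#' starts a comment anywhere on a line, including after a
# value; $name and $ENV::name are substituted by the parser.

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca = CA_default  # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA  # Where everything is kept
certs = $dir/certs  # Where the issued certs are kept
crl_dir = $dir/crl  # Where the issued crl are kept
database = $dir/index.txt  # database index file.
new_certs_dir = $dir/newcerts  # default place for new certs.

certificate = $dir/cacert.pem  # The CA certificate
serial = $dir/serial  # The current serial number
crl = $dir/crl.pem  # The current CRL
private_key = $dir/private/cakey.pem  # The private key
RANDFILE = $dir/private/.rand  # private random number file

x509_extensions = usr_cert  # The extensions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365  # how long to certify for
default_crl_days = 30  # how long before next CRL
# Signature digest for issued certificates and CRLs. The old value here
# was md5, which is collision-broken and must not be used to sign
# certificates; sha256 is the current baseline.
default_md = sha256  # which md to use.
preserve = no  # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# Size of newly generated RSA keys. The old value here was 1024, which
# is too small for current use; 2048 is the minimum to use.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca  # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for.
# Leave these commented out unless unavoidable: a value set here is kept
# in clear text and is readable by anyone who can read this file.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req  # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints = CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName = email:copy

# Copy subject details
# issuerAltName = issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default. Enable it for any CA whose certificates are used
# beyond local testing, so the CA key cannot also act as an end-entity key.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName = email:copy
# Copy issuer details
# issuerAltName = issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj = DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints = critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always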