xref: /freebsd/crypto/openssl/apps/openssl.cnf (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
1# $FreeBSD$
2#
3# OpenSSL example configuration file.
4# See doc/man5/config.pod for more info.
5#
6# This is mostly being used for generation of certificate requests,
7# but may be used for auto loading of providers
8
9# Note that you can include other files from the main configuration
10# file using the .include directive.
11#.include filename
12
13# This definition stops the following lines choking if HOME isn't
14# defined.
15HOME			= .
16
17 # Use this in order to automatically load providers.
18openssl_conf = openssl_init
19
20# Comment out the next line to ignore configuration errors
21config_diagnostics = 1
22
23# Extra OBJECT IDENTIFIER info:
24# oid_file       = $ENV::HOME/.oid
25oid_section = new_oids
26
27# To use this configuration file with the "-extfile" option of the
28# "openssl x509" utility, name here the section containing the
29# X.509v3 extensions to use:
30# extensions		=
31# (Alternatively, use a configuration file that has only
32# X.509v3 extensions in its main [= default] section.)
33
34[ new_oids ]
35# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
36# Add a simple OID like this:
37# testoid1=1.2.3.4
38# Or use config file substitution like this:
39# testoid2=${testoid1}.5.6
40
41# Policies used by the TSA examples.
42tsa_policy1 = 1.2.3.4.1
43tsa_policy2 = 1.2.3.4.5.6
44tsa_policy3 = 1.2.3.4.5.7
45
46# For FIPS
47# Optionally include a file that is generated by the OpenSSL fipsinstall
48# application. This file contains configuration data required by the OpenSSL
49# fips provider. It contains a named section e.g. [fips_sect] which is
50# referenced from the [provider_sect] below.
51# Refer to the OpenSSL security policy for more information.
52# .include fipsmodule.cnf
53
54[openssl_init]
55providers = provider_sect
56
57# List of providers to load
58[provider_sect]
59default = default_sect
60# The fips section name should match the section name inside the
61# included fipsmodule.cnf.
62# fips = fips_sect
63
64# If no providers are activated explicitly, the default one is activated implicitly.
65# See man 7 OSSL_PROVIDER-default for more details.
66#
67# If you add a section explicitly activating any other provider(s), you most
68# probably need to explicitly activate the default provider, otherwise it
69# becomes unavailable in openssl.  As a consequence applications depending on
70# OpenSSL may not work correctly which could lead to significant system
71# problems including inability to remotely access the system.
72[default_sect]
73# activate = 1
74
75
76####################################################################
77[ ca ]
78default_ca	= CA_default		# The default ca section
79
80####################################################################
81[ CA_default ]
82
83dir		= ./demoCA		# Where everything is kept
84certs		= $dir/certs		# Where the issued certs are kept
85crl_dir		= $dir/crl		# Where the issued crl are kept
86database	= $dir/index.txt	# database index file.
87#unique_subject	= no			# Set to 'no' to allow creation of
88					# several certs with same subject.
89new_certs_dir	= $dir/newcerts		# default place for new certs.
90
91certificate	= $dir/cacert.pem 	# The CA certificate
92serial		= $dir/serial 		# The current serial number
93crlnumber	= $dir/crlnumber	# the current crl number
94					# must be commented out to leave a V1 CRL
95crl		= $dir/crl.pem 		# The current CRL
96private_key	= $dir/private/cakey.pem# The private key
97
98x509_extensions	= usr_cert		# The extensions to add to the cert
99
100# Comment out the following two lines for the "traditional"
101# (and highly broken) format.
102name_opt 	= ca_default		# Subject Name options
103cert_opt 	= ca_default		# Certificate field options
104
105# Extension copying option: use with caution.
106# copy_extensions = copy
107
108# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
109# so this is commented out by default to leave a V1 CRL.
110# crlnumber must also be commented out to leave a V1 CRL.
111# crl_extensions	= crl_ext
112
113default_days	= 365			# how long to certify for
114default_crl_days= 30			# how long before next CRL
115default_md	= default		# use public key default MD
116preserve	= no			# keep passed DN ordering
117
118# A few difference way of specifying how similar the request should look
119# For type CA, the listed attributes must be the same, and the optional
120# and supplied fields are just that :-)
121policy		= policy_match
122
123# For the CA policy
124[ policy_match ]
125countryName		= match
126stateOrProvinceName	= match
127organizationName	= match
128organizationalUnitName	= optional
129commonName		= supplied
130emailAddress		= optional
131
132# For the 'anything' policy
133# At this point in time, you must list all acceptable 'object'
134# types.
135[ policy_anything ]
136countryName		= optional
137stateOrProvinceName	= optional
138localityName		= optional
139organizationName	= optional
140organizationalUnitName	= optional
141commonName		= supplied
142emailAddress		= optional
143
144####################################################################
145[ req ]
146default_bits		= 2048
147default_keyfile 	= privkey.pem
148distinguished_name	= req_distinguished_name
149attributes		= req_attributes
150x509_extensions	= v3_ca	# The extensions to add to the self signed cert
151
152# Passwords for private keys if not present they will be prompted for
153# input_password = secret
154# output_password = secret
155
156# This sets a mask for permitted string types. There are several options.
157# default: PrintableString, T61String, BMPString.
158# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
159# utf8only: only UTF8Strings (PKIX recommendation after 2004).
160# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
161# MASK:XXXX a literal mask value.
162# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
163string_mask = utf8only
164
165# req_extensions = v3_req # The extensions to add to a certificate request
166
167[ req_distinguished_name ]
168countryName			= Country Name (2 letter code)
169countryName_default		= AU
170countryName_min			= 2
171countryName_max			= 2
172
173stateOrProvinceName		= State or Province Name (full name)
174stateOrProvinceName_default	= Some-State
175
176localityName			= Locality Name (eg, city)
177
1780.organizationName		= Organization Name (eg, company)
1790.organizationName_default	= Internet Widgits Pty Ltd
180
181# we can do this but it is not needed normally :-)
182#1.organizationName		= Second Organization Name (eg, company)
183#1.organizationName_default	= World Wide Web Pty Ltd
184
185organizationalUnitName		= Organizational Unit Name (eg, section)
186#organizationalUnitName_default	=
187
188commonName			= Common Name (e.g. server FQDN or YOUR name)
189commonName_max			= 64
190
191emailAddress			= Email Address
192emailAddress_max		= 64
193
194# SET-ex3			= SET extension number 3
195
196[ req_attributes ]
197challengePassword		= A challenge password
198challengePassword_min		= 4
199challengePassword_max		= 20
200
201unstructuredName		= An optional company name
202
203[ usr_cert ]
204
205# These extensions are added when 'ca' signs a request.
206
207# This goes against PKIX guidelines but some CAs do it and some software
208# requires this to avoid interpreting an end user certificate as a CA.
209
210basicConstraints=CA:FALSE
211
212# This is typical in keyUsage for a client certificate.
213# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
214
215# PKIX recommendations harmless if included in all certificates.
216subjectKeyIdentifier=hash
217authorityKeyIdentifier=keyid,issuer
218
219# This stuff is for subjectAltName and issuerAltname.
220# Import the email address.
221# subjectAltName=email:copy
222# An alternative to produce certificates that aren't
223# deprecated according to PKIX.
224# subjectAltName=email:move
225
226# Copy subject details
227# issuerAltName=issuer:copy
228
229# This is required for TSA certificates.
230# extendedKeyUsage = critical,timeStamping
231
232[ v3_req ]
233
234# Extensions to add to a certificate request
235
236basicConstraints = CA:FALSE
237keyUsage = nonRepudiation, digitalSignature, keyEncipherment
238
239[ v3_ca ]
240
241
242# Extensions for a typical CA
243
244
245# PKIX recommendation.
246
247subjectKeyIdentifier=hash
248
249authorityKeyIdentifier=keyid:always,issuer
250
251basicConstraints = critical,CA:true
252
253# Key usage: this is typical for a CA certificate. However since it will
254# prevent it being used as an test self-signed certificate it is best
255# left out by default.
256# keyUsage = cRLSign, keyCertSign
257
258# Include email address in subject alt name: another PKIX recommendation
259# subjectAltName=email:copy
260# Copy issuer details
261# issuerAltName=issuer:copy
262
263# DER hex encoding of an extension: beware experts only!
264# obj=DER:02:03
265# Where 'obj' is a standard or added object
266# You can even override a supported extension:
267# basicConstraints= critical, DER:30:03:01:01:FF
268
269[ crl_ext ]
270
271# CRL extensions.
272# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
273
274# issuerAltName=issuer:copy
275authorityKeyIdentifier=keyid:always
276
277[ proxy_cert_ext ]
278# These extensions should be added when creating a proxy certificate
279
280# This goes against PKIX guidelines but some CAs do it and some software
281# requires this to avoid interpreting an end user certificate as a CA.
282
283basicConstraints=CA:FALSE
284
285# This is typical in keyUsage for a client certificate.
286# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
287
288# PKIX recommendations harmless if included in all certificates.
289subjectKeyIdentifier=hash
290authorityKeyIdentifier=keyid,issuer
291
292# This stuff is for subjectAltName and issuerAltname.
293# Import the email address.
294# subjectAltName=email:copy
295# An alternative to produce certificates that aren't
296# deprecated according to PKIX.
297# subjectAltName=email:move
298
299# Copy subject details
300# issuerAltName=issuer:copy
301
302# This really needs to be in place for it to be a proxy certificate.
303proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
304
305####################################################################
306[ tsa ]
307
308default_tsa = tsa_config1	# the default TSA section
309
310[ tsa_config1 ]
311
312# These are used by the TSA reply generation only.
313dir		= ./demoCA		# TSA root directory
314serial		= $dir/tsaserial	# The current serial number (mandatory)
315crypto_device	= builtin		# OpenSSL engine to use for signing
316signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
317					# (optional)
318certs		= $dir/cacert.pem	# Certificate chain to include in reply
319					# (optional)
320signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
321signer_digest  = sha256			# Signing digest to use. (Optional)
322default_policy	= tsa_policy1		# Policy if request did not specify it
323					# (optional)
324other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
325digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
326accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
327clock_precision_digits  = 0	# number of digits after dot. (optional)
328ordering		= yes	# Is ordering defined for timestamps?
329				# (optional, default: no)
330tsa_name		= yes	# Must the TSA name be included in the reply?
331				# (optional, default: no)
332ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
333				# (optional, default: no)
334ess_cert_id_alg		= sha1	# algorithm to compute certificate
335				# identifier (optional, default: sha1)
336
337[insta] # CMP using Insta Demo CA
338# Message transfer
339server = pki.certificate.fi:8700
340# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
341# tls_use = 0
342path = pkix/
343
344# Server authentication
345recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
346ignore_keyusage = 1 # potentially needed quirk
347unprotected_errors = 1 # potentially needed quirk
348extracertsout = insta.extracerts.pem
349
350# Client authentication
351ref = 3078 # user identification
352secret = pass:insta # can be used for both client and server side
353
354# Generic message options
355cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
356
357# Certificate enrollment
358subject = "/CN=openssl-cmp-test"
359newkey = insta.priv.pem
360out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
361certout = insta.cert.pem
362
363[pbm] # Password-based protection for Insta CA
364# Server and client authentication
365ref = $insta::ref # 3078
366secret = $insta::secret # pass:insta
367
368[signature] # Signature-based protection for Insta CA
369# Server authentication
370trusted = $insta::out_trusted # apps/insta.ca.crt
371
372# Client authentication
373secret = # disable PBM
374key = $insta::newkey # insta.priv.pem
375cert = $insta::certout # insta.cert.pem
376
377[ir]
378cmd = ir
379
380[cr]
381cmd = cr
382
383[kur]
384# Certificate update
385cmd = kur
386oldcert = $insta::certout # insta.cert.pem
387
388[rr]
389# Certificate revocation
390cmd = rr
391oldcert = $insta::certout # insta.cert.pem
392