xref: /freebsd/crypto/openssl/apps/openssl.cnf (revision 396c556d77189a5c474d35cec6f44a762e310b7d)
1# $FreeBSD$
2#
3# OpenSSL example configuration file.
4# This is mostly being used for generation of certificate requests.
5#
6
7# This definition stops the following lines choking if HOME isn't
8# defined.
9HOME			= .
10RANDFILE		= $ENV::HOME/.rnd
11
12# Extra OBJECT IDENTIFIER info:
13#oid_file		= $ENV::HOME/.oid
14oid_section		= new_oids
15
16# To use this configuration file with the "-extfile" option of the
17# "openssl x509" utility, name here the section containing the
18# X.509v3 extensions to use:
19# extensions		=
20# (Alternatively, use a configuration file that has only
21# X.509v3 extensions in its main [= default] section.)
22
23[ new_oids ]
24
25# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
26# Add a simple OID like this:
27# testoid1=1.2.3.4
28# Or use config file substitution like this:
29# testoid2=${testoid1}.5.6
30
31# Policies used by the TSA examples.
32tsa_policy1 = 1.2.3.4.1
33tsa_policy2 = 1.2.3.4.5.6
34tsa_policy3 = 1.2.3.4.5.7
35
36####################################################################
37[ ca ]
38default_ca	= CA_default		# The default ca section
39
40####################################################################
41[ CA_default ]
42
43dir		= ./demoCA		# Where everything is kept
44certs		= $dir/certs		# Where the issued certs are kept
45crl_dir		= $dir/crl		# Where the issued crl are kept
46database	= $dir/index.txt	# database index file.
47#unique_subject	= no			# Set to 'no' to allow creation of
48					# several ctificates with same subject.
49new_certs_dir	= $dir/newcerts		# default place for new certs.
50
51certificate	= $dir/cacert.pem 	# The CA certificate
52serial		= $dir/serial 		# The current serial number
53crlnumber	= $dir/crlnumber	# the current crl number
54					# must be commented out to leave a V1 CRL
55crl		= $dir/crl.pem 		# The current CRL
56private_key	= $dir/private/cakey.pem# The private key
57RANDFILE	= $dir/private/.rand	# private random number file
58
59x509_extensions	= usr_cert		# The extentions to add to the cert
60
61# Comment out the following two lines for the "traditional"
62# (and highly broken) format.
63name_opt 	= ca_default		# Subject Name options
64cert_opt 	= ca_default		# Certificate field options
65
66# Extension copying option: use with caution.
67# copy_extensions = copy
68
69# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
70# so this is commented out by default to leave a V1 CRL.
71# crlnumber must also be commented out to leave a V1 CRL.
72# crl_extensions	= crl_ext
73
74default_days	= 365			# how long to certify for
75default_crl_days= 30			# how long before next CRL
76default_md	= default		# use public key default MD
77preserve	= no			# keep passed DN ordering
78
79# A few difference way of specifying how similar the request should look
80# For type CA, the listed attributes must be the same, and the optional
81# and supplied fields are just that :-)
82policy		= policy_match
83
84# For the CA policy
85[ policy_match ]
86countryName		= match
87stateOrProvinceName	= match
88organizationName	= match
89organizationalUnitName	= optional
90commonName		= supplied
91emailAddress		= optional
92
93# For the 'anything' policy
94# At this point in time, you must list all acceptable 'object'
95# types.
96[ policy_anything ]
97countryName		= optional
98stateOrProvinceName	= optional
99localityName		= optional
100organizationName	= optional
101organizationalUnitName	= optional
102commonName		= supplied
103emailAddress		= optional
104
105####################################################################
106[ req ]
107default_bits		= 2048
108default_keyfile 	= privkey.pem
109distinguished_name	= req_distinguished_name
110attributes		= req_attributes
111x509_extensions	= v3_ca	# The extentions to add to the self signed cert
112
113# Passwords for private keys if not present they will be prompted for
114# input_password = secret
115# output_password = secret
116
117# This sets a mask for permitted string types. There are several options.
118# default: PrintableString, T61String, BMPString.
119# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
120# utf8only: only UTF8Strings (PKIX recommendation after 2004).
121# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
122# MASK:XXXX a literal mask value.
123# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
124string_mask = utf8only
125
126# req_extensions = v3_req # The extensions to add to a certificate request
127
128[ req_distinguished_name ]
129countryName			= Country Name (2 letter code)
130countryName_default		= AU
131countryName_min			= 2
132countryName_max			= 2
133
134stateOrProvinceName		= State or Province Name (full name)
135stateOrProvinceName_default	= Some-State
136
137localityName			= Locality Name (eg, city)
138
1390.organizationName		= Organization Name (eg, company)
1400.organizationName_default	= Internet Widgits Pty Ltd
141
142# we can do this but it is not needed normally :-)
143#1.organizationName		= Second Organization Name (eg, company)
144#1.organizationName_default	= World Wide Web Pty Ltd
145
146organizationalUnitName		= Organizational Unit Name (eg, section)
147#organizationalUnitName_default	=
148
149commonName			= Common Name (e.g. server FQDN or YOUR name)
150commonName_max			= 64
151
152emailAddress			= Email Address
153emailAddress_max		= 64
154
155# SET-ex3			= SET extension number 3
156
157[ req_attributes ]
158challengePassword		= A challenge password
159challengePassword_min		= 4
160challengePassword_max		= 20
161
162unstructuredName		= An optional company name
163
164[ usr_cert ]
165
166# These extensions are added when 'ca' signs a request.
167
168# This goes against PKIX guidelines but some CAs do it and some software
169# requires this to avoid interpreting an end user certificate as a CA.
170
171basicConstraints=CA:FALSE
172
173# Here are some examples of the usage of nsCertType. If it is omitted
174# the certificate can be used for anything *except* object signing.
175
176# This is OK for an SSL server.
177# nsCertType			= server
178
179# For an object signing certificate this would be used.
180# nsCertType = objsign
181
182# For normal client use this is typical
183# nsCertType = client, email
184
185# and for everything including object signing:
186# nsCertType = client, email, objsign
187
188# This is typical in keyUsage for a client certificate.
189# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
190
191# This will be displayed in Netscape's comment listbox.
192nsComment			= "OpenSSL Generated Certificate"
193
194# PKIX recommendations harmless if included in all certificates.
195subjectKeyIdentifier=hash
196authorityKeyIdentifier=keyid,issuer
197
198# This stuff is for subjectAltName and issuerAltname.
199# Import the email address.
200# subjectAltName=email:copy
201# An alternative to produce certificates that aren't
202# deprecated according to PKIX.
203# subjectAltName=email:move
204
205# Copy subject details
206# issuerAltName=issuer:copy
207
208#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
209#nsBaseUrl
210#nsRevocationUrl
211#nsRenewalUrl
212#nsCaPolicyUrl
213#nsSslServerName
214
215# This is required for TSA certificates.
216# extendedKeyUsage = critical,timeStamping
217
218[ v3_req ]
219
220# Extensions to add to a certificate request
221
222basicConstraints = CA:FALSE
223keyUsage = nonRepudiation, digitalSignature, keyEncipherment
224
225[ v3_ca ]
226
227
228# Extensions for a typical CA
229
230
231# PKIX recommendation.
232
233subjectKeyIdentifier=hash
234
235authorityKeyIdentifier=keyid:always,issuer
236
237# This is what PKIX recommends but some broken software chokes on critical
238# extensions.
239#basicConstraints = critical,CA:true
240# So we do this instead.
241basicConstraints = CA:true
242
243# Key usage: this is typical for a CA certificate. However since it will
244# prevent it being used as an test self-signed certificate it is best
245# left out by default.
246# keyUsage = cRLSign, keyCertSign
247
248# Some might want this also
249# nsCertType = sslCA, emailCA
250
251# Include email address in subject alt name: another PKIX recommendation
252# subjectAltName=email:copy
253# Copy issuer details
254# issuerAltName=issuer:copy
255
256# DER hex encoding of an extension: beware experts only!
257# obj=DER:02:03
258# Where 'obj' is a standard or added object
259# You can even override a supported extension:
260# basicConstraints= critical, DER:30:03:01:01:FF
261
262[ crl_ext ]
263
264# CRL extensions.
265# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
266
267# issuerAltName=issuer:copy
268authorityKeyIdentifier=keyid:always
269
270[ proxy_cert_ext ]
271# These extensions should be added when creating a proxy certificate
272
273# This goes against PKIX guidelines but some CAs do it and some software
274# requires this to avoid interpreting an end user certificate as a CA.
275
276basicConstraints=CA:FALSE
277
278# Here are some examples of the usage of nsCertType. If it is omitted
279# the certificate can be used for anything *except* object signing.
280
281# This is OK for an SSL server.
282# nsCertType			= server
283
284# For an object signing certificate this would be used.
285# nsCertType = objsign
286
287# For normal client use this is typical
288# nsCertType = client, email
289
290# and for everything including object signing:
291# nsCertType = client, email, objsign
292
293# This is typical in keyUsage for a client certificate.
294# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
295
296# This will be displayed in Netscape's comment listbox.
297nsComment			= "OpenSSL Generated Certificate"
298
299# PKIX recommendations harmless if included in all certificates.
300subjectKeyIdentifier=hash
301authorityKeyIdentifier=keyid,issuer
302
303# This stuff is for subjectAltName and issuerAltname.
304# Import the email address.
305# subjectAltName=email:copy
306# An alternative to produce certificates that aren't
307# deprecated according to PKIX.
308# subjectAltName=email:move
309
310# Copy subject details
311# issuerAltName=issuer:copy
312
313#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
314#nsBaseUrl
315#nsRevocationUrl
316#nsRenewalUrl
317#nsCaPolicyUrl
318#nsSslServerName
319
320# This really needs to be in place for it to be a proxy certificate.
321proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
322
323####################################################################
324[ tsa ]
325
326default_tsa = tsa_config1	# the default TSA section
327
328[ tsa_config1 ]
329
330# These are used by the TSA reply generation only.
331dir		= ./demoCA		# TSA root directory
332serial		= $dir/tsaserial	# The current serial number (mandatory)
333crypto_device	= builtin		# OpenSSL engine to use for signing
334signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
335					# (optional)
336certs		= $dir/cacert.pem	# Certificate chain to include in reply
337					# (optional)
338signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
339
340default_policy	= tsa_policy1		# Policy if request did not specify it
341					# (optional)
342other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
343digests		= md5, sha1		# Acceptable message digests (mandatory)
344accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
345clock_precision_digits  = 0	# number of digits after dot. (optional)
346ordering		= yes	# Is ordering defined for timestamps?
347				# (optional, default: no)
348tsa_name		= yes	# Must the TSA name be included in the reply?
349				# (optional, default: no)
350ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
351				# (optional, default: no)
352