1# $FreeBSD$ 2# 3# OpenSSL example configuration file. 4# This is mostly being used for generation of certificate requests. 5# 6 7# Note that you can include other files from the main configuration 8# file using the .include directive. 9#.include filename 10 11# This definition stops the following lines choking if HOME isn't 12# defined. 13HOME = . 14RANDFILE = $ENV::HOME/.rnd 15 16# Extra OBJECT IDENTIFIER info: 17#oid_file = $ENV::HOME/.oid 18oid_section = new_oids 19 20# To use this configuration file with the "-extfile" option of the 21# "openssl x509" utility, name here the section containing the 22# X.509v3 extensions to use: 23# extensions = 24# (Alternatively, use a configuration file that has only 25# X.509v3 extensions in its main [= default] section.) 26 27[ new_oids ] 28 29# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 30# Add a simple OID like this: 31# testoid1=1.2.3.4 32# Or use config file substitution like this: 33# testoid2=${testoid1}.5.6 34 35# Policies used by the TSA examples. 36tsa_policy1 = 1.2.3.4.1 37tsa_policy2 = 1.2.3.4.5.6 38tsa_policy3 = 1.2.3.4.5.7 39 40#################################################################### 41[ ca ] 42default_ca = CA_default # The default ca section 43 44#################################################################### 45[ CA_default ] 46 47dir = ./demoCA # Where everything is kept 48certs = $dir/certs # Where the issued certs are kept 49crl_dir = $dir/crl # Where the issued crl are kept 50database = $dir/index.txt # database index file. 51#unique_subject = no # Set to 'no' to allow creation of 52 # several certs with same subject. 53new_certs_dir = $dir/newcerts # default place for new certs. 54 55certificate = $dir/cacert.pem # The CA certificate 56serial = $dir/serial # The current serial number 57crlnumber = $dir/crlnumber # the current crl number 58 # must be commented out to leave a V1 CRL 59crl = $dir/crl.pem # The current CRL 60private_key = $dir/private/cakey.pem# The private key 61RANDFILE = $dir/private/.rand # private random number file 62 63x509_extensions = usr_cert # The extensions to add to the cert 64 65# Comment out the following two lines for the "traditional" 66# (and highly broken) format. 67name_opt = ca_default # Subject Name options 68cert_opt = ca_default # Certificate field options 69 70# Extension copying option: use with caution. 71# copy_extensions = copy 72 73# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 74# so this is commented out by default to leave a V1 CRL. 75# crlnumber must also be commented out to leave a V1 CRL. 76# crl_extensions = crl_ext 77 78default_days = 365 # how long to certify for 79default_crl_days= 30 # how long before next CRL 80default_md = default # use public key default MD 81preserve = no # keep passed DN ordering 82 83# A few difference way of specifying how similar the request should look 84# For type CA, the listed attributes must be the same, and the optional 85# and supplied fields are just that :-) 86policy = policy_match 87 88# For the CA policy 89[ policy_match ] 90countryName = match 91stateOrProvinceName = match 92organizationName = match 93organizationalUnitName = optional 94commonName = supplied 95emailAddress = optional 96 97# For the 'anything' policy 98# At this point in time, you must list all acceptable 'object' 99# types. 100[ policy_anything ] 101countryName = optional 102stateOrProvinceName = optional 103localityName = optional 104organizationName = optional 105organizationalUnitName = optional 106commonName = supplied 107emailAddress = optional 108 109#################################################################### 110[ req ] 111default_bits = 2048 112default_keyfile = privkey.pem 113distinguished_name = req_distinguished_name 114attributes = req_attributes 115x509_extensions = v3_ca # The extensions to add to the self signed cert 116 117# Passwords for private keys if not present they will be prompted for 118# input_password = secret 119# output_password = secret 120 121# This sets a mask for permitted string types. There are several options. 122# default: PrintableString, T61String, BMPString. 123# pkix : PrintableString, BMPString (PKIX recommendation before 2004) 124# utf8only: only UTF8Strings (PKIX recommendation after 2004). 125# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 126# MASK:XXXX a literal mask value. 127# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 128string_mask = utf8only 129 130# req_extensions = v3_req # The extensions to add to a certificate request 131 132[ req_distinguished_name ] 133countryName = Country Name (2 letter code) 134countryName_default = AU 135countryName_min = 2 136countryName_max = 2 137 138stateOrProvinceName = State or Province Name (full name) 139stateOrProvinceName_default = Some-State 140 141localityName = Locality Name (eg, city) 142 1430.organizationName = Organization Name (eg, company) 1440.organizationName_default = Internet Widgits Pty Ltd 145 146# we can do this but it is not needed normally :-) 147#1.organizationName = Second Organization Name (eg, company) 148#1.organizationName_default = World Wide Web Pty Ltd 149 150organizationalUnitName = Organizational Unit Name (eg, section) 151#organizationalUnitName_default = 152 153commonName = Common Name (e.g. server FQDN or YOUR name) 154commonName_max = 64 155 156emailAddress = Email Address 157emailAddress_max = 64 158 159# SET-ex3 = SET extension number 3 160 161[ req_attributes ] 162challengePassword = A challenge password 163challengePassword_min = 4 164challengePassword_max = 20 165 166unstructuredName = An optional company name 167 168[ usr_cert ] 169 170# These extensions are added when 'ca' signs a request. 171 172# This goes against PKIX guidelines but some CAs do it and some software 173# requires this to avoid interpreting an end user certificate as a CA. 174 175basicConstraints=CA:FALSE 176 177# Here are some examples of the usage of nsCertType. If it is omitted 178# the certificate can be used for anything *except* object signing. 179 180# This is OK for an SSL server. 181# nsCertType = server 182 183# For an object signing certificate this would be used. 184# nsCertType = objsign 185 186# For normal client use this is typical 187# nsCertType = client, email 188 189# and for everything including object signing: 190# nsCertType = client, email, objsign 191 192# This is typical in keyUsage for a client certificate. 193# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 194 195# This will be displayed in Netscape's comment listbox. 196nsComment = "OpenSSL Generated Certificate" 197 198# PKIX recommendations harmless if included in all certificates. 199subjectKeyIdentifier=hash 200authorityKeyIdentifier=keyid,issuer 201 202# This stuff is for subjectAltName and issuerAltname. 203# Import the email address. 204# subjectAltName=email:copy 205# An alternative to produce certificates that aren't 206# deprecated according to PKIX. 207# subjectAltName=email:move 208 209# Copy subject details 210# issuerAltName=issuer:copy 211 212#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 213#nsBaseUrl 214#nsRevocationUrl 215#nsRenewalUrl 216#nsCaPolicyUrl 217#nsSslServerName 218 219# This is required for TSA certificates. 220# extendedKeyUsage = critical,timeStamping 221 222[ v3_req ] 223 224# Extensions to add to a certificate request 225 226basicConstraints = CA:FALSE 227keyUsage = nonRepudiation, digitalSignature, keyEncipherment 228 229[ v3_ca ] 230 231 232# Extensions for a typical CA 233 234 235# PKIX recommendation. 236 237subjectKeyIdentifier=hash 238 239authorityKeyIdentifier=keyid:always,issuer 240 241basicConstraints = critical,CA:true 242 243# Key usage: this is typical for a CA certificate. However since it will 244# prevent it being used as an test self-signed certificate it is best 245# left out by default. 246# keyUsage = cRLSign, keyCertSign 247 248# Some might want this also 249# nsCertType = sslCA, emailCA 250 251# Include email address in subject alt name: another PKIX recommendation 252# subjectAltName=email:copy 253# Copy issuer details 254# issuerAltName=issuer:copy 255 256# DER hex encoding of an extension: beware experts only! 257# obj=DER:02:03 258# Where 'obj' is a standard or added object 259# You can even override a supported extension: 260# basicConstraints= critical, DER:30:03:01:01:FF 261 262[ crl_ext ] 263 264# CRL extensions. 265# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 266 267# issuerAltName=issuer:copy 268authorityKeyIdentifier=keyid:always 269 270[ proxy_cert_ext ] 271# These extensions should be added when creating a proxy certificate 272 273# This goes against PKIX guidelines but some CAs do it and some software 274# requires this to avoid interpreting an end user certificate as a CA. 275 276basicConstraints=CA:FALSE 277 278# Here are some examples of the usage of nsCertType. If it is omitted 279# the certificate can be used for anything *except* object signing. 280 281# This is OK for an SSL server. 282# nsCertType = server 283 284# For an object signing certificate this would be used. 285# nsCertType = objsign 286 287# For normal client use this is typical 288# nsCertType = client, email 289 290# and for everything including object signing: 291# nsCertType = client, email, objsign 292 293# This is typical in keyUsage for a client certificate. 294# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 295 296# This will be displayed in Netscape's comment listbox. 297nsComment = "OpenSSL Generated Certificate" 298 299# PKIX recommendations harmless if included in all certificates. 300subjectKeyIdentifier=hash 301authorityKeyIdentifier=keyid,issuer 302 303# This stuff is for subjectAltName and issuerAltname. 304# Import the email address. 305# subjectAltName=email:copy 306# An alternative to produce certificates that aren't 307# deprecated according to PKIX. 308# subjectAltName=email:move 309 310# Copy subject details 311# issuerAltName=issuer:copy 312 313#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 314#nsBaseUrl 315#nsRevocationUrl 316#nsRenewalUrl 317#nsCaPolicyUrl 318#nsSslServerName 319 320# This really needs to be in place for it to be a proxy certificate. 321proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 322 323#################################################################### 324[ tsa ] 325 326default_tsa = tsa_config1 # the default TSA section 327 328[ tsa_config1 ] 329 330# These are used by the TSA reply generation only. 331dir = ./demoCA # TSA root directory 332serial = $dir/tsaserial # The current serial number (mandatory) 333crypto_device = builtin # OpenSSL engine to use for signing 334signer_cert = $dir/tsacert.pem # The TSA signing certificate 335 # (optional) 336certs = $dir/cacert.pem # Certificate chain to include in reply 337 # (optional) 338signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 339signer_digest = sha256 # Signing digest to use. (Optional) 340default_policy = tsa_policy1 # Policy if request did not specify it 341 # (optional) 342other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 343digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) 344accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 345clock_precision_digits = 0 # number of digits after dot. (optional) 346ordering = yes # Is ordering defined for timestamps? 347 # (optional, default: no) 348tsa_name = yes # Must the TSA name be included in the reply? 349 # (optional, default: no) 350ess_cert_id_chain = no # Must the ESS cert id chain be included? 351 # (optional, default: no) 352ess_cert_id_alg = sha1 # algorithm to compute certificate 353 # identifier (optional, default: sha1) 354