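#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by the OpenSSL CONF parser, not a generic INI reader:
#   - '#' starts a comment, also after a value on the same line
#   - $name / ${name} expand to an earlier key of the same section,
#     $ENV::NAME expands to an environment variable
#   - spaces inside '[ section ]' headers are ignored
#
# $FreeBSD$

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
# The CA signing key: keep $dir/private readable by the CA operator only.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Digest used for CA signatures on certificates and CRLs. MD5 is
# collision-broken and lets a requester forge a certificate with the
# same signature, so it must not be used here; SHA-256 is the baseline.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# RSA key size for 'req -newkey' when none is given on the command line.
# 1024-bit RSA is below the accepted minimum; 2048 is the smallest that
# should be generated today.
default_bits = 2048
default_keyfile = privkey.pem
# Digest for self-signed certificates and request signatures; matches
# the CA section above.
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for.
# Setting them here stores the password in this plain-text file, so
# prompting is preferable.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always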