1# $FreeBSD$ 2# 3# OpenSSL example configuration file. 4# This is mostly being used for generation of certificate requests. 5# 6 7# This definition stops the following lines choking if HOME isn't 8# defined. 9HOME = . 10RANDFILE = $ENV::HOME/.rnd 11 12# Extra OBJECT IDENTIFIER info: 13#oid_file = $ENV::HOME/.oid 14oid_section = new_oids 15 16# To use this configuration file with the "-extfile" option of the 17# "openssl x509" utility, name here the section containing the 18# X.509v3 extensions to use: 19# extensions = 20# (Alternatively, use a configuration file that has only 21# X.509v3 extensions in its main [= default] section.) 22 23[ new_oids ] 24 25# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 26# Add a simple OID like this: 27# testoid1=1.2.3.4 28# Or use config file substitution like this: 29# testoid2=${testoid1}.5.6 30 31# Policies used by the TSA examples. 32tsa_policy1 = 1.2.3.4.1 33tsa_policy2 = 1.2.3.4.5.6 34tsa_policy3 = 1.2.3.4.5.7 35 36#################################################################### 37[ ca ] 38default_ca = CA_default # The default ca section 39 40#################################################################### 41[ CA_default ] 42 43dir = ./demoCA # Where everything is kept 44certs = $dir/certs # Where the issued certs are kept 45crl_dir = $dir/crl # Where the issued crl are kept 46database = $dir/index.txt # database index file. 47#unique_subject = no # Set to 'no' to allow creation of 48 # several ctificates with same subject. 49new_certs_dir = $dir/newcerts # default place for new certs. 50 51certificate = $dir/cacert.pem # The CA certificate 52serial = $dir/serial # The current serial number 53crlnumber = $dir/crlnumber # the current crl number 54 # must be commented out to leave a V1 CRL 55crl = $dir/crl.pem # The current CRL 56private_key = $dir/private/cakey.pem# The private key 57RANDFILE = $dir/private/.rand # private random number file 58 59x509_extensions = usr_cert # The extentions to add to the cert 60 61# Comment out the following two lines for the "traditional" 62# (and highly broken) format. 63name_opt = ca_default # Subject Name options 64cert_opt = ca_default # Certificate field options 65 66# Extension copying option: use with caution. 67# copy_extensions = copy 68 69# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 70# so this is commented out by default to leave a V1 CRL. 71# crlnumber must also be commented out to leave a V1 CRL. 72# crl_extensions = crl_ext 73 74default_days = 365 # how long to certify for 75default_crl_days= 30 # how long before next CRL 76default_md = default # use public key default MD 77preserve = no # keep passed DN ordering 78 79# A few difference way of specifying how similar the request should look 80# For type CA, the listed attributes must be the same, and the optional 81# and supplied fields are just that :-) 82policy = policy_match 83 84# For the CA policy 85[ policy_match ] 86countryName = match 87stateOrProvinceName = match 88organizationName = match 89organizationalUnitName = optional 90commonName = supplied 91emailAddress = optional 92 93# For the 'anything' policy 94# At this point in time, you must list all acceptable 'object' 95# types. 96[ policy_anything ] 97countryName = optional 98stateOrProvinceName = optional 99localityName = optional 100organizationName = optional 101organizationalUnitName = optional 102commonName = supplied 103emailAddress = optional 104 105#################################################################### 106[ req ] 107default_bits = 1024 108default_keyfile = privkey.pem 109distinguished_name = req_distinguished_name 110attributes = req_attributes 111x509_extensions = v3_ca # The extentions to add to the self signed cert 112 113# Passwords for private keys if not present they will be prompted for 114# input_password = secret 115# output_password = secret 116 117# This sets a mask for permitted string types. There are several options. 118# default: PrintableString, T61String, BMPString. 119# pkix : PrintableString, BMPString (PKIX recommendation before 2004) 120# utf8only: only UTF8Strings (PKIX recommendation after 2004). 121# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 122# MASK:XXXX a literal mask value. 123# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 124string_mask = utf8only 125 126# req_extensions = v3_req # The extensions to add to a certificate request 127 128[ req_distinguished_name ] 129countryName = Country Name (2 letter code) 130countryName_default = AU 131countryName_min = 2 132countryName_max = 2 133 134stateOrProvinceName = State or Province Name (full name) 135stateOrProvinceName_default = Some-State 136 137localityName = Locality Name (eg, city) 138 1390.organizationName = Organization Name (eg, company) 1400.organizationName_default = Internet Widgits Pty Ltd 141 142# we can do this but it is not needed normally :-) 143#1.organizationName = Second Organization Name (eg, company) 144#1.organizationName_default = World Wide Web Pty Ltd 145 146organizationalUnitName = Organizational Unit Name (eg, section) 147#organizationalUnitName_default = 148 149commonName = Common Name (e.g. server FQDN or YOUR name) 150commonName_max = 64 151 152emailAddress = Email Address 153emailAddress_max = 64 154 155# SET-ex3 = SET extension number 3 156 157[ req_attributes ] 158challengePassword = A challenge password 159challengePassword_min = 4 160challengePassword_max = 20 161 162unstructuredName = An optional company name 163 164[ usr_cert ] 165 166# These extensions are added when 'ca' signs a request. 167 168# This goes against PKIX guidelines but some CAs do it and some software 169# requires this to avoid interpreting an end user certificate as a CA. 170 171basicConstraints=CA:FALSE 172 173# Here are some examples of the usage of nsCertType. If it is omitted 174# the certificate can be used for anything *except* object signing. 175 176# This is OK for an SSL server. 177# nsCertType = server 178 179# For an object signing certificate this would be used. 180# nsCertType = objsign 181 182# For normal client use this is typical 183# nsCertType = client, email 184 185# and for everything including object signing: 186# nsCertType = client, email, objsign 187 188# This is typical in keyUsage for a client certificate. 189# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 190 191# This will be displayed in Netscape's comment listbox. 192nsComment = "OpenSSL Generated Certificate" 193 194# PKIX recommendations harmless if included in all certificates. 195subjectKeyIdentifier=hash 196authorityKeyIdentifier=keyid,issuer 197 198# This stuff is for subjectAltName and issuerAltname. 199# Import the email address. 200# subjectAltName=email:copy 201# An alternative to produce certificates that aren't 202# deprecated according to PKIX. 203# subjectAltName=email:move 204 205# Copy subject details 206# issuerAltName=issuer:copy 207 208#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 209#nsBaseUrl 210#nsRevocationUrl 211#nsRenewalUrl 212#nsCaPolicyUrl 213#nsSslServerName 214 215# This is required for TSA certificates. 216# extendedKeyUsage = critical,timeStamping 217 218[ v3_req ] 219 220# Extensions to add to a certificate request 221 222basicConstraints = CA:FALSE 223keyUsage = nonRepudiation, digitalSignature, keyEncipherment 224 225[ v3_ca ] 226 227 228# Extensions for a typical CA 229 230 231# PKIX recommendation. 232 233subjectKeyIdentifier=hash 234 235authorityKeyIdentifier=keyid:always,issuer 236 237# This is what PKIX recommends but some broken software chokes on critical 238# extensions. 239#basicConstraints = critical,CA:true 240# So we do this instead. 241basicConstraints = CA:true 242 243# Key usage: this is typical for a CA certificate. However since it will 244# prevent it being used as an test self-signed certificate it is best 245# left out by default. 246# keyUsage = cRLSign, keyCertSign 247 248# Some might want this also 249# nsCertType = sslCA, emailCA 250 251# Include email address in subject alt name: another PKIX recommendation 252# subjectAltName=email:copy 253# Copy issuer details 254# issuerAltName=issuer:copy 255 256# DER hex encoding of an extension: beware experts only! 257# obj=DER:02:03 258# Where 'obj' is a standard or added object 259# You can even override a supported extension: 260# basicConstraints= critical, DER:30:03:01:01:FF 261 262[ crl_ext ] 263 264# CRL extensions. 265# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 266 267# issuerAltName=issuer:copy 268authorityKeyIdentifier=keyid:always 269 270[ proxy_cert_ext ] 271# These extensions should be added when creating a proxy certificate 272 273# This goes against PKIX guidelines but some CAs do it and some software 274# requires this to avoid interpreting an end user certificate as a CA. 275 276basicConstraints=CA:FALSE 277 278# Here are some examples of the usage of nsCertType. If it is omitted 279# the certificate can be used for anything *except* object signing. 280 281# This is OK for an SSL server. 282# nsCertType = server 283 284# For an object signing certificate this would be used. 285# nsCertType = objsign 286 287# For normal client use this is typical 288# nsCertType = client, email 289 290# and for everything including object signing: 291# nsCertType = client, email, objsign 292 293# This is typical in keyUsage for a client certificate. 294# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 295 296# This will be displayed in Netscape's comment listbox. 297nsComment = "OpenSSL Generated Certificate" 298 299# PKIX recommendations harmless if included in all certificates. 300subjectKeyIdentifier=hash 301authorityKeyIdentifier=keyid,issuer 302 303# This stuff is for subjectAltName and issuerAltname. 304# Import the email address. 305# subjectAltName=email:copy 306# An alternative to produce certificates that aren't 307# deprecated according to PKIX. 308# subjectAltName=email:move 309 310# Copy subject details 311# issuerAltName=issuer:copy 312 313#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 314#nsBaseUrl 315#nsRevocationUrl 316#nsRenewalUrl 317#nsCaPolicyUrl 318#nsSslServerName 319 320# This really needs to be in place for it to be a proxy certificate. 321proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 322 323#################################################################### 324[ tsa ] 325 326default_tsa = tsa_config1 # the default TSA section 327 328[ tsa_config1 ] 329 330# These are used by the TSA reply generation only. 331dir = ./demoCA # TSA root directory 332serial = $dir/tsaserial # The current serial number (mandatory) 333crypto_device = builtin # OpenSSL engine to use for signing 334signer_cert = $dir/tsacert.pem # The TSA signing certificate 335 # (optional) 336certs = $dir/cacert.pem # Certificate chain to include in reply 337 # (optional) 338signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 339 340default_policy = tsa_policy1 # Policy if request did not specify it 341 # (optional) 342other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 343digests = md5, sha1 # Acceptable message digests (mandatory) 344accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 345clock_precision_digits = 0 # number of digits after dot. (optional) 346ordering = yes # Is ordering defined for timestamps? 347 # (optional, default: no) 348tsa_name = yes # Must the TSA name be included in the reply? 349 # (optional, default: no) 350ess_cert_id_chain = no # Must the ESS cert id chain be included? 351 # (optional, default: no) 352