xref: /freebsd/crypto/openssl/apps/openssl.cnf (revision 8ddb146abcdf061be9f2c0db7e391697dafad85c)
1# $FreeBSD$
2#
3# OpenSSL example configuration file.
4# This is mostly being used for generation of certificate requests.
5#
6
7# Note that you can include other files from the main configuration
8# file using the .include directive.
9#.include filename
10
11# This definition stops the following lines choking if HOME isn't
12# defined.
13HOME			= .
14
15# Extra OBJECT IDENTIFIER info:
16#oid_file		= $ENV::HOME/.oid
17oid_section		= new_oids
18
19# To use this configuration file with the "-extfile" option of the
20# "openssl x509" utility, name here the section containing the
21# X.509v3 extensions to use:
22# extensions		=
23# (Alternatively, use a configuration file that has only
24# X.509v3 extensions in its main [= default] section.)
25
26[ new_oids ]
27
28# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
29# Add a simple OID like this:
30# testoid1=1.2.3.4
31# Or use config file substitution like this:
32# testoid2=${testoid1}.5.6
33
34# Policies used by the TSA examples.
35tsa_policy1 = 1.2.3.4.1
36tsa_policy2 = 1.2.3.4.5.6
37tsa_policy3 = 1.2.3.4.5.7
38
39####################################################################
40[ ca ]
41default_ca	= CA_default		# The default ca section
42
43####################################################################
44[ CA_default ]
45
46dir		= ./demoCA		# Where everything is kept
47certs		= $dir/certs		# Where the issued certs are kept
48crl_dir		= $dir/crl		# Where the issued crl are kept
49database	= $dir/index.txt	# database index file.
50#unique_subject	= no			# Set to 'no' to allow creation of
51					# several certs with same subject.
52new_certs_dir	= $dir/newcerts		# default place for new certs.
53
54certificate	= $dir/cacert.pem 	# The CA certificate
55serial		= $dir/serial 		# The current serial number
56crlnumber	= $dir/crlnumber	# the current crl number
57					# must be commented out to leave a V1 CRL
58crl		= $dir/crl.pem 		# The current CRL
59private_key	= $dir/private/cakey.pem# The private key
60
61x509_extensions	= usr_cert		# The extensions to add to the cert
62
63# Comment out the following two lines for the "traditional"
64# (and highly broken) format.
65name_opt 	= ca_default		# Subject Name options
66cert_opt 	= ca_default		# Certificate field options
67
68# Extension copying option: use with caution.
69# copy_extensions = copy
70
71# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
72# so this is commented out by default to leave a V1 CRL.
73# crlnumber must also be commented out to leave a V1 CRL.
74# crl_extensions	= crl_ext
75
76default_days	= 365			# how long to certify for
77default_crl_days= 30			# how long before next CRL
78default_md	= default		# use public key default MD
79preserve	= no			# keep passed DN ordering
80
81# A few difference way of specifying how similar the request should look
82# For type CA, the listed attributes must be the same, and the optional
83# and supplied fields are just that :-)
84policy		= policy_match
85
86# For the CA policy
87[ policy_match ]
88countryName		= match
89stateOrProvinceName	= match
90organizationName	= match
91organizationalUnitName	= optional
92commonName		= supplied
93emailAddress		= optional
94
95# For the 'anything' policy
96# At this point in time, you must list all acceptable 'object'
97# types.
98[ policy_anything ]
99countryName		= optional
100stateOrProvinceName	= optional
101localityName		= optional
102organizationName	= optional
103organizationalUnitName	= optional
104commonName		= supplied
105emailAddress		= optional
106
107####################################################################
108[ req ]
109default_bits		= 2048
110default_keyfile 	= privkey.pem
111distinguished_name	= req_distinguished_name
112attributes		= req_attributes
113x509_extensions	= v3_ca	# The extensions to add to the self signed cert
114
115# Passwords for private keys if not present they will be prompted for
116# input_password = secret
117# output_password = secret
118
119# This sets a mask for permitted string types. There are several options.
120# default: PrintableString, T61String, BMPString.
121# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
122# utf8only: only UTF8Strings (PKIX recommendation after 2004).
123# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
124# MASK:XXXX a literal mask value.
125# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
126string_mask = utf8only
127
128# req_extensions = v3_req # The extensions to add to a certificate request
129
130[ req_distinguished_name ]
131countryName			= Country Name (2 letter code)
132countryName_default		= AU
133countryName_min			= 2
134countryName_max			= 2
135
136stateOrProvinceName		= State or Province Name (full name)
137stateOrProvinceName_default	= Some-State
138
139localityName			= Locality Name (eg, city)
140
1410.organizationName		= Organization Name (eg, company)
1420.organizationName_default	= Internet Widgits Pty Ltd
143
144# we can do this but it is not needed normally :-)
145#1.organizationName		= Second Organization Name (eg, company)
146#1.organizationName_default	= World Wide Web Pty Ltd
147
148organizationalUnitName		= Organizational Unit Name (eg, section)
149#organizationalUnitName_default	=
150
151commonName			= Common Name (e.g. server FQDN or YOUR name)
152commonName_max			= 64
153
154emailAddress			= Email Address
155emailAddress_max		= 64
156
157# SET-ex3			= SET extension number 3
158
159[ req_attributes ]
160challengePassword		= A challenge password
161challengePassword_min		= 4
162challengePassword_max		= 20
163
164unstructuredName		= An optional company name
165
166[ usr_cert ]
167
168# These extensions are added when 'ca' signs a request.
169
170# This goes against PKIX guidelines but some CAs do it and some software
171# requires this to avoid interpreting an end user certificate as a CA.
172
173basicConstraints=CA:FALSE
174
175# Here are some examples of the usage of nsCertType. If it is omitted
176# the certificate can be used for anything *except* object signing.
177
178# This is OK for an SSL server.
179# nsCertType			= server
180
181# For an object signing certificate this would be used.
182# nsCertType = objsign
183
184# For normal client use this is typical
185# nsCertType = client, email
186
187# and for everything including object signing:
188# nsCertType = client, email, objsign
189
190# This is typical in keyUsage for a client certificate.
191# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
192
193# This will be displayed in Netscape's comment listbox.
194nsComment			= "OpenSSL Generated Certificate"
195
196# PKIX recommendations harmless if included in all certificates.
197subjectKeyIdentifier=hash
198authorityKeyIdentifier=keyid,issuer
199
200# This stuff is for subjectAltName and issuerAltname.
201# Import the email address.
202# subjectAltName=email:copy
203# An alternative to produce certificates that aren't
204# deprecated according to PKIX.
205# subjectAltName=email:move
206
207# Copy subject details
208# issuerAltName=issuer:copy
209
210#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
211#nsBaseUrl
212#nsRevocationUrl
213#nsRenewalUrl
214#nsCaPolicyUrl
215#nsSslServerName
216
217# This is required for TSA certificates.
218# extendedKeyUsage = critical,timeStamping
219
220[ v3_req ]
221
222# Extensions to add to a certificate request
223
224basicConstraints = CA:FALSE
225keyUsage = nonRepudiation, digitalSignature, keyEncipherment
226
227[ v3_ca ]
228
229
230# Extensions for a typical CA
231
232
233# PKIX recommendation.
234
235subjectKeyIdentifier=hash
236
237authorityKeyIdentifier=keyid:always,issuer
238
239basicConstraints = critical,CA:true
240
241# Key usage: this is typical for a CA certificate. However since it will
242# prevent it being used as an test self-signed certificate it is best
243# left out by default.
244# keyUsage = cRLSign, keyCertSign
245
246# Some might want this also
247# nsCertType = sslCA, emailCA
248
249# Include email address in subject alt name: another PKIX recommendation
250# subjectAltName=email:copy
251# Copy issuer details
252# issuerAltName=issuer:copy
253
254# DER hex encoding of an extension: beware experts only!
255# obj=DER:02:03
256# Where 'obj' is a standard or added object
257# You can even override a supported extension:
258# basicConstraints= critical, DER:30:03:01:01:FF
259
260[ crl_ext ]
261
262# CRL extensions.
263# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
264
265# issuerAltName=issuer:copy
266authorityKeyIdentifier=keyid:always
267
268[ proxy_cert_ext ]
269# These extensions should be added when creating a proxy certificate
270
271# This goes against PKIX guidelines but some CAs do it and some software
272# requires this to avoid interpreting an end user certificate as a CA.
273
274basicConstraints=CA:FALSE
275
276# Here are some examples of the usage of nsCertType. If it is omitted
277# the certificate can be used for anything *except* object signing.
278
279# This is OK for an SSL server.
280# nsCertType			= server
281
282# For an object signing certificate this would be used.
283# nsCertType = objsign
284
285# For normal client use this is typical
286# nsCertType = client, email
287
288# and for everything including object signing:
289# nsCertType = client, email, objsign
290
291# This is typical in keyUsage for a client certificate.
292# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
293
294# This will be displayed in Netscape's comment listbox.
295nsComment			= "OpenSSL Generated Certificate"
296
297# PKIX recommendations harmless if included in all certificates.
298subjectKeyIdentifier=hash
299authorityKeyIdentifier=keyid,issuer
300
301# This stuff is for subjectAltName and issuerAltname.
302# Import the email address.
303# subjectAltName=email:copy
304# An alternative to produce certificates that aren't
305# deprecated according to PKIX.
306# subjectAltName=email:move
307
308# Copy subject details
309# issuerAltName=issuer:copy
310
311#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
312#nsBaseUrl
313#nsRevocationUrl
314#nsRenewalUrl
315#nsCaPolicyUrl
316#nsSslServerName
317
318# This really needs to be in place for it to be a proxy certificate.
319proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
320
321####################################################################
322[ tsa ]
323
324default_tsa = tsa_config1	# the default TSA section
325
326[ tsa_config1 ]
327
328# These are used by the TSA reply generation only.
329dir		= ./demoCA		# TSA root directory
330serial		= $dir/tsaserial	# The current serial number (mandatory)
331crypto_device	= builtin		# OpenSSL engine to use for signing
332signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
333					# (optional)
334certs		= $dir/cacert.pem	# Certificate chain to include in reply
335					# (optional)
336signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
337signer_digest  = sha256			# Signing digest to use. (Optional)
338default_policy	= tsa_policy1		# Policy if request did not specify it
339					# (optional)
340other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
341digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
342accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
343clock_precision_digits  = 0	# number of digits after dot. (optional)
344ordering		= yes	# Is ordering defined for timestamps?
345				# (optional, default: no)
346tsa_name		= yes	# Must the TSA name be included in the reply?
347				# (optional, default: no)
348ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
349				# (optional, default: no)
350ess_cert_id_alg		= sha1	# algorithm to compute certificate
351				# identifier (optional, default: sha1)
352