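#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Reviewed: the signing digest (default_md) and key size (default_bits)
# were raised from the legacy md5 / 1024 values to sha256 / 2048.
# Values of the form $ENV::NAME and $dir are expanded by the OpenSSL
# config parser; "#" starts a comment, including after a value.
#

RANDFILE = $ENV::HOME/.rnd
oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Digest used when signing issued certificates and CRLs.
# MD5 is collision-broken and must not be used for signatures;
# sha256 is the accepted minimum.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# RSA key size for newly generated keys; 1024-bit keys are
# considered too weak, 2048 is the accepted minimum.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_ca ]

# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# RAW DER hex encoding of an extension: beware experts only!
# 1.2.3.5=RAW:02:03
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always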