1# $FreeBSD$ 2# 3# OpenSSL example configuration file. 4# This is mostly being used for generation of certificate requests. 5# 6 7# Note that you can include other files from the main configuration 8# file using the .include directive. 9#.include filename 10 11# This definition stops the following lines choking if HOME isn't 12# defined. 13HOME = . 14 15# Extra OBJECT IDENTIFIER info: 16#oid_file = $ENV::HOME/.oid 17oid_section = new_oids 18 19# To use this configuration file with the "-extfile" option of the 20# "openssl x509" utility, name here the section containing the 21# X.509v3 extensions to use: 22# extensions = 23# (Alternatively, use a configuration file that has only 24# X.509v3 extensions in its main [= default] section.) 25 26[ new_oids ] 27 28# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 29# Add a simple OID like this: 30# testoid1=1.2.3.4 31# Or use config file substitution like this: 32# testoid2=${testoid1}.5.6 33 34# Policies used by the TSA examples. 35tsa_policy1 = 1.2.3.4.1 36tsa_policy2 = 1.2.3.4.5.6 37tsa_policy3 = 1.2.3.4.5.7 38 39#################################################################### 40[ ca ] 41default_ca = CA_default # The default ca section 42 43#################################################################### 44[ CA_default ] 45 46dir = ./demoCA # Where everything is kept 47certs = $dir/certs # Where the issued certs are kept 48crl_dir = $dir/crl # Where the issued crl are kept 49database = $dir/index.txt # database index file. 50#unique_subject = no # Set to 'no' to allow creation of 51 # several certs with same subject. 52new_certs_dir = $dir/newcerts # default place for new certs. 53 54certificate = $dir/cacert.pem # The CA certificate 55serial = $dir/serial # The current serial number 56crlnumber = $dir/crlnumber # the current crl number 57 # must be commented out to leave a V1 CRL 58crl = $dir/crl.pem # The current CRL 59private_key = $dir/private/cakey.pem# The private key 60 61x509_extensions = usr_cert # The extensions to add to the cert 62 63# Comment out the following two lines for the "traditional" 64# (and highly broken) format. 65name_opt = ca_default # Subject Name options 66cert_opt = ca_default # Certificate field options 67 68# Extension copying option: use with caution. 69# copy_extensions = copy 70 71# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 72# so this is commented out by default to leave a V1 CRL. 73# crlnumber must also be commented out to leave a V1 CRL. 74# crl_extensions = crl_ext 75 76default_days = 365 # how long to certify for 77default_crl_days= 30 # how long before next CRL 78default_md = default # use public key default MD 79preserve = no # keep passed DN ordering 80 81# A few difference way of specifying how similar the request should look 82# For type CA, the listed attributes must be the same, and the optional 83# and supplied fields are just that :-) 84policy = policy_match 85 86# For the CA policy 87[ policy_match ] 88countryName = match 89stateOrProvinceName = match 90organizationName = match 91organizationalUnitName = optional 92commonName = supplied 93emailAddress = optional 94 95# For the 'anything' policy 96# At this point in time, you must list all acceptable 'object' 97# types. 98[ policy_anything ] 99countryName = optional 100stateOrProvinceName = optional 101localityName = optional 102organizationName = optional 103organizationalUnitName = optional 104commonName = supplied 105emailAddress = optional 106 107#################################################################### 108[ req ] 109default_bits = 2048 110default_keyfile = privkey.pem 111distinguished_name = req_distinguished_name 112attributes = req_attributes 113x509_extensions = v3_ca # The extensions to add to the self signed cert 114 115# Passwords for private keys if not present they will be prompted for 116# input_password = secret 117# output_password = secret 118 119# This sets a mask for permitted string types. There are several options. 120# default: PrintableString, T61String, BMPString. 121# pkix : PrintableString, BMPString (PKIX recommendation before 2004) 122# utf8only: only UTF8Strings (PKIX recommendation after 2004). 123# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 124# MASK:XXXX a literal mask value. 125# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 126string_mask = utf8only 127 128# req_extensions = v3_req # The extensions to add to a certificate request 129 130[ req_distinguished_name ] 131countryName = Country Name (2 letter code) 132countryName_default = AU 133countryName_min = 2 134countryName_max = 2 135 136stateOrProvinceName = State or Province Name (full name) 137stateOrProvinceName_default = Some-State 138 139localityName = Locality Name (eg, city) 140 1410.organizationName = Organization Name (eg, company) 1420.organizationName_default = Internet Widgits Pty Ltd 143 144# we can do this but it is not needed normally :-) 145#1.organizationName = Second Organization Name (eg, company) 146#1.organizationName_default = World Wide Web Pty Ltd 147 148organizationalUnitName = Organizational Unit Name (eg, section) 149#organizationalUnitName_default = 150 151commonName = Common Name (e.g. server FQDN or YOUR name) 152commonName_max = 64 153 154emailAddress = Email Address 155emailAddress_max = 64 156 157# SET-ex3 = SET extension number 3 158 159[ req_attributes ] 160challengePassword = A challenge password 161challengePassword_min = 4 162challengePassword_max = 20 163 164unstructuredName = An optional company name 165 166[ usr_cert ] 167 168# These extensions are added when 'ca' signs a request. 169 170# This goes against PKIX guidelines but some CAs do it and some software 171# requires this to avoid interpreting an end user certificate as a CA. 172 173basicConstraints=CA:FALSE 174 175# Here are some examples of the usage of nsCertType. If it is omitted 176# the certificate can be used for anything *except* object signing. 177 178# This is OK for an SSL server. 179# nsCertType = server 180 181# For an object signing certificate this would be used. 182# nsCertType = objsign 183 184# For normal client use this is typical 185# nsCertType = client, email 186 187# and for everything including object signing: 188# nsCertType = client, email, objsign 189 190# This is typical in keyUsage for a client certificate. 191# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 192 193# This will be displayed in Netscape's comment listbox. 194nsComment = "OpenSSL Generated Certificate" 195 196# PKIX recommendations harmless if included in all certificates. 197subjectKeyIdentifier=hash 198authorityKeyIdentifier=keyid,issuer 199 200# This stuff is for subjectAltName and issuerAltname. 201# Import the email address. 202# subjectAltName=email:copy 203# An alternative to produce certificates that aren't 204# deprecated according to PKIX. 205# subjectAltName=email:move 206 207# Copy subject details 208# issuerAltName=issuer:copy 209 210#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 211#nsBaseUrl 212#nsRevocationUrl 213#nsRenewalUrl 214#nsCaPolicyUrl 215#nsSslServerName 216 217# This is required for TSA certificates. 218# extendedKeyUsage = critical,timeStamping 219 220[ v3_req ] 221 222# Extensions to add to a certificate request 223 224basicConstraints = CA:FALSE 225keyUsage = nonRepudiation, digitalSignature, keyEncipherment 226 227[ v3_ca ] 228 229 230# Extensions for a typical CA 231 232 233# PKIX recommendation. 234 235subjectKeyIdentifier=hash 236 237authorityKeyIdentifier=keyid:always,issuer 238 239basicConstraints = critical,CA:true 240 241# Key usage: this is typical for a CA certificate. However since it will 242# prevent it being used as an test self-signed certificate it is best 243# left out by default. 244# keyUsage = cRLSign, keyCertSign 245 246# Some might want this also 247# nsCertType = sslCA, emailCA 248 249# Include email address in subject alt name: another PKIX recommendation 250# subjectAltName=email:copy 251# Copy issuer details 252# issuerAltName=issuer:copy 253 254# DER hex encoding of an extension: beware experts only! 255# obj=DER:02:03 256# Where 'obj' is a standard or added object 257# You can even override a supported extension: 258# basicConstraints= critical, DER:30:03:01:01:FF 259 260[ crl_ext ] 261 262# CRL extensions. 263# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 264 265# issuerAltName=issuer:copy 266authorityKeyIdentifier=keyid:always 267 268[ proxy_cert_ext ] 269# These extensions should be added when creating a proxy certificate 270 271# This goes against PKIX guidelines but some CAs do it and some software 272# requires this to avoid interpreting an end user certificate as a CA. 273 274basicConstraints=CA:FALSE 275 276# Here are some examples of the usage of nsCertType. If it is omitted 277# the certificate can be used for anything *except* object signing. 278 279# This is OK for an SSL server. 280# nsCertType = server 281 282# For an object signing certificate this would be used. 283# nsCertType = objsign 284 285# For normal client use this is typical 286# nsCertType = client, email 287 288# and for everything including object signing: 289# nsCertType = client, email, objsign 290 291# This is typical in keyUsage for a client certificate. 292# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 293 294# This will be displayed in Netscape's comment listbox. 295nsComment = "OpenSSL Generated Certificate" 296 297# PKIX recommendations harmless if included in all certificates. 298subjectKeyIdentifier=hash 299authorityKeyIdentifier=keyid,issuer 300 301# This stuff is for subjectAltName and issuerAltname. 302# Import the email address. 303# subjectAltName=email:copy 304# An alternative to produce certificates that aren't 305# deprecated according to PKIX. 306# subjectAltName=email:move 307 308# Copy subject details 309# issuerAltName=issuer:copy 310 311#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 312#nsBaseUrl 313#nsRevocationUrl 314#nsRenewalUrl 315#nsCaPolicyUrl 316#nsSslServerName 317 318# This really needs to be in place for it to be a proxy certificate. 319proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 320 321#################################################################### 322[ tsa ] 323 324default_tsa = tsa_config1 # the default TSA section 325 326[ tsa_config1 ] 327 328# These are used by the TSA reply generation only. 329dir = ./demoCA # TSA root directory 330serial = $dir/tsaserial # The current serial number (mandatory) 331crypto_device = builtin # OpenSSL engine to use for signing 332signer_cert = $dir/tsacert.pem # The TSA signing certificate 333 # (optional) 334certs = $dir/cacert.pem # Certificate chain to include in reply 335 # (optional) 336signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 337signer_digest = sha256 # Signing digest to use. (Optional) 338default_policy = tsa_policy1 # Policy if request did not specify it 339 # (optional) 340other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 341digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) 342accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 343clock_precision_digits = 0 # number of digits after dot. (optional) 344ordering = yes # Is ordering defined for timestamps? 345 # (optional, default: no) 346tsa_name = yes # Must the TSA name be included in the reply? 347 # (optional, default: no) 348ess_cert_id_chain = no # Must the ESS cert id chain be included? 349 # (optional, default: no) 350ess_cert_id_alg = sha1 # algorithm to compute certificate 351 # identifier (optional, default: sha1) 352