1###############################################################
2#
3#  Licensed to the Apache Software Foundation (ASF) under one
4#  or more contributor license agreements.  See the NOTICE file
5#  distributed with this work for additional information
6#  regarding copyright ownership.  The ASF licenses this file
7#  to you under the Apache License, Version 2.0 (the
8#  "License"); you may not use this file except in compliance
9#  with the License.  You may obtain a copy of the License at
10#
11#    http://www.apache.org/licenses/LICENSE-2.0
12#
13#  Unless required by applicable law or agreed to in writing,
14#  software distributed under the License is distributed on an
15#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16#  KIND, either express or implied.  See the License for the
17#  specific language governing permissions and limitations
18#  under the License.
19#
20###############################################################
21
22#
23# OpenSSL example configuration file.
24# This is mostly being used for generation of certificate requests.
25#
26
27# This definition stops the following lines choking if HOME isn't
28# defined.
29HOME			= .
30RANDFILE		= $ENV::HOME/.rnd
31
32# Extra OBJECT IDENTIFIER info:
33#oid_file		= $ENV::HOME/.oid
34oid_section		= new_oids
35
36# To use this configuration file with the "-extfile" option of the
37# "openssl x509" utility, name here the section containing the
38# X.509v3 extensions to use:
39# extensions		=
40# (Alternatively, use a configuration file that has only
41# X.509v3 extensions in its main [= default] section.)
42
43[ new_oids ]
44
45# We can add new OIDs in here for use by 'ca' and 'req'.
46# Add a simple OID like this:
47# testoid1=1.2.3.4
48# Or use config file substitution like this:
49# testoid2=${testoid1}.5.6
50
51####################################################################
52[ ca ]
53default_ca	= CA_default		# The default ca section
54
55####################################################################
56[ CA_default ]
57
58dir		= ./demoCA		# Where everything is kept
59certs		= $dir/certs		# Where the issued certs are kept
60crl_dir		= $dir/crl		# Where the issued crl are kept
61database	= $dir/index.txt	# database index file.
62#unique_subject	= no			# Set to 'no' to allow creation of
63					# several ctificates with same subject.
64new_certs_dir	= $dir/newcerts		# default place for new certs.
65
66certificate	= $dir/cacert.pem 	# The CA certificate
67serial		= $dir/serial	# The current serial number
68crlnumber	= $dir/crlnumber	# the current crl number
69					# must be commented out to leave a V1 CRL
70crl		= $dir/crl.pem 		# The current CRL
71private_key	= $dir/private/cakey.pem 	# The private key
72RANDFILE	= $dir/private/.rand	 	# private random number file
73
74x509_extensions	= usr_cert		# The extentions to add to the cert
75
76# Comment out the following two lines for the "traditional"
77# (and highly broken) format.
78name_opt 	= ca_default		# Subject Name options
79cert_opt 	= ca_default		# Certificate field options
80
81# Extension copying option: use with caution.
82# copy_extensions = copy
83
84# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
85# so this is commented out by default to leave a V1 CRL.
86# crlnumber must also be commented out to leave a V1 CRL.
87# crl_extensions	= crl_ext
88
89default_days	= 365			# how long to certify for
90default_crl_days= 30			# how long before next CRL
91default_md	= sha1			# which md to use.
92preserve	= no			# keep passed DN ordering
93
94# A few difference way of specifying how similar the request should look
95# For type CA, the listed attributes must be the same, and the optional
96# and supplied fields are just that :-)
97policy		= policy_match
98
99# For the CA policy
100[ policy_match ]
101countryName		= match
102stateOrProvinceName	= match
103organizationName	= match
104organizationalUnitName	= optional
105commonName		= supplied
106emailAddress		= optional
107
108# For the 'anything' policy
109# At this point in time, you must list all acceptable 'object'
110# types.
111[ policy_anything ]
112countryName		= optional
113stateOrProvinceName	= optional
114localityName		= optional
115organizationName	= optional
116organizationalUnitName	= optional
117commonName		= supplied
118emailAddress		= optional
119
120####################################################################
121[ req ]
122default_bits		= 1024
123default_keyfile 	= privkey.pem
124distinguished_name	= req_distinguished_name
125attributes		= req_attributes
126x509_extensions	= v3_ca	# The extentions to add to the self signed cert
127
128# Passwords for private keys if not present they will be prompted for
129# input_password = secret
130# output_password = secret
131
132# This sets a mask for permitted string types. There are several options.
133# default: PrintableString, T61String, BMPString.
134# pkix	 : PrintableString, BMPString.
135# utf8only: only UTF8Strings.
136# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
137# MASK:XXXX a literal mask value.
138# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
139# so use this option with caution!
140string_mask = nombstr
141
142# req_extensions = v3_req # The extensions to add to a certificate request
143
144[ req_distinguished_name ]
145countryName			= Country Name (2 letter code)
146countryName_default		= DE
147countryName_min			= 2
148countryName_max			= 2
149
150stateOrProvinceName		= State or Province Name (full name)
151stateOrProvinceName_default	= Hamburg
152
153localityName			= Locality Name (eg, city)
154
1550.organizationName		= Organization Name (eg, company)
1560.organizationName_default	= OpenOffice.org
157
158# we can do this but it is not needed normally :-)
159#1.organizationName		= Second Organization Name (eg, company)
160#1.organizationName_default	= World Wide Web Pty Ltd
161
162organizationalUnitName		= Organizational Unit Name (eg, section)
163organizationalUnitName_default	= Development
164
165commonName			= Common Name (eg, YOUR name)
166commonName_max			= 64
167
168emailAddress			= Email Address
169emailAddress_max		= 64
170
171# SET-ex3			= SET extension number 3
172
173[ req_attributes ]
174challengePassword		= A challenge password
175challengePassword_min		= 4
176challengePassword_max		= 20
177
178unstructuredName		= An optional company name
179
180[ usr_cert ]
181
182# These extensions are added when 'ca' signs a request.
183#authorityInfoAccess = OCSP;URI:http://localhost:8888/
184crlDistributionPoints=URI:http://localhost:8902/demoCA/crl/Sub_CA_1_Root_5.crl
185# This is typical in keyUsage for a client certificate.
186keyUsage = nonRepudiation, digitalSignature, keyEncipherment
187
188# This will be displayed in Netscape's comment listbox.
189#nsComment			= "OpenSSL Generated Certificate"
190
191# PKIX recommendations harmless if included in all certificates.
192subjectKeyIdentifier=hash
193authorityKeyIdentifier=keyid,issuer
194
195# This stuff is for subjectAltName and issuerAltname.
196# Import the email address.
197# subjectAltName=email:copy
198# An alternative to produce certificates that aren't
199# deprecated according to PKIX.
200# subjectAltName=email:move
201
202# Copy subject details
203# issuerAltName=issuer:copy
204
205
206
207[ v3_req ]
208
209# Extensions to add to a certificate request
210
211basicConstraints = CA:FALSE
212keyUsage = nonRepudiation, digitalSignature, keyEncipherment
213#authorityInfoAccess = OCSP;URI:http://localhost:8888/
214
215[ v3_ca ]
216
217
218# Extensions for a typical CA
219
220
221# PKIX recommendation.
222
223subjectKeyIdentifier=hash
224
225authorityKeyIdentifier=keyid:always,issuer:always
226
227#authorityInfoAccess = OCSP;URI:http://localhost:8888
228#crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Test_CA_2009.2.crl
229# This is what PKIX recommends but some broken software chokes on critical
230# extensions.
231#basicConstraints = critical,CA:true
232# So we do this instead.
233basicConstraints = critical, CA:true
234
235# Key usage: this is typical for a CA certificate. However since it will
236# prevent it being used as an test self-signed certificate it is best
237# left out by default.
238# keyUsage = cRLSign, keyCertSign
239
240# Some might want this also
241# nsCertType = sslCA, emailCA
242
243# Include email address in subject alt name: another PKIX recommendation
244# subjectAltName=email:copy
245# Copy issuer details
246# issuerAltName=issuer:copy
247
248# DER hex encoding of an extension: beware experts only!
249# obj=DER:02:03
250# Where 'obj' is a standard or added object
251# You can even override a supported extension:
252# basicConstraints= critical, DER:30:03:01:01:FF
253
254[ crl_ext ]
255
256# CRL extensions.
257# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
258
259# issuerAltName=issuer:copy
260authorityKeyIdentifier=keyid:always,issuer:always
261
262[ proxy_cert_ext ]
263# These extensions should be added when creating a proxy certificate
264
265# This goes against PKIX guidelines but some CAs do it and some software
266# requires this to avoid interpreting an end user certificate as a CA.
267
268basicConstraints=CA:FALSE
269
270# Here are some examples of the usage of nsCertType. If it is omitted
271# the certificate can be used for anything *except* object signing.
272
273# This is OK for an SSL server.
274# nsCertType			= server
275
276# For an object signing certificate this would be used.
277# nsCertType = objsign
278
279# For normal client use this is typical
280# nsCertType = client, email
281
282# and for everything including object signing:
283# nsCertType = client, email, objsign
284
285# This is typical in keyUsage for a client certificate.
286# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
287
288# This will be displayed in Netscape's comment listbox.
289nsComment			= "OpenSSL Generated Certificate"
290
291# PKIX recommendations harmless if included in all certificates.
292subjectKeyIdentifier=hash
293authorityKeyIdentifier=keyid,issuer:always
294
295# This stuff is for subjectAltName and issuerAltname.
296# Import the email address.
297# subjectAltName=email:copy
298# An alternative to produce certificates that aren't
299# deprecated according to PKIX.
300# subjectAltName=email:move
301
302# Copy subject details
303# issuerAltName=issuer:copy
304
305#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
306#nsBaseUrl
307#nsRevocationUrl
308#nsRenewalUrl
309#nsCaPolicyUrl
310#nsSslServerName
311
312# This really needs to be in place for it to be a proxy certificate.
313proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
314