###############################################################
#
#  Licensed to the Apache Software Foundation (ASF) under one
#  or more contributor license agreements.  See the NOTICE file
#  distributed with this work for additional information
#  regarding copyright ownership.  The ASF licenses this file
#  to you under the Apache License, Version 2.0 (the
#  "License"); you may not use this file except in compliance
#  with the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing,
#  software distributed under the License is distributed on an
#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
#  KIND, either express or implied.  See the License for the
#  specific language governing permissions and limitations
#  under the License.
#
###############################################################

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# HOME is a fallback for the $ENV::HOME references below: when the HOME
# environment variable is unset, OpenSSL resolves them from this value
# instead of failing.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# New OIDs for use by 'ca' and 'req' go in this section.
# A plain OID:
# testoid1=1.2.3.4
# An OID built with config-file substitution:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
# The section 'openssl ca' takes its settings from
default_ca = CA_default

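####################################################################
[ CA_default ]

# Where everything is kept
dir = ./demoCA
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# Set to 'no' to allow creation of several certificates with the
# same subject.
#unique_subject = no
# default place for new certs
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL number; must be commented out to leave a V1 CRL
crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/crl.pem
# The CA private key
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand

# The extensions to add to the cert
x509_extensions = usr_cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default
cert_opt = ca_default

# Extension copying option: use with caution. With 'copy', extensions
# present in the request are carried into the issued certificate, so
# the requester decides them unless every request is reviewed first.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

# how long to certify for
default_days = 365
# how long before next CRL
default_crl_days = 30
# which message digest to use for signing. SHA-1 certificate signatures
# are deprecated and refused by current verifiers (OpenSSL's default
# security level included), so sign with SHA-256.
default_md = sha256
# keep passed DN ordering
preserve = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
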
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

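####################################################################
[ req ]
# Size of generated RSA keys. 1024-bit RSA is below current minimums;
# 2048 is the smallest size still generally accepted.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca
utf8 = yes
# Passwords for private keys; if not present they will be prompted for.
# Leave them unset here so the key passphrase is not stored in this file.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = pkix

# The extensions to add to a certificate request
# req_extensions = v3_req
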
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hamburg

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = OpenOffice.org

# A second organizationName is possible but normally not needed :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Development

commonName = Common Name (eg, YOUR name)
commonName_max = 64
# The \" is an OpenSSL config escape for a literal double quote in the value.
commonName_default = User 14 \",middle quote

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
# Prompt text and length bounds for the challengePassword attribute
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.
#authorityInfoAccess = OCSP;URI:http://localhost:8888/

# Typical keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Shown in Netscape's comment listbox.
#nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations, harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# subjectAltName and issuerAltName settings.
# Import the email address:
# subjectAltName=email:copy
# An alternative that produces certificates which are not
# deprecated according to PKIX:
# subjectAltName=email:move
subjectAltName = DNS:alt.openoffice.org,IP:192.168.7.1,IP:13::17,email:my@other.address,RID:1.2.3.4,otherName:1.2.3.4;UTF8:some other identifier,dirName:dir_sect,URI:http://my.url.here/
# Copy subject details:
# issuerAltName=issuer:copy


# Directory name referenced by the dirName entry of subjectAltName above.
[dir_sect]
C = DE
O = OpenOffice.org
OU = Development
CN = User 32 Root 11

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#authorityInfoAccess = OCSP;URI:http://localhost:8888/

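[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

#authorityInfoAccess = OCSP;URI:http://localhost:8888
#crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_7.crl

# PKIX recommends marking basicConstraints critical, and that is what is
# done here. Some broken software chokes on critical extensions; if that
# matters, drop the 'critical' flag:
# basicConstraints = CA:true
basicConstraints = critical, CA:true

# Key usage: this is typical for a CA certificate. However, since it will
# prevent the certificate being used as a test self-signed certificate,
# it is left out by default. Without it the CA key is not restricted to
# signing certificates and CRLs.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware, experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
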
[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines, but some CAs do it and some software
# requires it to avoid interpreting an end user certificate as a CA.

basicConstraints = CA:FALSE

# Some examples of nsCertType usage. If it is omitted, the certificate
# can be used for anything *except* object signing.

# OK for an SSL server:
# nsCertType = server

# For an object signing certificate:
# nsCertType = objsign

# Typical for normal client use:
# nsCertType = client, email

# Everything including object signing:
# nsCertType = client, email, objsign

# Typical keyUsage for a client certificate:
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Shown in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations, harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# subjectAltName and issuerAltName settings.
# Import the email address:
# subjectAltName=email:copy
# An alternative that produces certificates which are not
# deprecated according to PKIX:
# subjectAltName=email:move

# Copy subject details:
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo