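###############################################################
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
###############################################################

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by the openssl 'req', 'ca' and 'x509' commands. Section names used
# below (CA_default, policy_match, usr_cert, v3_ca, ...) are referenced by
# the default_ca, policy, x509_extensions and req_extensions keys; keep the
# names in sync when renaming a section.
#
# Several defaults in this file are historical test-CA settings (1024-bit
# keys, sha1 signatures, localhost CRL URL). See the notes at each key
# before reusing this file for anything other than local testing.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# The CA signing key is stored unencrypted-by-default at this path; the
# private/ directory must not be readable by anyone other than the CA
# operator, and the key should be passphrase-protected outside of tests.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# With 'copy' or 'copyall', extensions supplied by the requester in the CSR
# (for example basicConstraints or subjectAltName) are carried into the
# issued certificate, so the requester can influence certificate properties
# the CA would otherwise control. Leave disabled unless CSRs are vetted.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
# NOTE: sha1 is retained here only for this legacy test CA. SHA-1 certificate
# signatures are no longer accepted by mainstream TLS stacks and browsers;
# use sha256 or stronger for any CA whose certificates leave the test bed.
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# NOTE: 1024-bit RSA is below current minimum key-size guidance; 2048 bits
# or more is expected by modern verifiers. Kept as-is for the legacy test CA.
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# Uncommenting these stores the key passphrase in cleartext in this file;
# prefer the interactive prompt or the -passin/-passout command-line options.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# (nombstr is a legacy setting; current OpenSSL ships utf8only as default.)
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hamburg

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = OpenOffice.org

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Development

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
# The challenge password is embedded in the CSR as a PKCS#9 attribute and
# travels with it; do not reuse a real account or key passphrase here.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.
#authorityInfoAccess = OCSP;URI:http://localhost:8888/

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy



[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#authorityInfoAccess = OCSP;URI:http://localhost:8888/

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

#authorityInfoAccess = OCSP;URI:http://localhost:8888
# NOTE: a localhost CRL URL is only reachable on the issuing machine. Relying
# parties elsewhere cannot fetch this CRL, so revocation checks against
# certificates from this CA will fail or be silently skipped. Replace with a
# publicly resolvable URL before using the CA outside local tests.
crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_5.crl
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = critical, CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# Without keyUsage the CA certificate is not restricted to cRLSign/keyCertSign
# and could also be used as an end-entity certificate; enable for a real CA.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
# Note: usr_cert above uses 'keyid,issuer' (issuer only as fallback); this
# section always embeds the issuer name and serial as well.
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# 'policy:foo' is a placeholder policy value for this test configuration;
# pathlen:3 bounds how many further proxy certificates may be chained.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo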