1*b6c28d34SAndrew Rist###############################################################
2*b6c28d34SAndrew Rist#
3*b6c28d34SAndrew Rist#  Licensed to the Apache Software Foundation (ASF) under one
4*b6c28d34SAndrew Rist#  or more contributor license agreements.  See the NOTICE file
5*b6c28d34SAndrew Rist#  distributed with this work for additional information
6*b6c28d34SAndrew Rist#  regarding copyright ownership.  The ASF licenses this file
7*b6c28d34SAndrew Rist#  to you under the Apache License, Version 2.0 (the
8*b6c28d34SAndrew Rist#  "License"); you may not use this file except in compliance
9*b6c28d34SAndrew Rist#  with the License.  You may obtain a copy of the License at
10*b6c28d34SAndrew Rist#
11*b6c28d34SAndrew Rist#    http://www.apache.org/licenses/LICENSE-2.0
12*b6c28d34SAndrew Rist#
13*b6c28d34SAndrew Rist#  Unless required by applicable law or agreed to in writing,
14*b6c28d34SAndrew Rist#  software distributed under the License is distributed on an
15*b6c28d34SAndrew Rist#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16*b6c28d34SAndrew Rist#  KIND, either express or implied.  See the License for the
17*b6c28d34SAndrew Rist#  specific language governing permissions and limitations
18*b6c28d34SAndrew Rist#  under the License.
19*b6c28d34SAndrew Rist#
20*b6c28d34SAndrew Rist###############################################################
21*b6c28d34SAndrew Rist
22cdf0e10cSrcweir#
23cdf0e10cSrcweir# OpenSSL example configuration file.
24cdf0e10cSrcweir# This is mostly being used for generation of certificate requests.
25cdf0e10cSrcweir#
26cdf0e10cSrcweir
27cdf0e10cSrcweir# This definition stops the following lines choking if HOME isn't
28cdf0e10cSrcweir# defined.
29cdf0e10cSrcweirHOME			= .
30cdf0e10cSrcweirRANDFILE		= $ENV::HOME/.rnd
31cdf0e10cSrcweir
32cdf0e10cSrcweir# Extra OBJECT IDENTIFIER info:
33cdf0e10cSrcweir#oid_file		= $ENV::HOME/.oid
34cdf0e10cSrcweiroid_section		= new_oids
35cdf0e10cSrcweir
36cdf0e10cSrcweir# To use this configuration file with the "-extfile" option of the
37cdf0e10cSrcweir# "openssl x509" utility, name here the section containing the
38cdf0e10cSrcweir# X.509v3 extensions to use:
39cdf0e10cSrcweir# extensions		=
40cdf0e10cSrcweir# (Alternatively, use a configuration file that has only
41cdf0e10cSrcweir# X.509v3 extensions in its main [= default] section.)
42cdf0e10cSrcweir
43cdf0e10cSrcweir[ new_oids ]
44cdf0e10cSrcweir
45cdf0e10cSrcweir# We can add new OIDs in here for use by 'ca' and 'req'.
46cdf0e10cSrcweir# Add a simple OID like this:
47cdf0e10cSrcweir# testoid1=1.2.3.4
48cdf0e10cSrcweir# Or use config file substitution like this:
49cdf0e10cSrcweir# testoid2=${testoid1}.5.6
50cdf0e10cSrcweir
51cdf0e10cSrcweir####################################################################
52cdf0e10cSrcweir[ ca ]
53cdf0e10cSrcweirdefault_ca	= CA_default		# The default ca section
54cdf0e10cSrcweir
55cdf0e10cSrcweir####################################################################
56cdf0e10cSrcweir[ CA_default ]
57cdf0e10cSrcweir
58cdf0e10cSrcweirdir		= ./demoCA		# Where everything is kept
59cdf0e10cSrcweircerts		= $dir/certs		# Where the issued certs are kept
60cdf0e10cSrcweircrl_dir		= $dir/crl		# Where the issued crl are kept
61cdf0e10cSrcweirdatabase	= $dir/index.txt	# database index file.
62cdf0e10cSrcweir#unique_subject	= no			# Set to 'no' to allow creation of
63cdf0e10cSrcweir					# several ctificates with same subject.
64cdf0e10cSrcweirnew_certs_dir	= $dir/newcerts		# default place for new certs.
65cdf0e10cSrcweir
66cdf0e10cSrcweircertificate	= $dir/cacert.pem 	# The CA certificate
67cdf0e10cSrcweirserial		= $dir/serial	# The current serial number
68cdf0e10cSrcweircrlnumber	= $dir/crlnumber	# the current crl number
69cdf0e10cSrcweir					# must be commented out to leave a V1 CRL
70cdf0e10cSrcweircrl		= $dir/crl.pem 		# The current CRL
71cdf0e10cSrcweirprivate_key	= $dir/private/cakey.pem 	# The private key
72cdf0e10cSrcweirRANDFILE	= $dir/private/.rand	 	# private random number file
73cdf0e10cSrcweir
74cdf0e10cSrcweirx509_extensions	= usr_cert		# The extentions to add to the cert
75cdf0e10cSrcweir
76cdf0e10cSrcweir# Comment out the following two lines for the "traditional"
77cdf0e10cSrcweir# (and highly broken) format.
78cdf0e10cSrcweirname_opt 	= ca_default		# Subject Name options
79cdf0e10cSrcweircert_opt 	= ca_default		# Certificate field options
80cdf0e10cSrcweir
81cdf0e10cSrcweir# Extension copying option: use with caution.
82cdf0e10cSrcweir# copy_extensions = copy
83cdf0e10cSrcweir
84cdf0e10cSrcweir# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
85cdf0e10cSrcweir# so this is commented out by default to leave a V1 CRL.
86cdf0e10cSrcweir# crlnumber must also be commented out to leave a V1 CRL.
87cdf0e10cSrcweir# crl_extensions	= crl_ext
88cdf0e10cSrcweir
89cdf0e10cSrcweirdefault_days	= 365			# how long to certify for
90cdf0e10cSrcweirdefault_crl_days= 30			# how long before next CRL
91cdf0e10cSrcweirdefault_md	= sha1			# which md to use.
92cdf0e10cSrcweirpreserve	= no			# keep passed DN ordering
93cdf0e10cSrcweir
94cdf0e10cSrcweir# A few difference way of specifying how similar the request should look
95cdf0e10cSrcweir# For type CA, the listed attributes must be the same, and the optional
96cdf0e10cSrcweir# and supplied fields are just that :-)
97cdf0e10cSrcweirpolicy		= policy_match
98cdf0e10cSrcweir
99cdf0e10cSrcweir# For the CA policy
100cdf0e10cSrcweir[ policy_match ]
101cdf0e10cSrcweircountryName		= match
102cdf0e10cSrcweirstateOrProvinceName	= match
103cdf0e10cSrcweirorganizationName	= match
104cdf0e10cSrcweirorganizationalUnitName	= optional
105cdf0e10cSrcweircommonName		= supplied
106cdf0e10cSrcweiremailAddress		= optional
107cdf0e10cSrcweir
108cdf0e10cSrcweir# For the 'anything' policy
109cdf0e10cSrcweir# At this point in time, you must list all acceptable 'object'
110cdf0e10cSrcweir# types.
111cdf0e10cSrcweir[ policy_anything ]
112cdf0e10cSrcweircountryName		= optional
113cdf0e10cSrcweirstateOrProvinceName	= optional
114cdf0e10cSrcweirlocalityName		= optional
115cdf0e10cSrcweirorganizationName	= optional
116cdf0e10cSrcweirorganizationalUnitName	= optional
117cdf0e10cSrcweircommonName		= supplied
118cdf0e10cSrcweiremailAddress		= optional
119cdf0e10cSrcweir
120cdf0e10cSrcweir####################################################################
121cdf0e10cSrcweir[ req ]
122cdf0e10cSrcweirdefault_bits		= 1024
123cdf0e10cSrcweirdefault_keyfile 	= privkey.pem
124cdf0e10cSrcweirdistinguished_name	= req_distinguished_name
125cdf0e10cSrcweirattributes		= req_attributes
126cdf0e10cSrcweirx509_extensions	= v3_ca	# The extentions to add to the self signed cert
127cdf0e10cSrcweir
128cdf0e10cSrcweir# Passwords for private keys if not present they will be prompted for
129cdf0e10cSrcweir# input_password = secret
130cdf0e10cSrcweir# output_password = secret
131cdf0e10cSrcweir
132cdf0e10cSrcweir# This sets a mask for permitted string types. There are several options.
133cdf0e10cSrcweir# default: PrintableString, T61String, BMPString.
134cdf0e10cSrcweir# pkix	 : PrintableString, BMPString.
135cdf0e10cSrcweir# utf8only: only UTF8Strings.
136cdf0e10cSrcweir# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
137cdf0e10cSrcweir# MASK:XXXX a literal mask value.
138cdf0e10cSrcweir# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
139cdf0e10cSrcweir# so use this option with caution!
140cdf0e10cSrcweirstring_mask = nombstr
141cdf0e10cSrcweir
142cdf0e10cSrcweir# req_extensions = v3_req # The extensions to add to a certificate request
143cdf0e10cSrcweir
144cdf0e10cSrcweir[ req_distinguished_name ]
145cdf0e10cSrcweircountryName			= Country Name (2 letter code)
146cdf0e10cSrcweircountryName_default		= DE
147cdf0e10cSrcweircountryName_min			= 2
148cdf0e10cSrcweircountryName_max			= 2
149cdf0e10cSrcweir
150cdf0e10cSrcweirstateOrProvinceName		= State or Province Name (full name)
151cdf0e10cSrcweirstateOrProvinceName_default	= Hamburg
152cdf0e10cSrcweir
153cdf0e10cSrcweirlocalityName			= Locality Name (eg, city)
154cdf0e10cSrcweir
155cdf0e10cSrcweir0.organizationName		= Organization Name (eg, company)
156cdf0e10cSrcweir0.organizationName_default	= OpenOffice.org
157cdf0e10cSrcweir
158cdf0e10cSrcweir# we can do this but it is not needed normally :-)
159cdf0e10cSrcweir#1.organizationName		= Second Organization Name (eg, company)
160cdf0e10cSrcweir#1.organizationName_default	= World Wide Web Pty Ltd
161cdf0e10cSrcweir
162cdf0e10cSrcweirorganizationalUnitName		= Organizational Unit Name (eg, section)
163cdf0e10cSrcweirorganizationalUnitName_default	= Development
164cdf0e10cSrcweir
165cdf0e10cSrcweircommonName			= Common Name (eg, YOUR name)
166cdf0e10cSrcweircommonName_max			= 64
167cdf0e10cSrcweir
168cdf0e10cSrcweiremailAddress			= Email Address
169cdf0e10cSrcweiremailAddress_max		= 64
170cdf0e10cSrcweir
171cdf0e10cSrcweir# SET-ex3			= SET extension number 3
172cdf0e10cSrcweir
173cdf0e10cSrcweir[ req_attributes ]
174cdf0e10cSrcweirchallengePassword		= A challenge password
175cdf0e10cSrcweirchallengePassword_min		= 4
176cdf0e10cSrcweirchallengePassword_max		= 20
177cdf0e10cSrcweir
178cdf0e10cSrcweirunstructuredName		= An optional company name
179cdf0e10cSrcweir
180cdf0e10cSrcweir[ usr_cert ]
181cdf0e10cSrcweir
182cdf0e10cSrcweir# These extensions are added when 'ca' signs a request.
183cdf0e10cSrcweir#authorityInfoAccess = OCSP;URI:http://localhost:8888/
184cdf0e10cSrcweir
185cdf0e10cSrcweir# This is typical in keyUsage for a client certificate.
186cdf0e10cSrcweirkeyUsage = nonRepudiation, digitalSignature, keyEncipherment
187cdf0e10cSrcweir
188cdf0e10cSrcweir# This will be displayed in Netscape's comment listbox.
189cdf0e10cSrcweirnsComment			= "OpenSSL Generated Certificate"
190cdf0e10cSrcweir
191cdf0e10cSrcweir# PKIX recommendations harmless if included in all certificates.
192cdf0e10cSrcweirsubjectKeyIdentifier=hash
193cdf0e10cSrcweirauthorityKeyIdentifier=keyid,issuer
194cdf0e10cSrcweir
195cdf0e10cSrcweir# This stuff is for subjectAltName and issuerAltname.
196cdf0e10cSrcweir# Import the email address.
197cdf0e10cSrcweir# subjectAltName=email:copy
198cdf0e10cSrcweir# An alternative to produce certificates that aren't
199cdf0e10cSrcweir# deprecated according to PKIX.
200cdf0e10cSrcweir# subjectAltName=email:move
201cdf0e10cSrcweir
202cdf0e10cSrcweir# Copy subject details
203cdf0e10cSrcweir# issuerAltName=issuer:copy
204cdf0e10cSrcweir
205cdf0e10cSrcweir
206cdf0e10cSrcweir
207cdf0e10cSrcweir[ v3_req ]
208cdf0e10cSrcweir
209cdf0e10cSrcweir# Extensions to add to a certificate request
210cdf0e10cSrcweir
211cdf0e10cSrcweirbasicConstraints = CA:FALSE
212cdf0e10cSrcweirkeyUsage = nonRepudiation, digitalSignature, keyEncipherment
213cdf0e10cSrcweir#authorityInfoAccess = OCSP;URI:http://localhost:8888/
214cdf0e10cSrcweir
215cdf0e10cSrcweir[ v3_ca ]
216cdf0e10cSrcweir
217cdf0e10cSrcweir
218cdf0e10cSrcweir# Extensions for a typical CA
219cdf0e10cSrcweir
220cdf0e10cSrcweir
221cdf0e10cSrcweir# PKIX recommendation.
222cdf0e10cSrcweir
223cdf0e10cSrcweirsubjectKeyIdentifier=hash
224cdf0e10cSrcweir
225cdf0e10cSrcweirauthorityKeyIdentifier=keyid:always,issuer:always
226cdf0e10cSrcweir
227cdf0e10cSrcweir#authorityInfoAccess = OCSP;URI:http://localhost:8888
228cdf0e10cSrcweircrlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_5.crl
229cdf0e10cSrcweir# This is what PKIX recommends but some broken software chokes on critical
230cdf0e10cSrcweir# extensions.
231cdf0e10cSrcweir#basicConstraints = critical,CA:true
232cdf0e10cSrcweir# So we do this instead.
233cdf0e10cSrcweirbasicConstraints = critical, CA:true
234cdf0e10cSrcweir
235cdf0e10cSrcweir# Key usage: this is typical for a CA certificate. However since it will
236cdf0e10cSrcweir# prevent it being used as an test self-signed certificate it is best
237cdf0e10cSrcweir# left out by default.
238cdf0e10cSrcweir# keyUsage = cRLSign, keyCertSign
239cdf0e10cSrcweir
240cdf0e10cSrcweir# Some might want this also
241cdf0e10cSrcweir# nsCertType = sslCA, emailCA
242cdf0e10cSrcweir
243cdf0e10cSrcweir# Include email address in subject alt name: another PKIX recommendation
244cdf0e10cSrcweir# subjectAltName=email:copy
245cdf0e10cSrcweir# Copy issuer details
246cdf0e10cSrcweir# issuerAltName=issuer:copy
247cdf0e10cSrcweir
248cdf0e10cSrcweir# DER hex encoding of an extension: beware experts only!
249cdf0e10cSrcweir# obj=DER:02:03
250cdf0e10cSrcweir# Where 'obj' is a standard or added object
251cdf0e10cSrcweir# You can even override a supported extension:
252cdf0e10cSrcweir# basicConstraints= critical, DER:30:03:01:01:FF
253cdf0e10cSrcweir
254cdf0e10cSrcweir[ crl_ext ]
255cdf0e10cSrcweir
256cdf0e10cSrcweir# CRL extensions.
257cdf0e10cSrcweir# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
258cdf0e10cSrcweir
259cdf0e10cSrcweir# issuerAltName=issuer:copy
260cdf0e10cSrcweirauthorityKeyIdentifier=keyid:always,issuer:always
261cdf0e10cSrcweir
262cdf0e10cSrcweir[ proxy_cert_ext ]
263cdf0e10cSrcweir# These extensions should be added when creating a proxy certificate
264cdf0e10cSrcweir
265cdf0e10cSrcweir# This goes against PKIX guidelines but some CAs do it and some software
266cdf0e10cSrcweir# requires this to avoid interpreting an end user certificate as a CA.
267cdf0e10cSrcweir
268cdf0e10cSrcweirbasicConstraints=CA:FALSE
269cdf0e10cSrcweir
270cdf0e10cSrcweir# Here are some examples of the usage of nsCertType. If it is omitted
271cdf0e10cSrcweir# the certificate can be used for anything *except* object signing.
272cdf0e10cSrcweir
273cdf0e10cSrcweir# This is OK for an SSL server.
274cdf0e10cSrcweir# nsCertType			= server
275cdf0e10cSrcweir
276cdf0e10cSrcweir# For an object signing certificate this would be used.
277cdf0e10cSrcweir# nsCertType = objsign
278cdf0e10cSrcweir
279cdf0e10cSrcweir# For normal client use this is typical
280cdf0e10cSrcweir# nsCertType = client, email
281cdf0e10cSrcweir
282cdf0e10cSrcweir# and for everything including object signing:
283cdf0e10cSrcweir# nsCertType = client, email, objsign
284cdf0e10cSrcweir
285cdf0e10cSrcweir# This is typical in keyUsage for a client certificate.
286cdf0e10cSrcweir# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
287cdf0e10cSrcweir
288cdf0e10cSrcweir# This will be displayed in Netscape's comment listbox.
289cdf0e10cSrcweirnsComment			= "OpenSSL Generated Certificate"
290cdf0e10cSrcweir
291cdf0e10cSrcweir# PKIX recommendations harmless if included in all certificates.
292cdf0e10cSrcweirsubjectKeyIdentifier=hash
293cdf0e10cSrcweirauthorityKeyIdentifier=keyid,issuer:always
294cdf0e10cSrcweir
295cdf0e10cSrcweir# This stuff is for subjectAltName and issuerAltname.
296cdf0e10cSrcweir# Import the email address.
297cdf0e10cSrcweir# subjectAltName=email:copy
298cdf0e10cSrcweir# An alternative to produce certificates that aren't
299cdf0e10cSrcweir# deprecated according to PKIX.
300cdf0e10cSrcweir# subjectAltName=email:move
301cdf0e10cSrcweir
302cdf0e10cSrcweir# Copy subject details
303cdf0e10cSrcweir# issuerAltName=issuer:copy
304cdf0e10cSrcweir
305cdf0e10cSrcweir#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
306cdf0e10cSrcweir#nsBaseUrl
307cdf0e10cSrcweir#nsRevocationUrl
308cdf0e10cSrcweir#nsRenewalUrl
309cdf0e10cSrcweir#nsCaPolicyUrl
310cdf0e10cSrcweir#nsSslServerName
311cdf0e10cSrcweir
312cdf0e10cSrcweir# This really needs to be in place for it to be a proxy certificate.
313cdf0e10cSrcweirproxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
314