1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME			= .
9RANDFILE		= $ENV::HOME/.rnd
10
11# Extra OBJECT IDENTIFIER info:
12#oid_file		= $ENV::HOME/.oid
13oid_section		= new_oids
14
15# To use this configuration file with the "-extfile" option of the
16# "openssl x509" utility, name here the section containing the
17# X.509v3 extensions to use:
18# extensions		=
19# (Alternatively, use a configuration file that has only
20# X.509v3 extensions in its main [= default] section.)
21
22[ new_oids ]
23
24# We can add new OIDs in here for use by 'ca' and 'req'.
25# Add a simple OID like this:
26# testoid1=1.2.3.4
27# Or use config file substitution like this:
28# testoid2=${testoid1}.5.6
29
30####################################################################
31[ ca ]
32default_ca	= CA_default		# The default ca section
33
34####################################################################
35[ CA_default ]
36
37dir		= ./demoCA		# Where everything is kept
38certs		= $dir/certs		# Where the issued certs are kept
39crl_dir		= $dir/crl		# Where the issued crl are kept
40database	= $dir/index.txt	# database index file.
41#unique_subject	= no			# Set to 'no' to allow creation of
42					# several ctificates with same subject.
43new_certs_dir	= $dir/newcerts		# default place for new certs.
44
45certificate	= $dir/cacert.pem 	# The CA certificate
46serial		= $dir/serial	# The current serial number
47crlnumber	= $dir/crlnumber	# the current crl number
48					# must be commented out to leave a V1 CRL
49crl		= $dir/crl.pem 		# The current CRL
50private_key	= $dir/private/cakey.pem 	# The private key
51RANDFILE	= $dir/private/.rand	 	# private random number file
52
53x509_extensions	= usr_cert		# The extentions to add to the cert
54
55# Comment out the following two lines for the "traditional"
56# (and highly broken) format.
57name_opt 	= ca_default		# Subject Name options
58cert_opt 	= ca_default		# Certificate field options
59
60# Extension copying option: use with caution.
61# copy_extensions = copy
62
63# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
64# so this is commented out by default to leave a V1 CRL.
65# crlnumber must also be commented out to leave a V1 CRL.
66# crl_extensions	= crl_ext
67
68default_days	= 365			# how long to certify for
69default_crl_days= 30			# how long before next CRL
70default_md	= sha1			# which md to use.
71preserve	= no			# keep passed DN ordering
72
73# A few difference way of specifying how similar the request should look
74# For type CA, the listed attributes must be the same, and the optional
75# and supplied fields are just that :-)
76policy		= policy_match
77
78# For the CA policy
79[ policy_match ]
80countryName		= match
81stateOrProvinceName	= match
82organizationName	= match
83organizationalUnitName	= optional
84commonName		= supplied
85emailAddress		= optional
86
87# For the 'anything' policy
88# At this point in time, you must list all acceptable 'object'
89# types.
90[ policy_anything ]
91countryName		= optional
92stateOrProvinceName	= optional
93localityName		= optional
94organizationName	= optional
95organizationalUnitName	= optional
96commonName		= supplied
97emailAddress		= optional
98
99####################################################################
100[ req ]
101default_bits		= 1024
102default_keyfile 	= privkey.pem
103distinguished_name	= req_distinguished_name
104attributes		= req_attributes
105x509_extensions	= v3_ca	# The extentions to add to the self signed cert
106
107# Passwords for private keys if not present they will be prompted for
108# input_password = secret
109# output_password = secret
110
111# This sets a mask for permitted string types. There are several options.
112# default: PrintableString, T61String, BMPString.
113# pkix	 : PrintableString, BMPString.
114# utf8only: only UTF8Strings.
115# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
116# MASK:XXXX a literal mask value.
117# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
118# so use this option with caution!
119string_mask = nombstr
120
121# req_extensions = v3_req # The extensions to add to a certificate request
122
123[ req_distinguished_name ]
124countryName			= Country Name (2 letter code)
125countryName_default		= DE
126countryName_min			= 2
127countryName_max			= 2
128
129stateOrProvinceName		= State or Province Name (full name)
130stateOrProvinceName_default	= Hamburg
131
132localityName			= Locality Name (eg, city)
133
1340.organizationName		= Organization Name (eg, company)
1350.organizationName_default	= OpenOffice.org
136
137# we can do this but it is not needed normally :-)
138#1.organizationName		= Second Organization Name (eg, company)
139#1.organizationName_default	= World Wide Web Pty Ltd
140
141organizationalUnitName		= Organizational Unit Name (eg, section)
142organizationalUnitName_default	= Development
143
144commonName			= Common Name (eg, YOUR name)
145commonName_max			= 64
146
147emailAddress			= Email Address
148emailAddress_max		= 64
149
150# SET-ex3			= SET extension number 3
151
152[ req_attributes ]
153challengePassword		= A challenge password
154challengePassword_min		= 4
155challengePassword_max		= 20
156
157unstructuredName		= An optional company name
158
159[ usr_cert ]
160
161# These extensions are added when 'ca' signs a request.
162#authorityInfoAccess = OCSP;URI:http://localhost:8888/
163
164# This is typical in keyUsage for a client certificate.
165keyUsage = nonRepudiation, digitalSignature, keyEncipherment
166
167# This will be displayed in Netscape's comment listbox.
168nsComment			= "OpenSSL Generated Certificate"
169
170# PKIX recommendations harmless if included in all certificates.
171subjectKeyIdentifier=hash
172authorityKeyIdentifier=keyid,issuer
173
174# This stuff is for subjectAltName and issuerAltname.
175# Import the email address.
176# subjectAltName=email:copy
177# An alternative to produce certificates that aren't
178# deprecated according to PKIX.
179# subjectAltName=email:move
180
181# Copy subject details
182# issuerAltName=issuer:copy
183
184
185
186[ v3_req ]
187
188# Extensions to add to a certificate request
189
190basicConstraints = CA:FALSE
191keyUsage = nonRepudiation, digitalSignature, keyEncipherment
192#authorityInfoAccess = OCSP;URI:http://localhost:8888/
193
194[ v3_ca ]
195
196
197# Extensions for a typical CA
198
199
200# PKIX recommendation.
201
202subjectKeyIdentifier=hash
203
204authorityKeyIdentifier=keyid:always,issuer:always
205
206#authorityInfoAccess = OCSP;URI:http://localhost:8888
207crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_6.crl
208# This is what PKIX recommends but some broken software chokes on critical
209# extensions.
210#basicConstraints = critical,CA:true
211# So we do this instead.
212basicConstraints = critical, CA:true
213
214# Key usage: this is typical for a CA certificate. However since it will
215# prevent it being used as an test self-signed certificate it is best
216# left out by default.
217# keyUsage = cRLSign, keyCertSign
218
219# Some might want this also
220# nsCertType = sslCA, emailCA
221
222# Include email address in subject alt name: another PKIX recommendation
223# subjectAltName=email:copy
224# Copy issuer details
225# issuerAltName=issuer:copy
226
227# DER hex encoding of an extension: beware experts only!
228# obj=DER:02:03
229# Where 'obj' is a standard or added object
230# You can even override a supported extension:
231# basicConstraints= critical, DER:30:03:01:01:FF
232
233[ crl_ext ]
234
235# CRL extensions.
236# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
237
238# issuerAltName=issuer:copy
239authorityKeyIdentifier=keyid:always,issuer:always
240
241[ proxy_cert_ext ]
242# These extensions should be added when creating a proxy certificate
243
244# This goes against PKIX guidelines but some CAs do it and some software
245# requires this to avoid interpreting an end user certificate as a CA.
246
247basicConstraints=CA:FALSE
248
249# Here are some examples of the usage of nsCertType. If it is omitted
250# the certificate can be used for anything *except* object signing.
251
252# This is OK for an SSL server.
253# nsCertType			= server
254
255# For an object signing certificate this would be used.
256# nsCertType = objsign
257
258# For normal client use this is typical
259# nsCertType = client, email
260
261# and for everything including object signing:
262# nsCertType = client, email, objsign
263
264# This is typical in keyUsage for a client certificate.
265# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
266
267# This will be displayed in Netscape's comment listbox.
268nsComment			= "OpenSSL Generated Certificate"
269
270# PKIX recommendations harmless if included in all certificates.
271subjectKeyIdentifier=hash
272authorityKeyIdentifier=keyid,issuer:always
273
274# This stuff is for subjectAltName and issuerAltname.
275# Import the email address.
276# subjectAltName=email:copy
277# An alternative to produce certificates that aren't
278# deprecated according to PKIX.
279# subjectAltName=email:move
280
281# Copy subject details
282# issuerAltName=issuer:copy
283
284#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
285#nsBaseUrl
286#nsRevocationUrl
287#nsRenewalUrl
288#nsCaPolicyUrl
289#nsSslServerName
290
291# This really needs to be in place for it to be a proxy certificate.
292proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
293