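#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by the OpenSSL "ca", "req" and "x509" commands; section names
# ([CA_default], [v3_ca], [usr_cert], ...) are referenced by those
# commands and by the keys below, so keep them stable.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
 # several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
 # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
# Signature digest. SHA-1 signatures are rejected by current browsers
# and TLS libraries, so sha256 is used instead of the former sha1.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# RSA key size for generated keys. 2048 is the smallest size current
# clients accept; the former value here was 1024.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for.
# Leave these commented out so the passphrase is prompted for rather
# than kept in this file.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hamburg

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = OpenOffice.org

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Development

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.
#authorityInfoAccess = OCSP;URI:http://localhost:8888/

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#authorityInfoAccess = OCSP;URI:http://localhost:8888/

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

#authorityInfoAccess = OCSP;URI:http://localhost:8888
#crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_7.crl
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = critical, CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# "policy:foo" is a placeholder policy identifier, not a real policy.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo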