1*cdf0e10cSrcweir#
2*cdf0e10cSrcweir# OpenSSL example configuration file.
3*cdf0e10cSrcweir# This is mostly being used for generation of certificate requests.
4*cdf0e10cSrcweir#
5*cdf0e10cSrcweir
6*cdf0e10cSrcweir# This definition stops the following lines choking if HOME isn't
7*cdf0e10cSrcweir# defined.
8*cdf0e10cSrcweirHOME			= .
9*cdf0e10cSrcweirRANDFILE		= $ENV::HOME/.rnd
10*cdf0e10cSrcweir
11*cdf0e10cSrcweir# Extra OBJECT IDENTIFIER info:
12*cdf0e10cSrcweir#oid_file		= $ENV::HOME/.oid
13*cdf0e10cSrcweiroid_section		= new_oids
14*cdf0e10cSrcweir
15*cdf0e10cSrcweir# To use this configuration file with the "-extfile" option of the
16*cdf0e10cSrcweir# "openssl x509" utility, name here the section containing the
17*cdf0e10cSrcweir# X.509v3 extensions to use:
18*cdf0e10cSrcweir# extensions		=
19*cdf0e10cSrcweir# (Alternatively, use a configuration file that has only
20*cdf0e10cSrcweir# X.509v3 extensions in its main [= default] section.)
21*cdf0e10cSrcweir
22*cdf0e10cSrcweir[ new_oids ]
23*cdf0e10cSrcweir
24*cdf0e10cSrcweir# We can add new OIDs in here for use by 'ca' and 'req'.
25*cdf0e10cSrcweir# Add a simple OID like this:
26*cdf0e10cSrcweir# testoid1=1.2.3.4
27*cdf0e10cSrcweir# Or use config file substitution like this:
28*cdf0e10cSrcweir# testoid2=${testoid1}.5.6
29*cdf0e10cSrcweir
30*cdf0e10cSrcweir####################################################################
31*cdf0e10cSrcweir[ ca ]
32*cdf0e10cSrcweirdefault_ca	= CA_default		# The default ca section
33*cdf0e10cSrcweir
34*cdf0e10cSrcweir####################################################################
35*cdf0e10cSrcweir[ CA_default ]
36*cdf0e10cSrcweir
37*cdf0e10cSrcweirdir		= ./demoCA		# Where everything is kept
38*cdf0e10cSrcweircerts		= $dir/certs		# Where the issued certs are kept
39*cdf0e10cSrcweircrl_dir		= $dir/crl		# Where the issued crl are kept
40*cdf0e10cSrcweirdatabase	= $dir/index.txt	# database index file.
41*cdf0e10cSrcweir#unique_subject	= no			# Set to 'no' to allow creation of
42*cdf0e10cSrcweir					# several ctificates with same subject.
43*cdf0e10cSrcweirnew_certs_dir	= $dir/newcerts		# default place for new certs.
44*cdf0e10cSrcweir
45*cdf0e10cSrcweircertificate	= $dir/cacert.pem 	# The CA certificate
46*cdf0e10cSrcweirserial		= $dir/serial	# The current serial number
47*cdf0e10cSrcweircrlnumber	= $dir/crlnumber	# the current crl number
48*cdf0e10cSrcweir					# must be commented out to leave a V1 CRL
49*cdf0e10cSrcweircrl		= $dir/crl.pem 		# The current CRL
50*cdf0e10cSrcweirprivate_key	= $dir/private/cakey.pem 	# The private key
51*cdf0e10cSrcweirRANDFILE	= $dir/private/.rand	 	# private random number file
52*cdf0e10cSrcweir
53*cdf0e10cSrcweirx509_extensions	= usr_cert		# The extentions to add to the cert
54*cdf0e10cSrcweir
55*cdf0e10cSrcweir# Comment out the following two lines for the "traditional"
56*cdf0e10cSrcweir# (and highly broken) format.
57*cdf0e10cSrcweirname_opt 	= ca_default		# Subject Name options
58*cdf0e10cSrcweircert_opt 	= ca_default		# Certificate field options
59*cdf0e10cSrcweir
60*cdf0e10cSrcweir# Extension copying option: use with caution.
61*cdf0e10cSrcweir# copy_extensions = copy
62*cdf0e10cSrcweir
63*cdf0e10cSrcweir# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
64*cdf0e10cSrcweir# so this is commented out by default to leave a V1 CRL.
65*cdf0e10cSrcweir# crlnumber must also be commented out to leave a V1 CRL.
66*cdf0e10cSrcweir# crl_extensions	= crl_ext
67*cdf0e10cSrcweir
68*cdf0e10cSrcweirdefault_days	= 365			# how long to certify for
69*cdf0e10cSrcweirdefault_crl_days= 30			# how long before next CRL
70*cdf0e10cSrcweirdefault_md	= sha1			# which md to use.
71*cdf0e10cSrcweirpreserve	= no			# keep passed DN ordering
72*cdf0e10cSrcweir
73*cdf0e10cSrcweir# A few difference way of specifying how similar the request should look
74*cdf0e10cSrcweir# For type CA, the listed attributes must be the same, and the optional
75*cdf0e10cSrcweir# and supplied fields are just that :-)
76*cdf0e10cSrcweirpolicy		= policy_match
77*cdf0e10cSrcweir
78*cdf0e10cSrcweir# For the CA policy
79*cdf0e10cSrcweir[ policy_match ]
80*cdf0e10cSrcweircountryName		= match
81*cdf0e10cSrcweirstateOrProvinceName	= match
82*cdf0e10cSrcweirorganizationName	= match
83*cdf0e10cSrcweirorganizationalUnitName	= optional
84*cdf0e10cSrcweircommonName		= supplied
85*cdf0e10cSrcweiremailAddress		= optional
86*cdf0e10cSrcweir
87*cdf0e10cSrcweir# For the 'anything' policy
88*cdf0e10cSrcweir# At this point in time, you must list all acceptable 'object'
89*cdf0e10cSrcweir# types.
90*cdf0e10cSrcweir[ policy_anything ]
91*cdf0e10cSrcweircountryName		= optional
92*cdf0e10cSrcweirstateOrProvinceName	= optional
93*cdf0e10cSrcweirlocalityName		= optional
94*cdf0e10cSrcweirorganizationName	= optional
95*cdf0e10cSrcweirorganizationalUnitName	= optional
96*cdf0e10cSrcweircommonName		= supplied
97*cdf0e10cSrcweiremailAddress		= optional
98*cdf0e10cSrcweir
99*cdf0e10cSrcweir####################################################################
100*cdf0e10cSrcweir[ req ]
101*cdf0e10cSrcweirdefault_bits		= 1024
102*cdf0e10cSrcweirdefault_keyfile 	= privkey.pem
103*cdf0e10cSrcweirdistinguished_name	= req_distinguished_name
104*cdf0e10cSrcweirattributes		= req_attributes
105*cdf0e10cSrcweirx509_extensions	= v3_ca	# The extentions to add to the self signed cert
106*cdf0e10cSrcweir
107*cdf0e10cSrcweir# Passwords for private keys if not present they will be prompted for
108*cdf0e10cSrcweir# input_password = secret
109*cdf0e10cSrcweir# output_password = secret
110*cdf0e10cSrcweir
111*cdf0e10cSrcweir# This sets a mask for permitted string types. There are several options.
112*cdf0e10cSrcweir# default: PrintableString, T61String, BMPString.
113*cdf0e10cSrcweir# pkix	 : PrintableString, BMPString.
114*cdf0e10cSrcweir# utf8only: only UTF8Strings.
115*cdf0e10cSrcweir# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
116*cdf0e10cSrcweir# MASK:XXXX a literal mask value.
117*cdf0e10cSrcweir# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
118*cdf0e10cSrcweir# so use this option with caution!
119*cdf0e10cSrcweirstring_mask = nombstr
120*cdf0e10cSrcweir
121*cdf0e10cSrcweir# req_extensions = v3_req # The extensions to add to a certificate request
122*cdf0e10cSrcweir
123*cdf0e10cSrcweir[ req_distinguished_name ]
124*cdf0e10cSrcweircountryName			= Country Name (2 letter code)
125*cdf0e10cSrcweircountryName_default		= DE
126*cdf0e10cSrcweircountryName_min			= 2
127*cdf0e10cSrcweircountryName_max			= 2
128*cdf0e10cSrcweir
129*cdf0e10cSrcweirstateOrProvinceName		= State or Province Name (full name)
130*cdf0e10cSrcweirstateOrProvinceName_default	= Hamburg
131*cdf0e10cSrcweir
132*cdf0e10cSrcweirlocalityName			= Locality Name (eg, city)
133*cdf0e10cSrcweir
134*cdf0e10cSrcweir0.organizationName		= Organization Name (eg, company)
135*cdf0e10cSrcweir0.organizationName_default	= OpenOffice.org
136*cdf0e10cSrcweir
137*cdf0e10cSrcweir# we can do this but it is not needed normally :-)
138*cdf0e10cSrcweir#1.organizationName		= Second Organization Name (eg, company)
139*cdf0e10cSrcweir#1.organizationName_default	= World Wide Web Pty Ltd
140*cdf0e10cSrcweir
141*cdf0e10cSrcweirorganizationalUnitName		= Organizational Unit Name (eg, section)
142*cdf0e10cSrcweirorganizationalUnitName_default	= Development
143*cdf0e10cSrcweir
144*cdf0e10cSrcweircommonName			= Common Name (eg, YOUR name)
145*cdf0e10cSrcweircommonName_max			= 64
146*cdf0e10cSrcweir
147*cdf0e10cSrcweiremailAddress			= Email Address
148*cdf0e10cSrcweiremailAddress_max		= 64
149*cdf0e10cSrcweir
150*cdf0e10cSrcweir# SET-ex3			= SET extension number 3
151*cdf0e10cSrcweir
152*cdf0e10cSrcweir[ req_attributes ]
153*cdf0e10cSrcweirchallengePassword		= A challenge password
154*cdf0e10cSrcweirchallengePassword_min		= 4
155*cdf0e10cSrcweirchallengePassword_max		= 20
156*cdf0e10cSrcweir
157*cdf0e10cSrcweirunstructuredName		= An optional company name
158*cdf0e10cSrcweir
159*cdf0e10cSrcweir[ usr_cert ]
160*cdf0e10cSrcweir
161*cdf0e10cSrcweir# These extensions are added when 'ca' signs a request.
162*cdf0e10cSrcweir#authorityInfoAccess = OCSP;URI:http://localhost:8888/
163*cdf0e10cSrcweir
164*cdf0e10cSrcweir# This is typical in keyUsage for a client certificate.
165*cdf0e10cSrcweirkeyUsage = nonRepudiation, digitalSignature, keyEncipherment
166*cdf0e10cSrcweir
167*cdf0e10cSrcweir# This will be displayed in Netscape's comment listbox.
168*cdf0e10cSrcweirnsComment			= "OpenSSL Generated Certificate"
169*cdf0e10cSrcweir
170*cdf0e10cSrcweir# PKIX recommendations harmless if included in all certificates.
171*cdf0e10cSrcweirsubjectKeyIdentifier=hash
172*cdf0e10cSrcweirauthorityKeyIdentifier=keyid,issuer
173*cdf0e10cSrcweir
174*cdf0e10cSrcweir# This stuff is for subjectAltName and issuerAltname.
175*cdf0e10cSrcweir# Import the email address.
176*cdf0e10cSrcweir# subjectAltName=email:copy
177*cdf0e10cSrcweir# An alternative to produce certificates that aren't
178*cdf0e10cSrcweir# deprecated according to PKIX.
179*cdf0e10cSrcweir# subjectAltName=email:move
180*cdf0e10cSrcweir
181*cdf0e10cSrcweir# Copy subject details
182*cdf0e10cSrcweir# issuerAltName=issuer:copy
183*cdf0e10cSrcweir
184*cdf0e10cSrcweir
185*cdf0e10cSrcweir
186*cdf0e10cSrcweir[ v3_req ]
187*cdf0e10cSrcweir
188*cdf0e10cSrcweir# Extensions to add to a certificate request
189*cdf0e10cSrcweir
190*cdf0e10cSrcweirbasicConstraints = CA:FALSE
191*cdf0e10cSrcweirkeyUsage = nonRepudiation, digitalSignature, keyEncipherment
192*cdf0e10cSrcweir#authorityInfoAccess = OCSP;URI:http://localhost:8888/
193*cdf0e10cSrcweir
194*cdf0e10cSrcweir[ v3_ca ]
195*cdf0e10cSrcweir
196*cdf0e10cSrcweir
197*cdf0e10cSrcweir# Extensions for a typical CA
198*cdf0e10cSrcweir
199*cdf0e10cSrcweir
200*cdf0e10cSrcweir# PKIX recommendation.
201*cdf0e10cSrcweir
202*cdf0e10cSrcweirsubjectKeyIdentifier=hash
203*cdf0e10cSrcweir
204*cdf0e10cSrcweirauthorityKeyIdentifier=keyid:always,issuer:always
205*cdf0e10cSrcweir
206*cdf0e10cSrcweir#authorityInfoAccess = OCSP;URI:http://localhost:8888
207*cdf0e10cSrcweir#crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Root_7.crl
208*cdf0e10cSrcweir# This is what PKIX recommends but some broken software chokes on critical
209*cdf0e10cSrcweir# extensions.
210*cdf0e10cSrcweir#basicConstraints = critical,CA:true
211*cdf0e10cSrcweir# So we do this instead.
212*cdf0e10cSrcweirbasicConstraints = critical, CA:true
213*cdf0e10cSrcweir
214*cdf0e10cSrcweir# Key usage: this is typical for a CA certificate. However since it will
215*cdf0e10cSrcweir# prevent it being used as an test self-signed certificate it is best
216*cdf0e10cSrcweir# left out by default.
217*cdf0e10cSrcweir# keyUsage = cRLSign, keyCertSign
218*cdf0e10cSrcweir
219*cdf0e10cSrcweir# Some might want this also
220*cdf0e10cSrcweir# nsCertType = sslCA, emailCA
221*cdf0e10cSrcweir
222*cdf0e10cSrcweir# Include email address in subject alt name: another PKIX recommendation
223*cdf0e10cSrcweir# subjectAltName=email:copy
224*cdf0e10cSrcweir# Copy issuer details
225*cdf0e10cSrcweir# issuerAltName=issuer:copy
226*cdf0e10cSrcweir
227*cdf0e10cSrcweir# DER hex encoding of an extension: beware experts only!
228*cdf0e10cSrcweir# obj=DER:02:03
229*cdf0e10cSrcweir# Where 'obj' is a standard or added object
230*cdf0e10cSrcweir# You can even override a supported extension:
231*cdf0e10cSrcweir# basicConstraints= critical, DER:30:03:01:01:FF
232*cdf0e10cSrcweir
233*cdf0e10cSrcweir[ crl_ext ]
234*cdf0e10cSrcweir
235*cdf0e10cSrcweir# CRL extensions.
236*cdf0e10cSrcweir# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
237*cdf0e10cSrcweir
238*cdf0e10cSrcweir# issuerAltName=issuer:copy
239*cdf0e10cSrcweirauthorityKeyIdentifier=keyid:always,issuer:always
240*cdf0e10cSrcweir
241*cdf0e10cSrcweir[ proxy_cert_ext ]
242*cdf0e10cSrcweir# These extensions should be added when creating a proxy certificate
243*cdf0e10cSrcweir
244*cdf0e10cSrcweir# This goes against PKIX guidelines but some CAs do it and some software
245*cdf0e10cSrcweir# requires this to avoid interpreting an end user certificate as a CA.
246*cdf0e10cSrcweir
247*cdf0e10cSrcweirbasicConstraints=CA:FALSE
248*cdf0e10cSrcweir
249*cdf0e10cSrcweir# Here are some examples of the usage of nsCertType. If it is omitted
250*cdf0e10cSrcweir# the certificate can be used for anything *except* object signing.
251*cdf0e10cSrcweir
252*cdf0e10cSrcweir# This is OK for an SSL server.
253*cdf0e10cSrcweir# nsCertType			= server
254*cdf0e10cSrcweir
255*cdf0e10cSrcweir# For an object signing certificate this would be used.
256*cdf0e10cSrcweir# nsCertType = objsign
257*cdf0e10cSrcweir
258*cdf0e10cSrcweir# For normal client use this is typical
259*cdf0e10cSrcweir# nsCertType = client, email
260*cdf0e10cSrcweir
261*cdf0e10cSrcweir# and for everything including object signing:
262*cdf0e10cSrcweir# nsCertType = client, email, objsign
263*cdf0e10cSrcweir
264*cdf0e10cSrcweir# This is typical in keyUsage for a client certificate.
265*cdf0e10cSrcweir# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
266*cdf0e10cSrcweir
267*cdf0e10cSrcweir# This will be displayed in Netscape's comment listbox.
268*cdf0e10cSrcweirnsComment			= "OpenSSL Generated Certificate"
269*cdf0e10cSrcweir
270*cdf0e10cSrcweir# PKIX recommendations harmless if included in all certificates.
271*cdf0e10cSrcweirsubjectKeyIdentifier=hash
272*cdf0e10cSrcweirauthorityKeyIdentifier=keyid,issuer:always
273*cdf0e10cSrcweir
274*cdf0e10cSrcweir# This stuff is for subjectAltName and issuerAltname.
275*cdf0e10cSrcweir# Import the email address.
276*cdf0e10cSrcweir# subjectAltName=email:copy
277*cdf0e10cSrcweir# An alternative to produce certificates that aren't
278*cdf0e10cSrcweir# deprecated according to PKIX.
279*cdf0e10cSrcweir# subjectAltName=email:move
280*cdf0e10cSrcweir
281*cdf0e10cSrcweir# Copy subject details
282*cdf0e10cSrcweir# issuerAltName=issuer:copy
283*cdf0e10cSrcweir
284*cdf0e10cSrcweir#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
285*cdf0e10cSrcweir#nsBaseUrl
286*cdf0e10cSrcweir#nsRevocationUrl
287*cdf0e10cSrcweir#nsRenewalUrl
288*cdf0e10cSrcweir#nsCaPolicyUrl
289*cdf0e10cSrcweir#nsSslServerName
290*cdf0e10cSrcweir
291*cdf0e10cSrcweir# This really needs to be in place for it to be a proxy certificate.
292*cdf0e10cSrcweirproxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
293