#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		=
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= ./demoCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution. With "copy", extensions
# present in the request are copied into the issued certificate, so the
# request's extensions must be reviewed before signing.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= default		# use public key default MD
preserve	= no			# keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
# NOTE(review): 1024-bit RSA is below current minimum key-size guidance;
# generate keys of at least 2048 bits (raise this default or pass -newkey).
default_bits		= 1024
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert

# Passwords for private keys; if not present they will be prompted for.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= AU
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State

localityName			= Locality Name (eg, city)

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

commonName			= Common Name (e.g. server FQDN or YOUR name)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64

# SET-ex3			= SET extension number 3

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltName.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1	# the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir		= ./demoCA		# TSA root directory
serial		= $dir/tsaserial	# The current serial number (mandatory)
crypto_device	= builtin		# OpenSSL engine to use for signing
signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)

default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
# NOTE(review): md5 is collision-broken and sha1 is deprecated for signatures;
# a production TSA should drop md5 from this list and accept sha256 instead.
digests		= md5, sha1		# Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
				# (optional, default: no)