1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME			= .
9RANDFILE		= $ENV::HOME/.rnd
10
11# Extra OBJECT IDENTIFIER info:
12#oid_file		= $ENV::HOME/.oid
13oid_section		= new_oids
14
15# To use this configuration file with the "-extfile" option of the
16# "openssl x509" utility, name here the section containing the
17# X.509v3 extensions to use:
18# extensions		= 
19# (Alternatively, use a configuration file that has only
20# X.509v3 extensions in its main [= default] section.)
21
22[ new_oids ]
23
24# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
25# Add a simple OID like this:
26# testoid1=1.2.3.4
27# Or use config file substitution like this:
28# testoid2=${testoid1}.5.6
29
30# Policies used by the TSA examples.
31tsa_policy1 = 1.2.3.4.1
32tsa_policy2 = 1.2.3.4.5.6
33tsa_policy3 = 1.2.3.4.5.7
34
35####################################################################
36[ ca ]
37default_ca	= CA_default		# The default ca section
38
39####################################################################
40[ CA_default ]
41
42dir		= ./demoCA		# Where everything is kept
43certs		= $dir/certs		# Where the issued certs are kept
44crl_dir		= $dir/crl		# Where the issued crl are kept
45database	= $dir/index.txt	# database index file.
46#unique_subject	= no			# Set to 'no' to allow creation of
47					# several ctificates with same subject.
48new_certs_dir	= $dir/newcerts		# default place for new certs.
49
50certificate	= $dir/cacert.pem 	# The CA certificate
51serial		= $dir/serial 		# The current serial number
52crlnumber	= $dir/crlnumber	# the current crl number
53					# must be commented out to leave a V1 CRL
54crl		= $dir/crl.pem 		# The current CRL
55private_key	= $dir/private/cakey.pem# The private key
56RANDFILE	= $dir/private/.rand	# private random number file
57
58x509_extensions	= usr_cert		# The extentions to add to the cert
59
60# Comment out the following two lines for the "traditional"
61# (and highly broken) format.
62name_opt 	= ca_default		# Subject Name options
63cert_opt 	= ca_default		# Certificate field options
64
65# Extension copying option: use with caution.
66# copy_extensions = copy
67
68# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
69# so this is commented out by default to leave a V1 CRL.
70# crlnumber must also be commented out to leave a V1 CRL.
71# crl_extensions	= crl_ext
72
73default_days	= 365			# how long to certify for
74default_crl_days= 30			# how long before next CRL
75default_md	= default		# use public key default MD
76preserve	= no			# keep passed DN ordering
77
78# A few difference way of specifying how similar the request should look
79# For type CA, the listed attributes must be the same, and the optional
80# and supplied fields are just that :-)
81policy		= policy_match
82
83# For the CA policy
84[ policy_match ]
85countryName		= match
86stateOrProvinceName	= match
87organizationName	= match
88organizationalUnitName	= optional
89commonName		= supplied
90emailAddress		= optional
91
92# For the 'anything' policy
93# At this point in time, you must list all acceptable 'object'
94# types.
95[ policy_anything ]
96countryName		= optional
97stateOrProvinceName	= optional
98localityName		= optional
99organizationName	= optional
100organizationalUnitName	= optional
101commonName		= supplied
102emailAddress		= optional
103
104####################################################################
105[ req ]
106default_bits		= 1024
107default_keyfile 	= privkey.pem
108distinguished_name	= req_distinguished_name
109attributes		= req_attributes
110x509_extensions	= v3_ca	# The extentions to add to the self signed cert
111
112# Passwords for private keys if not present they will be prompted for
113# input_password = secret
114# output_password = secret
115
116# This sets a mask for permitted string types. There are several options. 
117# default: PrintableString, T61String, BMPString.
118# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
119# utf8only: only UTF8Strings (PKIX recommendation after 2004).
120# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
121# MASK:XXXX a literal mask value.
122# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
123string_mask = utf8only
124
125# req_extensions = v3_req # The extensions to add to a certificate request
126
127[ req_distinguished_name ]
128countryName			= Country Name (2 letter code)
129countryName_default		= AU
130countryName_min			= 2
131countryName_max			= 2
132
133stateOrProvinceName		= State or Province Name (full name)
134stateOrProvinceName_default	= Some-State
135
136localityName			= Locality Name (eg, city)
137
1380.organizationName		= Organization Name (eg, company)
1390.organizationName_default	= Internet Widgits Pty Ltd
140
141# we can do this but it is not needed normally :-)
142#1.organizationName		= Second Organization Name (eg, company)
143#1.organizationName_default	= World Wide Web Pty Ltd
144
145organizationalUnitName		= Organizational Unit Name (eg, section)
146#organizationalUnitName_default	=
147
148commonName			= Common Name (e.g. server FQDN or YOUR name)
149commonName_max			= 64
150
151emailAddress			= Email Address
152emailAddress_max		= 64
153
154# SET-ex3			= SET extension number 3
155
156[ req_attributes ]
157challengePassword		= A challenge password
158challengePassword_min		= 4
159challengePassword_max		= 20
160
161unstructuredName		= An optional company name
162
163[ usr_cert ]
164
165# These extensions are added when 'ca' signs a request.
166
167# This goes against PKIX guidelines but some CAs do it and some software
168# requires this to avoid interpreting an end user certificate as a CA.
169
170basicConstraints=CA:FALSE
171
172# Here are some examples of the usage of nsCertType. If it is omitted
173# the certificate can be used for anything *except* object signing.
174
175# This is OK for an SSL server.
176# nsCertType			= server
177
178# For an object signing certificate this would be used.
179# nsCertType = objsign
180
181# For normal client use this is typical
182# nsCertType = client, email
183
184# and for everything including object signing:
185# nsCertType = client, email, objsign
186
187# This is typical in keyUsage for a client certificate.
188# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
189
190# This will be displayed in Netscape's comment listbox.
191nsComment			= "OpenSSL Generated Certificate"
192
193# PKIX recommendations harmless if included in all certificates.
194subjectKeyIdentifier=hash
195authorityKeyIdentifier=keyid,issuer
196
197# This stuff is for subjectAltName and issuerAltname.
198# Import the email address.
199# subjectAltName=email:copy
200# An alternative to produce certificates that aren't
201# deprecated according to PKIX.
202# subjectAltName=email:move
203
204# Copy subject details
205# issuerAltName=issuer:copy
206
207#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
208#nsBaseUrl
209#nsRevocationUrl
210#nsRenewalUrl
211#nsCaPolicyUrl
212#nsSslServerName
213
214# This is required for TSA certificates.
215# extendedKeyUsage = critical,timeStamping
216
217[ v3_req ]
218
219# Extensions to add to a certificate request
220
221basicConstraints = CA:FALSE
222keyUsage = nonRepudiation, digitalSignature, keyEncipherment
223
224[ v3_ca ]
225
226
227# Extensions for a typical CA
228
229
230# PKIX recommendation.
231
232subjectKeyIdentifier=hash
233
234authorityKeyIdentifier=keyid:always,issuer
235
236# This is what PKIX recommends but some broken software chokes on critical
237# extensions.
238#basicConstraints = critical,CA:true
239# So we do this instead.
240basicConstraints = CA:true
241
242# Key usage: this is typical for a CA certificate. However since it will
243# prevent it being used as an test self-signed certificate it is best
244# left out by default.
245# keyUsage = cRLSign, keyCertSign
246
247# Some might want this also
248# nsCertType = sslCA, emailCA
249
250# Include email address in subject alt name: another PKIX recommendation
251# subjectAltName=email:copy
252# Copy issuer details
253# issuerAltName=issuer:copy
254
255# DER hex encoding of an extension: beware experts only!
256# obj=DER:02:03
257# Where 'obj' is a standard or added object
258# You can even override a supported extension:
259# basicConstraints= critical, DER:30:03:01:01:FF
260
261[ crl_ext ]
262
263# CRL extensions.
264# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
265
266# issuerAltName=issuer:copy
267authorityKeyIdentifier=keyid:always
268
269[ proxy_cert_ext ]
270# These extensions should be added when creating a proxy certificate
271
272# This goes against PKIX guidelines but some CAs do it and some software
273# requires this to avoid interpreting an end user certificate as a CA.
274
275basicConstraints=CA:FALSE
276
277# Here are some examples of the usage of nsCertType. If it is omitted
278# the certificate can be used for anything *except* object signing.
279
280# This is OK for an SSL server.
281# nsCertType			= server
282
283# For an object signing certificate this would be used.
284# nsCertType = objsign
285
286# For normal client use this is typical
287# nsCertType = client, email
288
289# and for everything including object signing:
290# nsCertType = client, email, objsign
291
292# This is typical in keyUsage for a client certificate.
293# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
294
295# This will be displayed in Netscape's comment listbox.
296nsComment			= "OpenSSL Generated Certificate"
297
298# PKIX recommendations harmless if included in all certificates.
299subjectKeyIdentifier=hash
300authorityKeyIdentifier=keyid,issuer
301
302# This stuff is for subjectAltName and issuerAltname.
303# Import the email address.
304# subjectAltName=email:copy
305# An alternative to produce certificates that aren't
306# deprecated according to PKIX.
307# subjectAltName=email:move
308
309# Copy subject details
310# issuerAltName=issuer:copy
311
312#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
313#nsBaseUrl
314#nsRevocationUrl
315#nsRenewalUrl
316#nsCaPolicyUrl
317#nsSslServerName
318
319# This really needs to be in place for it to be a proxy certificate.
320proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
321
322####################################################################
323[ tsa ]
324
325default_tsa = tsa_config1	# the default TSA section
326
327[ tsa_config1 ]
328
329# These are used by the TSA reply generation only.
330dir		= ./demoCA		# TSA root directory
331serial		= $dir/tsaserial	# The current serial number (mandatory)
332crypto_device	= builtin		# OpenSSL engine to use for signing
333signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
334					# (optional)
335certs		= $dir/cacert.pem	# Certificate chain to include in reply
336					# (optional)
337signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
338
339default_policy	= tsa_policy1		# Policy if request did not specify it
340					# (optional)
341other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
342digests		= md5, sha1		# Acceptable message digests (mandatory)
343accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
344clock_precision_digits  = 0	# number of digits after dot. (optional)
345ordering		= yes	# Is ordering defined for timestamps?
346				# (optional, default: no)
347tsa_name		= yes	# Must the TSA name be included in the reply?
348				# (optional, default: no)
349ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
350				# (optional, default: no)
351