# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
# This definition stops the following lines choking if HOME isn't defined.
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
default_ca = CA_default # The default ca section
####################################################################
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with the same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The CA private key; keep it readable only by the CA operator and passphrase-protected
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution. With copying enabled, any extension present in a request (including basicConstraints and subjectAltName) is carried into the issued certificate, so every request must be reviewed before signing.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use. SHA-1 signatures are rejected by current browsers and TLS libraries; use sha256 or stronger for any certificate that must be trusted outside a test setup.
preserve = no # keep passed DN ordering
# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object' types.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
####################################################################
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys; if not present here they will be prompted for (setting them here stores the passphrase in clear text in this file).
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr # excludes BMPString and UTF8String; the Netscape caveat above is historical and newer OpenSSL example configs ship utf8only instead
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations, harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it from being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations, harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo # 'foo' is example policy text, not a real policy; pathlen:3 caps the proxy chain length