# OpenSSL configuration file: Two-level hierarchy
# +-UserCerts (end user certs for S/MIME e-mail protection and
# | client authentication)
# +-AuthCerts (solely for strong authentication with SSL/TLS)
# +-ServerCerts (solely for server certificates with SSL/TLS)
# +-CodeSigning (solely for code signing, Authenticode etc.)
# Random seed file; $ENV::HOME is expanded from the environment when the
# configuration is loaded.
RANDFILE = "$ENV::HOME/.rnd"

# Additional object identifiers come from the section named here and from
# the OID file below.
oid_section = new_oids
oid_file = /etc/openssl/.oid
# Extra OIDs made available to 'ca' and 'req' under the short names below.
# NOTE(review): the section header that oid_section points at (new_oids)
# precedes this block in the original file but is not visible in this copy.
# A simple OID is written as  name = dotted.numbers
# Config-file substitution also works, e.g.:
# testoid2=${testoid1}.5.6
dnQualifier = 2.5.4.46
generationQualifier = 2.5.4.44
userID = 0.9.2342.19200300.100.1.1
####################################################################
# Maps each issuing CA name to the CA_* section that holds its settings.
# NOTE(review): the enclosing 'ca' section header, and any default_ca key,
# precede this block in the original file but are not visible in this copy.
EmailCerts = CA_EmailCerts
AuthCerts = CA_AuthCerts
CodeSigning = CA_CodeSigning
ServerCerts = CA_ServerCerts
####################################################################
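# Root CA settings. This CA issues only the sub-CA certificates of the
# two-level hierarchy; its extension profile is x509v3_ext_CA.
# NOTE(review): the CA_* section header for the root precedes this block
# in the original file but is not visible in this copy.
# Where everything is kept
dir = /usr/local/myCA/Root
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# default place for new certs
new_certs_dir = $dir/newcerts
# default places for new unconfirmed / new cert reqs; left empty for the
# root CA
pend_reqs_dir = ""
new_reqs_dir = ""
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The private key; $dir/private should be readable by the CA admin only
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand
# how long to certify for (days)
default_days = 730
# how long before next CRL (days)
default_crl_days = 5
# which md to use. Was sha1: SHA-1 signatures are rejected by current TLS
# clients and browsers, so sign with SHA-256 instead
default_md = sha256
# keep passed DN ordering
preserve = no
ca_x509_extfile = /etc/openssl/cacert_Root.cnf
# This section is only used for displaying the params in ca-index.py
x509_extensions = x509v3_ext_CA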
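# Sub-CA for S/MIME e-mail certificates.
# NOTE(review): the CA_EmailCerts section header precedes this block in the
# original file but is not visible in this copy.
# Where everything is kept
dir = /usr/local/myCA/EmailCerts
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# default place for new certs
new_certs_dir = $dir/newcerts
# default place for new unconfirmed cert reqs
pend_reqs_dir = $dir/pendreqs
# default place for new cert reqs
new_reqs_dir = $dir/newreqs
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The private key; $dir/private should be readable by the CA admin only
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand
# how long to certify for (days)
default_days = 200
# how long before next CRL (days)
default_crl_days = 2
# which md to use. Was sha1: SHA-1 signatures are rejected by current
# clients, so sign with SHA-256 instead
default_md = sha256
# keep passed DN ordering
preserve = no
policy = policy_EmailCerts
x509_extensions = x509v3_ext_EmailCerts
ca_x509_extfile = /etc/openssl/cacert_EmailCerts.cnf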
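# Sub-CA for SSL/TLS client-authentication certificates.
# NOTE(review): the CA_AuthCerts section header precedes this block in the
# original file but is not visible in this copy.
# Where everything is kept
dir = /usr/local/myCA/AuthCerts
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# default place for new certs
new_certs_dir = $dir/newcerts
# default place for new unconfirmed cert reqs
pend_reqs_dir = $dir/pendreqs
# default place for new cert reqs
new_reqs_dir = $dir/newreqs
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The private key; $dir/private should be readable by the CA admin only
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand
# how long to certify for (days)
default_days = 200
# how long before next CRL (days)
default_crl_days = 2
# which md to use. Was sha1: SHA-1 signatures are rejected by current
# clients, so sign with SHA-256 instead
default_md = sha256
# keep passed DN ordering
preserve = no
policy = policy_AuthCerts
x509_extensions = x509v3_ext_AuthCerts
ca_x509_extfile = /etc/openssl/cacert_AuthCerts.cnf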
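# Sub-CA for code-signing certificates.
# NOTE(review): the CA_CodeSigning section header precedes this block in the
# original file but is not visible in this copy.
# Where everything is kept
dir = /usr/local/myCA/CodeSigning
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# default place for new certs
new_certs_dir = $dir/newcerts
# default place for new unconfirmed cert reqs
pend_reqs_dir = $dir/pendreqs
# default place for new cert reqs
new_reqs_dir = $dir/newreqs
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The private key; $dir/private should be readable by the CA admin only
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand
# how long to certify for (days)
default_days = 200
# how long before next CRL (days)
default_crl_days = 5
# which md to use. Was sha1: SHA-1 signatures are rejected by current
# clients, so sign with SHA-256 instead
default_md = sha256
# keep passed DN ordering
preserve = no
policy = policy_CodeSigning
x509_extensions = x509v3_ext_CodeSigning
ca_x509_extfile = /etc/openssl/cacert_CodeSigning.cnf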
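# Sub-CA for SSL/TLS server certificates.
# NOTE(review): the CA_ServerCerts section header precedes this block in the
# original file but is not visible in this copy.
# Where everything is kept
dir = /usr/local/myCA/ServerCerts
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# default place for new certs
new_certs_dir = $dir/newcerts
# default place for new unconfirmed cert reqs
pend_reqs_dir = $dir/pendreqs
# default place for new cert reqs
new_reqs_dir = $dir/newreqs
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The private key; $dir/private should be readable by the CA admin only
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand
# how long to certify for (days)
default_days = 60
# how long before next CRL (days)
default_crl_days = 2
# which md to use. Was sha1: SHA-1 signatures are rejected by current TLS
# clients and browsers, so sign with SHA-256 instead
default_md = sha256
# keep passed DN ordering
preserve = no
policy = policy_ServerCerts
x509_extensions = x509v3_ext_ServerCerts
ca_x509_extfile = /etc/openssl/cacert_ServerCerts.cnf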
########################### Policies ###############################
[ policy_EmailCerts ]
# DN policy for e-mail certificates. 'supplied' attributes must be present
# in the request, 'optional' ones may be. The order of the entries is the
# order of the issued DN (preserve = no in the CA section), so keep it.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied
# DN policy for authentication certificates.
# NOTE(review): the policy_AuthCerts section header referenced from the
# AuthCerts CA settings precedes this block in the original file but is not
# visible in this copy.
organizationName = supplied
organizationalUnitName = optional
# e-mail address is not required for authentication certs (kept disabled)
#emailAddress = supplied
[ policy_CodeSigning ]
# DN policy for code-signing certificates: state and organisation must
# 'match' the CA's own certificate, so only the CA's organisation can
# receive one. Entry order defines the issued DN order.
# NOTE(review): this copy of the section may be incomplete; compare with
# the original file.
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied
[ policy_ServerCerts ]
# DN policy for server certificates: country, locality, organisation and
# common name are mandatory. Entry order defines the issued DN order.
countryName = supplied
stateOrProvinceName = optional
localityName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
####################################################################
# Defaults for 'openssl req'.
# NOTE(review): the req section header and a default_bits key are not
# visible in this copy; without default_bits, old OpenSSL releases create a
# short RSA key, so confirm the original sets it to at least 2048.
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# attributes = req_attributes
[ req_distinguished_name ]
# Prompts and defaults for the subject DN. Entry order is the prompt order
# and the DN order, so keep it. The _min/_max suffixes bound the length;
# the _regex suffix is presumably interpreted by pyca rather than by
# OpenSSL itself (TODO confirm).
countryName = country ISO code
countryName_default = DE
countryName_regex = "[a-zA-Z][a-zA-Z]"

stateOrProvinceName = State/Province Name
stateOrProvinceName_default = ""

localityName = Location
localityName_default = Karlsruhe

organizationName = Organization
organizationName_default = "Your Organization"

organizationalUnitName = Organizational Unit Name
organizationalUnitName_default = Department One,Department Two,Department Three

commonName = Common Name

emailAddress = Email Address
emailAddress_default = ""
emailAddress_max = 64
emailAddress_regex = "^([\w@.=/_ +-]+)@([\w-]+)(\.[\w-]+)*$"

# Challenge password stored in the request. A 4-character minimum is very
# weak if the value is ever used to authorise revocation; raise it if so.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

# unstructuredName = An optional company name
####################################################################
# Request profile for e-mail certificates; the DN prompts live in the
# section named here.
# NOTE(review): this key's section header is not visible in this copy.
distinguished_name = req_distinguished_name_EmailCerts
[ req_distinguished_name_EmailCerts ]
# DN prompts for e-mail certificate requests (same set as
# req_distinguished_name minus the challenge password). Entry order is the
# prompt and DN order, so keep it.
countryName = country ISO code
countryName_default = "DE"
countryName_regex = "[a-zA-Z][a-zA-Z]"

stateOrProvinceName = State/Province Name
stateOrProvinceName_default = ""

localityName = Location
localityName_default = Karlsruhe

organizationName = Organization
organizationName_default = "Your Organization"

organizationalUnitName = Organizational Unit Name
organizationalUnitName_default = Department One,Department Two,Department Three

commonName = Common Name

emailAddress = Email Address
emailAddress_default = ""
emailAddress_max = 64
emailAddress_regex = "^([\w@.=/_ +-]+)@([\w-]+)(\.[\w-]+)*$"
# Request profile for authentication certificates; the DN prompts live in
# the section named here.
# NOTE(review): this key's section header is not visible in this copy.
distinguished_name = req_distinguished_name_AuthCerts
[ req_distinguished_name_AuthCerts ]
# Reduced DN prompts for authentication certificate requests: organisation
# and e-mail address only. Entry order is the prompt and DN order.
# NOTE(review): this copy of the section may be incomplete; compare with
# the original file.
organizationName = Organization
organizationName_default = "Your Organization"

emailAddress = Email Address
emailAddress_default = "@ms.inka.de"
emailAddress_max = 64
emailAddress_regex = "^([\w@.=/_ +-]+)@([\w-]+)(\.[\w-]+)*$"
####################################################################
[ req_short_and_empty ]
# Request profile with no pre-filled defaults; prompts are in the section
# named here.
distinguished_name = req_distinguished_name_short_and_empty
[ req_distinguished_name_short_and_empty ]
# DN prompts without default values. Entry order is the prompt and DN order,
# so keep it.
countryName = country ISO code
countryName_regex = "[a-zA-Z][a-zA-Z]"

stateOrProvinceName = State/Province Name

localityName = Location

organizationName = Organization

organizationalUnitName = Organizational Unit Name

commonName = Common Name

emailAddress = Email Address
emailAddress_max = 64
emailAddress_regex = "^([\w@.=/_ +-]+)@([\w-]+)(\.[\w-]+)*$"
##############################################################################
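# Extensions for the sub-CA certificates issued by the root CA.
# NOTE(review): the x509v3_ext_CA section header precedes this block in the
# original file but is not visible in this copy.
# The file describes a two-level hierarchy, so sub-CAs must not issue
# further CAs (pathlen:0). Marked critical so relying parties cannot
# ignore the constraint (was: CA:true, non-critical).
basicConstraints = critical,CA:true,pathlen:0
# Limit the sub-CA key to signing certificates and CRLs (now critical).
keyUsage = critical,cRLSign,keyCertSign
# Key identifiers are required in CA certificates and let clients chain
# back to the root (added; the other extension sections already set them).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# NOTE(review): a localhost URL only resolves on the CA host itself;
# replace it with the externally reachable name before issuing real certs.
crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/Root/crl.crl"
# Netscape-specific extensions
nsComment = "This certificate is used for issueing sub-CA certs."
nsBaseUrl = "https://localhost/"
nsCaRevocationUrl = pyca/get-cert.py/Root/crl.crl
nsRevocationUrl = pyca/ns-check-rev.py/Root?
nsRenewalUrl = pyca/ns-renewal.py/Root?
nsCaPolicyUrl = TestCA/policy/CA-policy.html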
[ x509v3_ext_EmailCerts ]
# Extensions for S/MIME e-mail certificates.
# Key identifiers let clients chain back to the issuing sub-CA.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Signing plus key transport, restricted to e-mail protection.
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
# NOTE(review): localhost URLs only resolve on the CA host itself; replace
# them with the externally reachable name before issuing real certs.
issuerAltName = URI:"https://localhost/pyca/get-cert.py/EmailCerts/ca.crt"
crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/EmailCerts/crl.crl"
# Copy the e-mail address from the subject DN into the SAN.
subjectAltName = email:copy
# Netscape-specific extensions
nsComment = "This certificate is used for e-mail."
nsBaseUrl = "https://localhost/"
nsCaRevocationUrl = pyca/get-cert.py/EmailCerts/crl.crl
nsRevocationUrl = pyca/ns-check-rev.py/EmailCerts?
nsRenewalUrl = pyca/ns-renewal.py/EmailCerts?
nsCaPolicyUrl = TestCA/policy/EmailCerts-policy.html
[ x509v3_ext_AuthCerts ]
# Extensions for SSL/TLS client-authentication certificates.
# Key identifiers let clients chain back to the issuing sub-CA.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Signature-only key, restricted to client authentication.
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
# NOTE(review): localhost URLs only resolve on the CA host itself; replace
# them with the externally reachable name before issuing real certs.
issuerAltName = URI:"https://localhost/pyca/get-cert.py/AuthCerts/ca.crt"
crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/AuthCerts/crl.crl"
# Netscape-specific extensions
nsComment = "This certificate is used for strong authentication."
nsBaseUrl = "https://localhost/"
nsCaRevocationUrl = pyca/get-cert.py/AuthCerts/crl.crl
nsRevocationUrl = pyca/ns-check-rev.py/AuthCerts?
nsRenewalUrl = pyca/ns-renewal.py/AuthCerts?
nsCaPolicyUrl = TestCA/policy/AuthCerts-policy.html
[ x509v3_ext_CodeSigning ]
# Extensions for code-signing certificates.
# Key identifiers let verifiers chain back to the issuing sub-CA.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Signature-only key, restricted to code signing.
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
# NOTE(review): localhost URLs only resolve on the CA host itself; replace
# them with the externally reachable name before issuing real certs.
issuerAltName = URI:"https://localhost/pyca/get-cert.py/CodeSigning/ca.crt"
crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/CodeSigning/crl.crl"
# Netscape-specific extensions
nsComment = "This certificate is used for CodeSigning signing."
nsBaseUrl = "https://localhost/"
nsCaRevocationUrl = pyca/get-cert.py/CodeSigning/crl.crl
nsRevocationUrl = pyca/ns-check-rev.py/CodeSigning?
nsRenewalUrl = pyca/ns-renewal.py/CodeSigning?
nsCaPolicyUrl = TestCA/policy/CodeSigning-policy.html
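[ x509v3_ext_ServerCerts ]
# Extensions for SSL/TLS server certificates.
# Key identifiers let clients chain back to the issuing sub-CA.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# NOTE(review): a localhost URL only resolves on the CA host itself;
# replace it with the externally reachable name before issuing real certs.
crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/ServerCerts/crl.crl"
# digitalSignature is needed for (EC)DHE key exchange, where the server
# signs the handshake; keyEncipherment alone (the previous value) only
# covers RSA key transport and makes such handshakes fail.
keyUsage = digitalSignature,keyEncipherment
# nsSGC/msSGC are legacy Server-Gated-Crypto markers; harmless but unused
# by current clients.
extendedKeyUsage = serverAuth,nsSGC,msSGC
# NOTE(review): no subjectAltName is set here. Current browsers ignore the
# CN and require the host name in a SAN, so it has to be supplied per
# request; confirm that the request path does this.
# Netscape-specific extensions
nsComment = "This certificate is used for SSL ServerCerts."
nsBaseUrl = "https://localhost/"
nsCaRevocationUrl = pyca/get-cert.py/ServerCerts/crl.crl
nsRevocationUrl = pyca/ns-check-rev.py/ServerCerts?
nsRenewalUrl = pyca/ns-renewal.py/ServerCerts?
nsCaPolicyUrl = TestCA/policy/ServerCerts-policy.html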
# [ pyca ] is a proprietary, non-OpenSSL section for the pyca-package
# on http://www.pyca.de/
# NOTE(review): the [ pyca ] header itself is not visible in this copy.

# Fallback base URL for the relative URLs below, used when a CA-specific
# nsBaseUrl is not set.
nsBaseUrl = "https://localhost/"

# Relative URLs of the web front-end scripts.
nsCAIndexUrl = pyca/ca-index.py
nsEnrollUrl = pyca/client-enroll.py
nsGetCertUrl = pyca/get-cert.py
nsViewCertUrl = pyca/view-cert.py

# Pathname of the openssl executable.
OpenSSLExec = /usr/bin/openssl

# Username of the CA admin.
userCAAdmin = caadmin

# Username of WWW Server
# NOTE(review): the key this comment describes is not visible in this copy.

# Username of the mail delivery daemon.
userMailDaemon = daemon

# Preferred HTTP method for submitting form parameters
# NOTE(review): the key this comment describes is not visible in this copy.

# Relative URL of the help texts (e.g. client-enroll-help.html).
HelpUrl = inkasite/python/pyca/help/

# Default SMTP mail relay.
MailRelay = localhost

# Directory for temporary files
# NOTE(review): the key this comment describes is not visible in this copy.

# Log output of ca-certreq-mail.py. The directory must be writeable for
# the user defined with parameter
# NOTE(review): the parameter name is cut off in this copy (presumably
# userMailDaemon above; confirm).
caCertConfirmReqLog = /var/log/pyca/ca-certreq-mail.out

# Error log file; stderr is used when empty or not defined.
#ErrorLog = /var/log/pyca/httpd_error_log

# E-mail address of the mail dialogue script for certificate requests;
# if empty, no mail dialogue is initiated.
caCertReqMailAdr = confirm-cert-req@ms.inka.de

# Central e-mail address of the CA's administrator, used as From: address
# when the subject name of a CA cert has no Email attribute.
caAdminMailAdr = caadmin@ms.inka.de

# Hours a pending certificate request stays in caPendCertReqDir without
# being confirmed by e-mail. Zero (the default) disables automatic deletion
# of unconfirmed requests by ca-cycle-pub.py.
caPendCertReqValid = 24

# CA names whose certificate requests may only be created from an internal
# network (see caInternalIPAdr and caInternalDomains). Source-address and
# domain checks are easily spoofed; the integrity of your PKI should not
# be based on such mechanisms!
caInternalCertTypes = CodeSigning

# Network addresses/masks considered internal (here 127/8 and 10/8).
caInternalIPAdr = 127.0.0.0/255.0.0.0,10.0.0.0/255.0.0.0

# E-mail address domains handled as internal.
caInternalDomains = pyca.de

# List of CA names for which handling of intermediate CA certs should
# NOTE(review): the rest of this comment is cut off in this copy.
caIntermediateCACerts = EmailCerts

# All parameters for the <BODY> tag.
# NOTE(review): the quoting character used on the next line (and the one
# named in the original comment) is mis-encoded in this copy; check the
# original file before relying on this value.
htmlBodyParam = �TEXT="#000000" LINK="Red" VLINK="Green" BGCOLOR="#FFFFFF"�