
Viewing changes to conf/openssl.cnf

  • Committer: Bazaar Package Importer
  • Author(s): Lars Bahner
  • Date: 2003-12-02 19:39:35 UTC
  • Revision ID: james.westby@ubuntu.com-20031202193935-fzzt289mntvy6a8q
Tags: upstream-20031118
Import upstream version 20031118

 
1
#
 
2
# OpenSSL configuration file: Two-level hierarchy
 
3
#
 
4
# Root-+
 
5
#      |
 
6
#      +-UserCerts     (end user certs for S/MIME e-mail protection and
 
7
#      |                client authentication)
 
8
#      |
 
9
#      +-AuthCerts      (solely for strong authentication with SSL/TLS)
 
10
#      |
 
11
#      +-ServerCerts    (solely for server certificates with SSL/TLS)
 
12
#      |
 
13
#      +-CodeSigning    (solely for code signing, Authenticode etc.)
 
14
 
 
15
RANDFILE                = "$ENV::HOME/.rnd"
 
16
oid_file                = /etc/openssl/.oid
 
17
oid_section             = new_oids
 
18
 
 
19
[ new_oids ]
 
20
 
 
21
# We can add new OIDs in here for use by 'ca' and 'req'.
 
22
# Add a simple OID like this:
 
23
# testoid1=1.2.3.4
 
24
# Or use config file substitution like this:
 
25
# testoid2=${testoid1}.5.6
 
26
dnQualifier     = 2.5.4.46
 
27
surName         = 2.5.4.4
 
28
givenName       = 2.5.4.42
 
29
initials        = 2.5.4.43
 
30
generationQualifier = 2.5.4.44
 
31
userID          = 0.9.2342.19200300.100.1.1
 
32
 
 
33
####################################################################
 
34
[ ca ]
 
35
 
 
36
Root            = CA_Root
 
37
EmailCerts      = CA_EmailCerts
 
38
AuthCerts       = CA_AuthCerts
 
39
CodeSigning     = CA_CodeSigning
 
40
ServerCerts     = CA_ServerCerts
 
41
 
 
42
####################################################################
 
43
 
 
44
[ CA_Root ]
 
45
dir             = /usr/local/myCA/Root# Where everything is kept
 
46
certs           = $dir/certs            # Where the issued certs are kept
 
47
crl_dir         = $dir/crl              # Where the issued crl are kept
 
48
database        = $dir/index.txt        # database index file.
 
49
new_certs_dir   = $dir/newcerts         # default place for new certs.
 
50
pend_reqs_dir   = ""                    # default place for new unconfirmed cert reqs.
 
51
new_reqs_dir    = ""                    # default place for new cert reqs.
 
52
certificate     = $dir/cacert.pem       # The CA certificate
 
53
serial          = $dir/serial           # The current serial number
 
54
crl             = $dir/crl.pem          # The current CRL
 
55
private_key     = $dir/private/cakey.pem# The private key
 
56
RANDFILE        = $dir/private/.rand    # private random number file
 
57
default_days    = 730                   # how long to certify for
 
58
default_crl_days= 5                     # how long before next CRL
 
59
default_md      = sha1                  # which md to use.
 
60
preserve        = no                    # keep passed DN ordering
 
61
policy          = policy_CA
 
62
ca_x509_extfile = /etc/openssl/cacert_Root.cnf
 
63
x509_extensions = x509v3_ext_CA         # This section is only used for
 
64
                                        # displaying the params in ca-index.py
 
65
 
 
66
[ CA_EmailCerts ]
 
67
dir             = /usr/local/myCA/EmailCerts    # Where everything is kept
 
68
certs           = $dir/certs            # Where the issued certs are kept
 
69
crl_dir         = $dir/crl              # Where the issued crl are kept
 
70
database        = $dir/index.txt        # database index file.
 
71
new_certs_dir   = $dir/newcerts         # default place for new certs.
 
72
pend_reqs_dir   = $dir/pendreqs         # default place for new unconfirmed cert reqs.
 
73
new_reqs_dir    = $dir/newreqs          # default place for new cert reqs.
 
74
certificate     = $dir/cacert.pem       # The CA certificate
 
75
serial          = $dir/serial           # The current serial number
 
76
crl             = $dir/crl.pem          # The current CRL
 
77
private_key     = $dir/private/cakey.pem# The private key
 
78
RANDFILE        = $dir/private/.rand    # private random number file
 
79
default_days    = 200                   # how long to certify for
 
80
default_crl_days= 2                     # how long before next CRL
 
81
default_md      = sha1                  # which md to use.
 
82
preserve        = no                    # keep passed DN ordering
 
83
policy          = policy_EmailCerts
 
84
x509_extensions = x509v3_ext_EmailCerts
 
85
signedby        = Root
 
86
ca_x509_extfile = /etc/openssl/cacert_EmailCerts.cnf
 
87
req             = req_EmailCerts
 
88
min_key_size    = 768
 
89
 
 
90
[ CA_AuthCerts ]
 
91
dir             = /usr/local/myCA/AuthCerts     # Where everything is kept
 
92
certs           = $dir/certs            # Where the issued certs are kept
 
93
crl_dir         = $dir/crl              # Where the issued crl are kept
 
94
database        = $dir/index.txt        # database index file.
 
95
new_certs_dir   = $dir/newcerts         # default place for new certs.
 
96
pend_reqs_dir   = $dir/pendreqs         # default place for new unconfirmed cert reqs.
 
97
new_reqs_dir    = $dir/newreqs          # default place for new cert reqs.
 
98
certificate     = $dir/cacert.pem       # The CA certificate
 
99
serial          = $dir/serial           # The current serial number
 
100
crl             = $dir/crl.pem          # The current CRL
 
101
private_key     = $dir/private/cakey.pem# The private key
 
102
RANDFILE        = $dir/private/.rand    # private random number file
 
103
default_days    = 200                   # how long to certify for
 
104
default_crl_days= 2                     # how long before next CRL
 
105
default_md      = sha1                  # which md to use.
 
106
preserve        = no                    # keep passed DN ordering
 
107
policy          = policy_AuthCerts
 
108
x509_extensions = x509v3_ext_AuthCerts
 
109
signedby        = Root
 
110
ca_x509_extfile = /etc/openssl/cacert_AuthCerts.cnf
 
111
req             = req_AuthCerts
 
112
 
 
113
[ CA_CodeSigning ]
 
114
dir             = /usr/local/myCA/CodeSigning   # Where everything is kept
 
115
certs           = $dir/certs            # Where the issued certs are kept
 
116
crl_dir         = $dir/crl              # Where the issued crl are kept
 
117
database        = $dir/index.txt        # database index file.
 
118
new_certs_dir   = $dir/newcerts         # default place for new certs.
 
119
pend_reqs_dir   = $dir/pendreqs         # default place for new unconfirmed cert reqs.
 
120
new_reqs_dir    = $dir/newreqs          # default place for new cert reqs.
 
121
certificate     = $dir/cacert.pem       # The CA certificate
 
122
serial          = $dir/serial           # The current serial number
 
123
crl             = $dir/crl.pem          # The current CRL
 
124
private_key     = $dir/private/cakey.pem# The private key
 
125
RANDFILE        = $dir/private/.rand    # private random number file
 
126
default_days    = 200                   # how long to certify for
 
127
default_crl_days= 5                     # how long before next CRL
 
128
default_md      = sha1                  # which md to use.
 
129
preserve        = no                    # keep passed DN ordering
 
130
policy          = policy_CodeSigning
 
131
x509_extensions = x509v3_ext_CodeSigning
 
132
signedby        = Root
 
133
ca_x509_extfile = /etc/openssl/cacert_CodeSigning.cnf
 
134
req             = req_EmailCerts
 
135
 
 
136
[ CA_ServerCerts ]
 
137
dir             = /usr/local/myCA/ServerCerts   # Where everything is kept
 
138
certs           = $dir/certs            # Where the issued certs are kept
 
139
crl_dir         = $dir/crl              # Where the issued crl are kept
 
140
database        = $dir/index.txt        # database index file.
 
141
new_certs_dir   = $dir/newcerts         # default place for new certs.
 
142
pend_reqs_dir   = $dir/pendreqs         # default place for new unconfirmed cert reqs.
 
143
new_reqs_dir    = $dir/newreqs          # default place for new cert reqs.
 
144
certificate     = $dir/cacert.pem       # The CA certificate
 
145
serial          = $dir/serial           # The current serial number
 
146
crl             = $dir/crl.pem          # The current CRL
 
147
private_key     = $dir/private/cakey.pem# The private key
 
148
RANDFILE        = $dir/private/.rand    # private random number file
 
149
default_days    = 60                    # how long to certify for
 
150
default_crl_days= 2                     # how long before next CRL
 
151
default_md      = sha1                  # which md to use.
 
152
preserve        = no                    # keep passed DN ordering
 
153
policy          = policy_ServerCerts
 
154
x509_extensions = x509v3_ext_ServerCerts
 
155
signedby        = Root
 
156
ca_x509_extfile = /etc/openssl/cacert_ServerCerts.cnf
 
157
 
 
158
########################### Policies ###############################
 
159
 
 
160
[ policy_EmailCerts ]
 
161
countryName             = optional
 
162
stateOrProvinceName     = optional
 
163
localityName            = optional
 
164
organizationName        = supplied
 
165
organizationalUnitName  = optional
 
166
commonName              = supplied
 
167
emailAddress            = supplied
 
168
 
 
169
[ policy_AuthCerts ]
 
170
organizationName        = supplied
 
171
organizationalUnitName  = optional
 
172
userID                  = supplied
 
173
#emailAddress           = supplied
 
174
 
 
175
[ policy_CodeSigning ]
 
176
countryName             = match
 
177
stateOrProvinceName     = match
 
178
localityName            = match
 
179
organizationName        = match
 
180
organizationalUnitName  = optional
 
181
commonName              = supplied
 
182
userID                  = optional
 
183
emailAddress            = supplied
 
184
 
 
185
[ policy_ServerCerts ]
 
186
countryName             = supplied
 
187
stateOrProvinceName     = optional
 
188
localityName            = supplied
 
189
organizationName        = supplied
 
190
organizationalUnitName  = optional
 
191
commonName              = supplied
 
192
 
 
193
####################################################################
 
194
 
 
195
[ req ]
 
196
default_bits            = 1024
 
197
default_keyfile         = privkey.pem
 
198
distinguished_name      = req_distinguished_name
 
199
# attributes            = req_attributes
 
200
 
 
201
[ req_distinguished_name ]
 
202
countryName                     = country ISO code
 
203
countryName_default             = DE
 
204
countryName_min                 = 2
 
205
countryName_max                 = 2
 
206
countryName_regex               = "[a-zA-Z][a-zA-Z]"
 
207
 
 
208
stateOrProvinceName             = State/Province Name
 
209
stateOrProvinceName_default     = ""
 
210
 
 
211
localityName                    = Location
 
212
localityName_default            = Karlsruhe
 
213
 
 
214
organizationName                = Organization
 
215
organizationName_default        = "Your Organization"
 
216
 
 
217
organizationalUnitName          = Organizational Unit Name
 
218
organizationalUnitName_default  = Department One,Department Two,Department Three
 
219
 
 
220
commonName                      = Common Name
 
221
commonName_max                  = 64
 
222
 
 
223
emailAddress                    = Email Address
 
224
emailAddress_default            = ""
 
225
emailAddress_max                = 64
 
226
emailAddress_regex              = "^([\w@.=/_ +-]+)@([\w-]+)(\.[\w-]+)*$"
 
227
 
 
228
[ req_attributes ]
 
229
challengePassword               = A challenge password
 
230
challengePassword_min           = 4
 
231
challengePassword_max           = 20
 
232
 
 
233
# unstructuredName              = An optional company name
 
234
 
 
235
####################################################################
 
236
 
 
237
[ req_EmailCerts ]
 
238
distinguished_name      = req_distinguished_name_EmailCerts
 
239
 
 
240
[ req_distinguished_name_EmailCerts ]
 
241
countryName                     = country ISO code
 
242
countryName_default             = "DE"
 
243
countryName_min                 = 2
 
244
countryName_max                 = 2
 
245
countryName_regex               = "[a-zA-Z][a-zA-Z]"
 
246
 
 
247
stateOrProvinceName             = State/Province Name
 
248
stateOrProvinceName_default     = ""
 
249
 
 
250
localityName                    = Location
 
251
localityName_default            = Karlsruhe
 
252
 
 
253
organizationName                = Organization
 
254
organizationName_default        = "Your Organization"
 
255
 
 
256
organizationalUnitName          = Organizational Unit Name
 
257
organizationalUnitName_default  = Department One,Department Two,Department Three
 
258
 
 
259
commonName                      = Common Name
 
260
commonName_max                  = 64
 
261
 
 
262
emailAddress                    = Email Address
 
263
emailAddress_default            = ""
 
264
emailAddress_max                = 64
 
265
emailAddress_regex              = "^([\w@.=/_ +-]+)@([\w-]+)(\.[\w-]+)*$"
 
266
 
 
267
[ req_AuthCerts ]
 
268
distinguished_name      = req_distinguished_name_AuthCerts
 
269
 
 
270
[ req_distinguished_name_AuthCerts ]
 
271
 
 
272
organizationName                = Organization
 
273
organizationName_default        = "Your Organization"
 
274
 
 
275
userID                  = "User ID"
 
276
userID_max              = 8
 
277
 
 
278
emailAddress                    = Email Address
 
279
emailAddress_default            = "@ms.inka.de"
 
280
emailAddress_max                = 64
 
281
emailAddress_regex              = "^([\w@.=/_ +-]+)@([\w-]+)(\.[\w-]+)*$"
 
282
 
 
283
####################################################################
 
284
 
 
285
[ req_short_and_empty ]
 
286
distinguished_name      = req_distinguished_name_short_and_empty
 
287
 
 
288
[ req_distinguished_name_short_and_empty ]
 
289
countryName                     = country ISO code
 
290
countryName_min                 = 2
 
291
countryName_max                 = 2
 
292
countryName_regex               = "[a-zA-Z][a-zA-Z]"
 
293
 
 
294
stateOrProvinceName             = State/Province Name
 
295
 
 
296
localityName                    = Location
 
297
 
 
298
organizationName                = Organization
 
299
 
 
300
organizationalUnitName          = Organizational Unit Name
 
301
 
 
302
commonName                      = Common Name
 
303
commonName_max                  = 64
 
304
 
 
305
emailAddress                    = Email Address
 
306
emailAddress_max                = 64
 
307
emailAddress_regex              = "^([\w@.=/_ +-]+)@([\w-]+)(\.[\w-]+)*$"
 
308
 
 
309
##############################################################################
 
310
 
 
311
[ x509v3_ext_CA ]
 
312
basicConstraints        = CA:true
 
313
keyUsage = cRLSign,keyCertSign
 
314
crlDistributionPoints   = URI:"http://localhost/pyca/get-cert.py/Root/crl.crl"
 
315
nsComment               = "This certificate is used for issueing sub-CA certs."
 
316
nsBaseUrl               = "https://localhost/"
 
317
nsCaRevocationUrl       = pyca/get-cert.py/Root/crl.crl
 
318
nsRevocationUrl         = pyca/ns-check-rev.py/Root?
 
319
nsRenewalUrl            = pyca/ns-renewal.py/Root?
 
320
nsCaPolicyUrl           = TestCA/policy/CA-policy.html
 
321
 
 
322
[ x509v3_ext_EmailCerts ]
 
323
# PKIX extensions
 
324
subjectKeyIdentifier    = hash
 
325
authorityKeyIdentifier  = keyid:always,issuer:always
 
326
keyUsage                = nonRepudiation,digitalSignature,keyEncipherment
 
327
extendedKeyUsage        = emailProtection
 
328
issuerAltName = URI:"https://localhost/pyca/get-cert.py/EmailCerts/ca.crt"
 
329
crlDistributionPoints   = URI:"http://localhost/pyca/get-cert.py/EmailCerts/crl.crl"
 
330
subjectAltName = email:copy
 
331
# Netscape-specific extensions
 
332
nsComment               = "This certificate is used for e-mail."
 
333
nsBaseUrl               = "https://localhost/"
 
334
nsCaRevocationUrl       = pyca/get-cert.py/EmailCerts/crl.crl
 
335
nsRevocationUrl         = pyca/ns-check-rev.py/EmailCerts?
 
336
nsRenewalUrl            = pyca/ns-renewal.py/EmailCerts?
 
337
nsCaPolicyUrl           = TestCA/policy/EmailCerts-policy.html
 
338
nsCertType              = email
 
339
 
 
340
[ x509v3_ext_AuthCerts ]
 
341
# PKIX extensions
 
342
subjectKeyIdentifier    = hash
 
343
authorityKeyIdentifier  = keyid:always,issuer:always
 
344
keyUsage                = digitalSignature
 
345
extendedKeyUsage        = clientAuth
 
346
issuerAltName = URI:"https://localhost/pyca/get-cert.py/AuthCerts/ca.crt"
 
347
crlDistributionPoints   = URI:"http://localhost/pyca/get-cert.py/AuthCerts/crl.crl"
 
348
# Netscape-specific extensions
 
349
nsComment               = "This certificate is used for strong authentication."
 
350
nsBaseUrl               = "https://localhost/"
 
351
nsCaRevocationUrl       = pyca/get-cert.py/AuthCerts/crl.crl
 
352
nsRevocationUrl         = pyca/ns-check-rev.py/AuthCerts?
 
353
nsRenewalUrl            = pyca/ns-renewal.py/AuthCerts?
 
354
nsCaPolicyUrl           = TestCA/policy/AuthCerts-policy.html
 
355
nsCertType              = client
 
356
 
 
357
[ x509v3_ext_CodeSigning ]
 
358
# PKIX extensions
 
359
subjectKeyIdentifier    = hash
 
360
authorityKeyIdentifier  = keyid:always,issuer:always
 
361
keyUsage                = digitalSignature
 
362
extendedKeyUsage        = codeSigning
 
363
issuerAltName = URI:"https://localhost/pyca/get-cert.py/CodeSigning/ca.crt"
 
364
crlDistributionPoints   = URI:"http://localhost/pyca/get-cert.py/CodeSigning/crl.crl"
 
365
# Netscape-specific extensions
 
366
nsComment               = "This certificate is used for CodeSigning signing."
 
367
nsBaseUrl               = "https://localhost/"
 
368
nsCaRevocationUrl       = pyca/get-cert.py/CodeSigning/crl.crl
 
369
nsRevocationUrl         = pyca/ns-check-rev.py/CodeSigning?
 
370
nsRenewalUrl            = pyca/ns-renewal.py/CodeSigning?
 
371
nsCaPolicyUrl           = TestCA/policy/CodeSigning-policy.html
 
372
nsCertType              = objsign
 
373
 
 
374
[ x509v3_ext_ServerCerts ]
 
375
# PKIX extensions
 
376
subjectKeyIdentifier    = hash
 
377
authorityKeyIdentifier  = keyid:always,issuer:always
 
378
crlDistributionPoints   = URI:"http://localhost/pyca/get-cert.py/ServerCerts/crl.crl"
 
379
keyUsage                = keyEncipherment
 
380
extendedKeyUsage        = serverAuth,nsSGC,msSGC
 
381
# Netscape-specific extensions
 
382
nsComment               = "This certificate is used for SSL ServerCerts."
 
383
nsBaseUrl               = "https://localhost/"
 
384
nsCaRevocationUrl       = pyca/get-cert.py/ServerCerts/crl.crl
 
385
nsRevocationUrl         = pyca/ns-check-rev.py/ServerCerts?
 
386
nsRenewalUrl            = pyca/ns-renewal.py/ServerCerts?
 
387
nsCaPolicyUrl           = TestCA/policy/ServerCerts-policy.html
 
388
nsCertType              = server
 
389
 
 
390
# [ pyca ] is a proprietary, non-OpenSSL section for the pyca-package
 
391
# on http://www.pyca.de/
 
392
 
 
393
[ pyca ]
 
394
 
 
395
caCertFormat = DER
 
396
 
 
397
# Base-URL for the other URL addresses
 
398
# This is meant as fallback option if the CA-specific
 
399
# attribute nsBaseUrl is not set
 
400
nsBaseUrl = "https://localhost/"
 
401
 
 
402
# Relative URL address of ca-index.py
 
403
nsCAIndexUrl = pyca/ca-index.py
 
404
 
 
405
# Relative URL address of client-enroll.py
 
406
nsEnrollUrl = pyca/client-enroll.py
 
407
 
 
408
# Relative URL address of get-cert.py
 
409
nsGetCertUrl = pyca/get-cert.py
 
410
 
 
411
# Relative URL address of view-cert.py
 
412
nsViewCertUrl = pyca/view-cert.py
 
413
 
 
414
# Pathname of the openssl executable
 
415
OpenSSLExec = /usr/bin/openssl
 
416
 
 
417
# Username of caadmin
 
418
userCAAdmin = caadmin
 
419
 
 
420
# Username of WWW Server
 
421
userWWWRun = wwwrun
 
422
 
 
423
# Username of mail delivery demon
 
424
userMailDaemon = daemon
 
425
 
 
426
# Preferred HTTP method for submitting form parameters
 
427
ScriptMethod = POST
 
428
 
 
429
# Relative URL address of help texts (e.g. client-enroll-help.html)
 
430
HelpUrl = inkasite/python/pyca/help/
 
431
 
 
432
# The default SMTP mail relay
 
433
MailRelay = localhost
 
434
 
 
435
# Directory for temporary files
 
436
TmpDir = /tmp
 
437
 
 
438
# Path to file for log output of ca-certreq-mail.py.
 
439
# The directory must be writeable for the user defined with parameter
 
440
# userMailDaemon
 
441
caCertConfirmReqLog = /var/log/pyca/ca-certreq-mail.out
 
442
 
 
443
# Pathname for the error log file.
 
444
# stderr is used as default, if empty or not defined.
 
445
#ErrorLog = /var/log/pyca/httpd_error_log
 
446
 
 
447
# E-mail address of the mail dialogue script for certificate requests
 
448
# if empty, no mail dialogue is initiated.
 
449
caCertReqMailAdr = confirm-cert-req@ms.inka.de
 
450
 
 
451
# Central e-mail address of the CA's administrator.
 
452
# This is used as From: address if the subject name of a CA cert does
 
453
# not contain an Email attribute.
 
454
caAdminMailAdr = caadmin@ms.inka.de
 
455
 
 
456
# Amount of time [h] how long a pending certificate request is stored
 
457
# in caPendCertReqDir without being confirmed by e-mail.
 
458
# Set to zero (this is the default) to disable automatic deletion of
 
459
# unconfirmed certificate requests by ca-cycle-pub.py.
 
460
caPendCertReqValid = 24
 
461
 
 
462
# List CA names for which certificate requests can only be created
 
463
# from an internal network (see caInternalIPAdr and caInternalDomains).
 
464
# The integrity of your PKI should not be based on such mechanisms!
 
465
caInternalCertTypes = CodeSigning
 
466
 
 
467
# List of network addresses/-masks which are considered internal
 
468
caInternalIPAdr = 127.0.0.0/255.0.0.0,10.0.0.0/255.0.0.0
 
469
 
 
470
# List of email address domains which are handled as internal
 
471
caInternalDomains = pyca.de
 
472
 
 
473
# List of CA names for which handling of intermediate CA certs should
 
474
# be provided.
 
475
caIntermediateCACerts = EmailCerts
 
476
 
 
477
# All parameters for <BODY> tag (quote " with ��).
 
478
htmlBodyParam = �TEXT="#000000" LINK="Red" VLINK="Green" BGCOLOR="#FFFFFF"�