source: lab.git/TipAndDoc/openssl/openssl.cnf @ 29f68714

trunk
Last change on this file since 29f68714 was 8333ea0, checked in by mitty <mitty@…>, 14 years ago

git-svn-id: https://lab.mitty.jp/svn/lab/trunk@92 7d2118f6-f56c-43e7-95a2-4bb3031d96e7

  • Property mode set to 100644
File size: 9.2 KB
Line 
1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME            = .
9RANDFILE        = $ENV::HOME/.rnd
10
11# Extra OBJECT IDENTIFIER info:
12#oid_file       = $ENV::HOME/.oid
13oid_section     = new_oids
14
15# To use this configuration file with the "-extfile" option of the
16# "openssl x509" utility, name here the section containing the
17# X.509v3 extensions to use:
18# extensions        =
19# (Alternatively, use a configuration file that has only
20# X.509v3 extensions in its main [= default] section.)
21
22[ new_oids ]
23
24# We can add new OIDs in here for use by 'ca' and 'req'.
25# Add a simple OID like this:
26# testoid1=1.2.3.4
27# Or use config file substitution like this:
28# testoid2=${testoid1}.5.6
29
30####################################################################
31[ ca ]
32default_ca  = CA_default        # The default ca section
33
34####################################################################
35[ CA_default ]
36
37dir     = ./demoCA      # Where everything is kept
38certs       = $dir/certs        # Where the issued certs are kept
39crl_dir     = $dir/crl      # Where the issued crl are kept
40database    = $dir/index.txt    # database index file.
41#unique_subject = no            # Set to 'no' to allow creation of
42                    # several ctificates with same subject.
43new_certs_dir   = $dir/newcerts     # default place for new certs.
44
45certificate = $dir/cacert.pem   # The CA certificate
46serial      = $dir/serial       # The current serial number
47crlnumber   = $dir/crlnumber    # the current crl number
48                    # must be commented out to leave a V1 CRL
49crl     = $dir/crl.pem      # The current CRL
50private_key = $dir/private/cakey.pem# The private key
51RANDFILE    = $dir/private/.rand    # private random number file
52
53x509_extensions = usr_cert      # The extentions to add to the cert
54
55# Comment out the following two lines for the "traditional"
56# (and highly broken) format.
57name_opt    = ca_default        # Subject Name options
58cert_opt    = ca_default        # Certificate field options
59
60# Extension copying option: use with caution.
61# copy_extensions = copy
62
63# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
64# so this is commented out by default to leave a V1 CRL.
65# crlnumber must also be commented out to leave a V1 CRL.
66# crl_extensions    = crl_ext
67
68default_days    = 3650          # how long to certify for
69default_crl_days= 30            # how long before next CRL
70default_md  = sha1          # which md to use.
71preserve    = no            # keep passed DN ordering
72
73# A few difference way of specifying how similar the request should look
74# For type CA, the listed attributes must be the same, and the optional
75# and supplied fields are just that :-)
76policy      = policy_match
77
78# For the CA policy
79[ policy_match ]
80countryName     = match
81stateOrProvinceName = match
82organizationName    = match
83organizationalUnitName  = optional
84commonName      = supplied
85emailAddress        = optional
86
87# For the 'anything' policy
88# At this point in time, you must list all acceptable 'object'
89# types.
90[ policy_anything ]
91countryName     = optional
92stateOrProvinceName = optional
93localityName        = optional
94organizationName    = optional
95organizationalUnitName  = optional
96commonName      = supplied
97emailAddress        = optional
98
99####################################################################
100[ req ]
101default_bits        = 1024
102default_keyfile     = privkey.pem
103distinguished_name  = req_distinguished_name
104attributes      = req_attributes
105x509_extensions = v3_ca # The extentions to add to the self signed cert
106
107# Passwords for private keys if not present they will be prompted for
108# input_password = secret
109# output_password = secret
110
111# This sets a mask for permitted string types. There are several options.
112# default: PrintableString, T61String, BMPString.
113# pkix   : PrintableString, BMPString.
114# utf8only: only UTF8Strings.
115# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
116# MASK:XXXX a literal mask value.
117# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
118# so use this option with caution!
119string_mask = nombstr
120
121# req_extensions = v3_req # The extensions to add to a certificate request
122
123[ req_distinguished_name ]
124countryName         = Country Name (2 letter code)
125countryName_default     = AU
126countryName_min         = 2
127countryName_max         = 2
128
129stateOrProvinceName     = State or Province Name (full name)
130stateOrProvinceName_default = Some-State
131
132localityName            = Locality Name (eg, city)
133
1340.organizationName      = Organization Name (eg, company)
1350.organizationName_default  = Internet Widgits Pty Ltd
136
137# we can do this but it is not needed normally :-)
138#1.organizationName     = Second Organization Name (eg, company)
139#1.organizationName_default = World Wide Web Pty Ltd
140
141organizationalUnitName      = Organizational Unit Name (eg, section)
142#organizationalUnitName_default =
143
144commonName          = Common Name (eg, YOUR name)
145commonName_max          = 64
146
147emailAddress            = Email Address
148emailAddress_max        = 64
149
150# SET-ex3           = SET extension number 3
151
152[ req_attributes ]
153challengePassword       = A challenge password
154challengePassword_min       = 4
155challengePassword_max       = 20
156
157unstructuredName        = An optional company name
158
159[ usr_cert ]
160
161# These extensions are added when 'ca' signs a request.
162
163# This goes against PKIX guidelines but some CAs do it and some software
164# requires this to avoid interpreting an end user certificate as a CA.
165
166basicConstraints=CA:FALSE
167
168# Here are some examples of the usage of nsCertType. If it is omitted
169# the certificate can be used for anything *except* object signing.
170
171# This is OK for an SSL server.
172nsCertType          = server
173
174# For an object signing certificate this would be used.
175# nsCertType = objsign
176
177# For normal client use this is typical
178# nsCertType = client, email
179
180# and for everything including object signing:
181# nsCertType = client, email, objsign
182
183# This is typical in keyUsage for a client certificate.
184# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
185
186# This will be displayed in Netscape's comment listbox.
187nsComment           = "OpenSSL Generated Certificate"
188
189# PKIX recommendations harmless if included in all certificates.
190subjectKeyIdentifier=hash
191authorityKeyIdentifier=keyid,issuer
192
193# This stuff is for subjectAltName and issuerAltname.
194# Import the email address.
195# subjectAltName=email:copy
196# An alternative to produce certificates that aren't
197# deprecated according to PKIX.
198# subjectAltName=email:move
199
200# Copy subject details
201# issuerAltName=issuer:copy
202
203#nsCaRevocationUrl      = http://www.domain.dom/ca-crl.pem
204#nsBaseUrl
205#nsRevocationUrl
206#nsRenewalUrl
207#nsCaPolicyUrl
208#nsSslServerName
209
210[ v3_req ]
211
212# Extensions to add to a certificate request
213
214basicConstraints = CA:FALSE
215keyUsage = nonRepudiation, digitalSignature, keyEncipherment
216
217[ v3_ca ]
218
219
220# Extensions for a typical CA
221
222
223# PKIX recommendation.
224
225subjectKeyIdentifier=hash
226
227authorityKeyIdentifier=keyid:always,issuer:always
228
229# This is what PKIX recommends but some broken software chokes on critical
230# extensions.
231#basicConstraints = critical,CA:true
232# So we do this instead.
233basicConstraints = CA:true
234
235# Key usage: this is typical for a CA certificate. However since it will
236# prevent it being used as an test self-signed certificate it is best
237# left out by default.
238# keyUsage = cRLSign, keyCertSign
239
240# Some might want this also
241nsCertType = sslCA, emailCA
242
243# Include email address in subject alt name: another PKIX recommendation
244# subjectAltName=email:copy
245# Copy issuer details
246# issuerAltName=issuer:copy
247
248# DER hex encoding of an extension: beware experts only!
249# obj=DER:02:03
250# Where 'obj' is a standard or added object
251# You can even override a supported extension:
252# basicConstraints= critical, DER:30:03:01:01:FF
253
254[ crl_ext ]
255
256# CRL extensions.
257# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
258
259# issuerAltName=issuer:copy
260authorityKeyIdentifier=keyid:always,issuer:always
261
262[ proxy_cert_ext ]
263# These extensions should be added when creating a proxy certificate
264
265# This goes against PKIX guidelines but some CAs do it and some software
266# requires this to avoid interpreting an end user certificate as a CA.
267
268basicConstraints=CA:FALSE
269
270# Here are some examples of the usage of nsCertType. If it is omitted
271# the certificate can be used for anything *except* object signing.
272
273# This is OK for an SSL server.
274# nsCertType            = server
275
276# For an object signing certificate this would be used.
277# nsCertType = objsign
278
279# For normal client use this is typical
280# nsCertType = client, email
281
282# and for everything including object signing:
283# nsCertType = client, email, objsign
284
285# This is typical in keyUsage for a client certificate.
286# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
287
288# This will be displayed in Netscape's comment listbox.
289nsComment           = "OpenSSL Generated Certificate"
290
291# PKIX recommendations harmless if included in all certificates.
292subjectKeyIdentifier=hash
293authorityKeyIdentifier=keyid,issuer:always
294
295# This stuff is for subjectAltName and issuerAltname.
296# Import the email address.
297# subjectAltName=email:copy
298# An alternative to produce certificates that aren't
299# deprecated according to PKIX.
300# subjectAltName=email:move
301
302# Copy subject details
303# issuerAltName=issuer:copy
304
305#nsCaRevocationUrl      = http://www.domain.dom/ca-crl.pem
306#nsBaseUrl
307#nsRevocationUrl
308#nsRenewalUrl
309#nsCaPolicyUrl
310#nsSslServerName
311
312# This really needs to be in place for it to be a proxy certificate.
313proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
Note: See TracBrowser for help on using the repository browser.