• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#
2# OpenSSL example configuration file.
3# See doc/man5/config.pod for more info.
4#
5# This is mostly being used for generation of certificate requests,
6# but may be used for auto loading of providers
7
8# Note that you can include other files from the main configuration
9# file using the .include directive.
10#.include filename
11
12# This definition stops the following lines choking if HOME isn't
13# defined.
14HOME			= .
15
16 # Use this in order to automatically load providers.
17openssl_conf = openssl_init
18
19# Comment out the next line to ignore configuration errors
20config_diagnostics = 1
21
22# Extra OBJECT IDENTIFIER info:
23# oid_file       = $ENV::HOME/.oid
24oid_section = new_oids
25
26# To use this configuration file with the "-extfile" option of the
27# "openssl x509" utility, name here the section containing the
28# X.509v3 extensions to use:
29# extensions		=
30# (Alternatively, use a configuration file that has only
31# X.509v3 extensions in its main [= default] section.)
32
33[ new_oids ]
34# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
35# Add a simple OID like this:
36# testoid1=1.2.3.4
37# Or use config file substitution like this:
38# testoid2=${testoid1}.5.6
39
40# Policies used by the TSA examples.
41tsa_policy1 = 1.2.3.4.1
42tsa_policy2 = 1.2.3.4.5.6
43tsa_policy3 = 1.2.3.4.5.7
44
45# For FIPS
46# Optionally include a file that is generated by the OpenSSL fipsinstall
47# application. This file contains configuration data required by the OpenSSL
48# fips provider. It contains a named section e.g. [fips_sect] which is
49# referenced from the [provider_sect] below.
50# Refer to the OpenSSL security policy for more information.
51# .include fipsmodule.cnf
52
53[openssl_init]
54providers = provider_sect
55
56# List of providers to load
57[provider_sect]
58default = default_sect
59# The fips section name should match the section name inside the
60# included fipsmodule.cnf.
61# fips = fips_sect
62
63# If no providers are activated explicitly, the default one is activated implicitly.
64# See man 7 OSSL_PROVIDER-default for more details.
65#
66# If you add a section explicitly activating any other provider(s), you most
67# probably need to explicitly activate the default provider, otherwise it
68# becomes unavailable in openssl.  As a consequence applications depending on
69# OpenSSL may not work correctly which could lead to significant system
70# problems including inability to remotely access the system.
71[default_sect]
72# activate = 1
73
74
75####################################################################
76[ ca ]
77default_ca	= CA_default		# The default ca section
78
79####################################################################
80[ CA_default ]
81
82dir		= ./demoCA		# Where everything is kept
83certs		= $dir/certs		# Where the issued certs are kept
84crl_dir		= $dir/crl		# Where the issued crl are kept
85database	= $dir/index.txt	# database index file.
86#unique_subject	= no			# Set to 'no' to allow creation of
87					# several certs with same subject.
88new_certs_dir	= $dir/newcerts		# default place for new certs.
89
90certificate	= $dir/cacert.pem 	# The CA certificate
91serial		= $dir/serial 		# The current serial number
92crlnumber	= $dir/crlnumber	# the current crl number
93					# must be commented out to leave a V1 CRL
94crl		= $dir/crl.pem 		# The current CRL
95private_key	= $dir/private/cakey.pem# The private key
96
97x509_extensions	= usr_cert		# The extensions to add to the cert
98
99# Comment out the following two lines for the "traditional"
100# (and highly broken) format.
101name_opt 	= ca_default		# Subject Name options
102cert_opt 	= ca_default		# Certificate field options
103
104# Extension copying option: use with caution.
105# copy_extensions = copy
106
107# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
108# so this is commented out by default to leave a V1 CRL.
109# crlnumber must also be commented out to leave a V1 CRL.
110# crl_extensions	= crl_ext
111
112default_days	= 365			# how long to certify for
113default_crl_days= 30			# how long before next CRL
114default_md	= default		# use public key default MD
115preserve	= no			# keep passed DN ordering
116
117# A few difference way of specifying how similar the request should look
118# For type CA, the listed attributes must be the same, and the optional
119# and supplied fields are just that :-)
120policy		= policy_match
121
122# For the CA policy
123[ policy_match ]
124countryName		= match
125stateOrProvinceName	= match
126organizationName	= match
127organizationalUnitName	= optional
128commonName		= supplied
129emailAddress		= optional
130
131# For the 'anything' policy
132# At this point in time, you must list all acceptable 'object'
133# types.
134[ policy_anything ]
135countryName		= optional
136stateOrProvinceName	= optional
137localityName		= optional
138organizationName	= optional
139organizationalUnitName	= optional
140commonName		= supplied
141emailAddress		= optional
142
143####################################################################
144[ req ]
145default_bits		= 2048
146default_keyfile 	= privkey.pem
147distinguished_name	= req_distinguished_name
148attributes		= req_attributes
149x509_extensions	= v3_ca	# The extensions to add to the self signed cert
150
151# Passwords for private keys if not present they will be prompted for
152# input_password = secret
153# output_password = secret
154
155# This sets a mask for permitted string types. There are several options.
156# default: PrintableString, T61String, BMPString.
157# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
158# utf8only: only UTF8Strings (PKIX recommendation after 2004).
159# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
160# MASK:XXXX a literal mask value.
161# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
162string_mask = utf8only
163
164# req_extensions = v3_req # The extensions to add to a certificate request
165
166[ req_distinguished_name ]
167countryName			= Country Name (2 letter code)
168countryName_default		= AU
169countryName_min			= 2
170countryName_max			= 2
171
172stateOrProvinceName		= State or Province Name (full name)
173stateOrProvinceName_default	= Some-State
174
175localityName			= Locality Name (eg, city)
176
1770.organizationName		= Organization Name (eg, company)
1780.organizationName_default	= Internet Widgits Pty Ltd
179
180# we can do this but it is not needed normally :-)
181#1.organizationName		= Second Organization Name (eg, company)
182#1.organizationName_default	= World Wide Web Pty Ltd
183
184organizationalUnitName		= Organizational Unit Name (eg, section)
185#organizationalUnitName_default	=
186
187commonName			= Common Name (e.g. server FQDN or YOUR name)
188commonName_max			= 64
189
190emailAddress			= Email Address
191emailAddress_max		= 64
192
193# SET-ex3			= SET extension number 3
194
195[ req_attributes ]
196challengePassword		= A challenge password
197challengePassword_min		= 4
198challengePassword_max		= 20
199
200unstructuredName		= An optional company name
201
202[ usr_cert ]
203
204# These extensions are added when 'ca' signs a request.
205
206# This goes against PKIX guidelines but some CAs do it and some software
207# requires this to avoid interpreting an end user certificate as a CA.
208
209basicConstraints=CA:FALSE
210
211# This is typical in keyUsage for a client certificate.
212# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
213
214# PKIX recommendations harmless if included in all certificates.
215subjectKeyIdentifier=hash
216authorityKeyIdentifier=keyid,issuer
217
218# This stuff is for subjectAltName and issuerAltname.
219# Import the email address.
220# subjectAltName=email:copy
221# An alternative to produce certificates that aren't
222# deprecated according to PKIX.
223# subjectAltName=email:move
224
225# Copy subject details
226# issuerAltName=issuer:copy
227
228# This is required for TSA certificates.
229# extendedKeyUsage = critical,timeStamping
230
231[ v3_req ]
232
233# Extensions to add to a certificate request
234
235basicConstraints = CA:FALSE
236keyUsage = nonRepudiation, digitalSignature, keyEncipherment
237
238[ v3_ca ]
239
240
241# Extensions for a typical CA
242
243
244# PKIX recommendation.
245
246subjectKeyIdentifier=hash
247
248authorityKeyIdentifier=keyid:always,issuer
249
250basicConstraints = critical,CA:true
251
252# Key usage: this is typical for a CA certificate. However since it will
253# prevent it being used as an test self-signed certificate it is best
254# left out by default.
255# keyUsage = cRLSign, keyCertSign
256
257# Include email address in subject alt name: another PKIX recommendation
258# subjectAltName=email:copy
259# Copy issuer details
260# issuerAltName=issuer:copy
261
262# DER hex encoding of an extension: beware experts only!
263# obj=DER:02:03
264# Where 'obj' is a standard or added object
265# You can even override a supported extension:
266# basicConstraints= critical, DER:30:03:01:01:FF
267
268[ crl_ext ]
269
270# CRL extensions.
271# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
272
273# issuerAltName=issuer:copy
274authorityKeyIdentifier=keyid:always
275
276[ proxy_cert_ext ]
277# These extensions should be added when creating a proxy certificate
278
279# This goes against PKIX guidelines but some CAs do it and some software
280# requires this to avoid interpreting an end user certificate as a CA.
281
282basicConstraints=CA:FALSE
283
284# This is typical in keyUsage for a client certificate.
285# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
286
287# PKIX recommendations harmless if included in all certificates.
288subjectKeyIdentifier=hash
289authorityKeyIdentifier=keyid,issuer
290
291# This stuff is for subjectAltName and issuerAltname.
292# Import the email address.
293# subjectAltName=email:copy
294# An alternative to produce certificates that aren't
295# deprecated according to PKIX.
296# subjectAltName=email:move
297
298# Copy subject details
299# issuerAltName=issuer:copy
300
301# This really needs to be in place for it to be a proxy certificate.
302proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
303
304####################################################################
305[ tsa ]
306
307default_tsa = tsa_config1	# the default TSA section
308
309[ tsa_config1 ]
310
311# These are used by the TSA reply generation only.
312dir		= ./demoCA		# TSA root directory
313serial		= $dir/tsaserial	# The current serial number (mandatory)
314crypto_device	= builtin		# OpenSSL engine to use for signing
315signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
316					# (optional)
317certs		= $dir/cacert.pem	# Certificate chain to include in reply
318					# (optional)
319signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
320signer_digest  = sha256			# Signing digest to use. (Optional)
321default_policy	= tsa_policy1		# Policy if request did not specify it
322					# (optional)
323other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
324digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
325accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
326clock_precision_digits  = 0	# number of digits after dot. (optional)
327ordering		= yes	# Is ordering defined for timestamps?
328				# (optional, default: no)
329tsa_name		= yes	# Must the TSA name be included in the reply?
330				# (optional, default: no)
331ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
332				# (optional, default: no)
333ess_cert_id_alg		= sha1	# algorithm to compute certificate
334				# identifier (optional, default: sha1)
335
336[insta] # CMP using Insta Demo CA
337# Message transfer
338server = pki.certificate.fi:8700
339# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
340# tls_use = 0
341path = pkix/
342
343# Server authentication
344recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
345ignore_keyusage = 1 # potentially needed quirk
346unprotected_errors = 1 # potentially needed quirk
347extracertsout = insta.extracerts.pem
348
349# Client authentication
350ref = 3078 # user identification
351secret = pass:insta # can be used for both client and server side
352
353# Generic message options
354cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
355
356# Certificate enrollment
357subject = "/CN=openssl-cmp-test"
358newkey = insta.priv.pem
359out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
360certout = insta.cert.pem
361
362[pbm] # Password-based protection for Insta CA
363# Server and client authentication
364ref = $insta::ref # 3078
365secret = $insta::secret # pass:insta
366
367[signature] # Signature-based protection for Insta CA
368# Server authentication
369trusted = $insta::out_trusted # apps/insta.ca.crt
370
371# Client authentication
372secret = # disable PBM
373key = $insta::newkey # insta.priv.pem
374cert = $insta::certout # insta.cert.pem
375
376[ir]
377cmd = ir
378
379[cr]
380cmd = cr
381
382[kur]
383# Certificate update
384cmd = kur
385oldcert = $insta::certout # insta.cert.pem
386
387[rr]
388# Certificate revocation
389cmd = rr
390oldcert = $insta::certout # insta.cert.pem
391