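#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by the OpenSSL CONF parser: '#' starts a comment anywhere on a
# line (including after a value), $name / ${name} / $ENV::name expand
# variables, and a pair of surrounding quotes is stripped from a value.
# Do not feed this file to a generic INI parser that lacks those rules.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = . # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with the same subject.
new_certs_dir = $dir # default place for new certs.

certificate = $dir/ca.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# The CA private key. Keep the private/ directory readable only by the
# account that runs 'openssl ca'; anyone who can read this file can
# issue certificates under this CA.
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Signature digest for issued certificates and CRLs. Pinned to sha256
# instead of 'default' so the result does not depend on which digest a
# given OpenSSL version picks as the per-key-type default.
default_md = sha256
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for.
# Leave these commented out: a password written here is a plaintext
# secret stored next to the configuration.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
#nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
subjectAltName = @alt_names

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

default_policy = tsa_policy1 # Policy if request did not specify it (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# Acceptable message digests (mandatory). md5 and sha1 are no longer
# collision resistant, so time-stamp requests hashed with them are refused;
# only SHA-2 digests are accepted.
digests = sha256, sha384, sha512
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps? (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply? (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included? (optional, default: no)

# Subject alternative names used by v3_req and v3_ca (test values).
[ alt_names ]
DNS.1 = *.test.google.fr
DNS.2 = waterzooi.test.google.be
DNS.3 = *.test.youtube.com
IP.1 = 192.168.1.3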