1############################################################### 2# 3# Licensed to the Apache Software Foundation (ASF) under one 4# or more contributor license agreements. See the NOTICE file 5# distributed with this work for additional information 6# regarding copyright ownership. The ASF licenses this file 7# to you under the Apache License, Version 2.0 (the 8# "License"); you may not use this file except in compliance 9# with the License. You may obtain a copy of the License at 10# 11# http://www.apache.org/licenses/LICENSE-2.0 12# 13# Unless required by applicable law or agreed to in writing, 14# software distributed under the License is distributed on an 15# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16# KIND, either express or implied. See the License for the 17# specific language governing permissions and limitations 18# under the License. 19# 20############################################################### 21 22# 23# OpenSSL example configuration file. 24# This is mostly being used for generation of certificate requests. 25# 26 27# This definition stops the following lines choking if HOME isn't 28# defined. 29HOME = . 30RANDFILE = $ENV::HOME/.rnd 31 32# Extra OBJECT IDENTIFIER info: 33#oid_file = $ENV::HOME/.oid 34oid_section = new_oids 35 36# To use this configuration file with the "-extfile" option of the 37# "openssl x509" utility, name here the section containing the 38# X.509v3 extensions to use: 39# extensions = 40# (Alternatively, use a configuration file that has only 41# X.509v3 extensions in its main [= default] section.) 42 43[ new_oids ] 44 45# We can add new OIDs in here for use by 'ca' and 'req'. 46# Add a simple OID like this: 47# testoid1=1.2.3.4 48# Or use config file substitution like this: 49# testoid2=${testoid1}.5.6 50 51#################################################################### 52[ ca ] 53default_ca = CA_default # The default ca section 54 55#################################################################### 56[ CA_default ] 57 58dir = ./demoCA # Where everything is kept 59certs = $dir/certs # Where the issued certs are kept 60crl_dir = $dir/crl # Where the issued crl are kept 61database = $dir/index.txt # database index file. 62#unique_subject = no # Set to 'no' to allow creation of 63 # several ctificates with same subject. 64new_certs_dir = $dir/newcerts # default place for new certs. 65 66certificate = $dir/cacert.pem # The CA certificate 67serial = $dir/serial # The current serial number 68crlnumber = $dir/crlnumber # the current crl number 69 # must be commented out to leave a V1 CRL 70crl = $dir/crl.pem # The current CRL 71private_key = $dir/private/cakey.pem # The private key 72RANDFILE = $dir/private/.rand # private random number file 73 74x509_extensions = usr_cert # The extentions to add to the cert 75 76# Comment out the following two lines for the "traditional" 77# (and highly broken) format. 78name_opt = ca_default # Subject Name options 79cert_opt = ca_default # Certificate field options 80 81# Extension copying option: use with caution. 82# copy_extensions = copy 83 84# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 85# so this is commented out by default to leave a V1 CRL. 86# crlnumber must also be commented out to leave a V1 CRL. 87# crl_extensions = crl_ext 88 89default_days = 365 # how long to certify for 90default_crl_days= 30 # how long before next CRL 91default_md = sha1 # which md to use. 92preserve = no # keep passed DN ordering 93 94# A few difference way of specifying how similar the request should look 95# For type CA, the listed attributes must be the same, and the optional 96# and supplied fields are just that :-) 97policy = policy_match 98 99# For the CA policy 100[ policy_match ] 101countryName = match 102stateOrProvinceName = match 103organizationName = match 104organizationalUnitName = optional 105commonName = supplied 106emailAddress = optional 107 108# For the 'anything' policy 109# At this point in time, you must list all acceptable 'object' 110# types. 111[ policy_anything ] 112countryName = optional 113stateOrProvinceName = optional 114localityName = optional 115organizationName = optional 116organizationalUnitName = optional 117commonName = supplied 118emailAddress = optional 119 120#################################################################### 121[ req ] 122default_bits = 1024 123default_keyfile = privkey.pem 124distinguished_name = req_distinguished_name 125attributes = req_attributes 126x509_extensions = v3_ca # The extentions to add to the self signed cert 127 128# Passwords for private keys if not present they will be prompted for 129# input_password = secret 130# output_password = secret 131 132# This sets a mask for permitted string types. There are several options. 133# default: PrintableString, T61String, BMPString. 134# pkix : PrintableString, BMPString. 135# utf8only: only UTF8Strings. 136# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 137# MASK:XXXX a literal mask value. 138# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 139# so use this option with caution! 140string_mask = nombstr 141 142# req_extensions = v3_req # The extensions to add to a certificate request 143 144[ req_distinguished_name ] 145countryName = Country Name (2 letter code) 146countryName_default = DE 147countryName_min = 2 148countryName_max = 2 149 150stateOrProvinceName = State or Province Name (full name) 151stateOrProvinceName_default = Hamburg 152 153localityName = Locality Name (eg, city) 154 1550.organizationName = Organization Name (eg, company) 1560.organizationName_default = OpenOffice.org 157 158# we can do this but it is not needed normally :-) 159#1.organizationName = Second Organization Name (eg, company) 160#1.organizationName_default = World Wide Web Pty Ltd 161 162organizationalUnitName = Organizational Unit Name (eg, section) 163organizationalUnitName_default = Development 164 165commonName = Common Name (eg, YOUR name) 166commonName_max = 64 167 168emailAddress = Email Address 169emailAddress_max = 64 170 171# SET-ex3 = SET extension number 3 172 173[ req_attributes ] 174challengePassword = A challenge password 175challengePassword_min = 4 176challengePassword_max = 20 177 178unstructuredName = An optional company name 179 180[ usr_cert ] 181 182# These extensions are added when 'ca' signs a request. 183#authorityInfoAccess = OCSP;URI:http://localhost:8889 184authorityInfoAccess = caIssuers;URI:http://localhost:8910/demoCA/Sub_CA_1_Root_10.crt 185crlDistributionPoints=URI:http://localhost:8902/demoCA/crl/Sub_CA_1_Root_10.crl 186# This is typical in keyUsage for a client certificate. 187keyUsage = nonRepudiation, digitalSignature, keyEncipherment 188 189# This will be displayed in Netscape's comment listbox. 190#nsComment = "OpenSSL Generated Certificate" 191 192# PKIX recommendations harmless if included in all certificates. 193subjectKeyIdentifier=hash 194authorityKeyIdentifier=keyid,issuer 195 196# This stuff is for subjectAltName and issuerAltname. 197# Import the email address. 198# subjectAltName=email:copy 199# An alternative to produce certificates that aren't 200# deprecated according to PKIX. 201# subjectAltName=email:move 202 203# Copy subject details 204# issuerAltName=issuer:copy 205 206 207 208[ v3_req ] 209 210# Extensions to add to a certificate request 211 212basicConstraints = CA:FALSE 213keyUsage = nonRepudiation, digitalSignature, keyEncipherment 214#authorityInfoAccess = OCSP;URI:http://localhost:8888/ 215 216[ v3_ca ] 217 218 219# Extensions for a typical CA 220 221 222# PKIX recommendation. 223 224subjectKeyIdentifier=hash 225 226authorityKeyIdentifier=keyid:always,issuer:always 227 228#authorityInfoAccess = OCSP;URI:http://localhost:8888 229#crlDistributionPoints=URI:http://localhost:8901/demoCA/crl/Test_CA_2009.2.crl 230# This is what PKIX recommends but some broken software chokes on critical 231# extensions. 232#basicConstraints = critical,CA:true 233# So we do this instead. 234basicConstraints = critical, CA:true 235 236# Key usage: this is typical for a CA certificate. However since it will 237# prevent it being used as an test self-signed certificate it is best 238# left out by default. 239# keyUsage = cRLSign, keyCertSign 240 241# Some might want this also 242# nsCertType = sslCA, emailCA 243 244# Include email address in subject alt name: another PKIX recommendation 245# subjectAltName=email:copy 246# Copy issuer details 247# issuerAltName=issuer:copy 248 249# DER hex encoding of an extension: beware experts only! 250# obj=DER:02:03 251# Where 'obj' is a standard or added object 252# You can even override a supported extension: 253# basicConstraints= critical, DER:30:03:01:01:FF 254 255[ crl_ext ] 256 257# CRL extensions. 258# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 259 260# issuerAltName=issuer:copy 261authorityKeyIdentifier=keyid:always,issuer:always 262 263[ proxy_cert_ext ] 264# These extensions should be added when creating a proxy certificate 265 266# This goes against PKIX guidelines but some CAs do it and some software 267# requires this to avoid interpreting an end user certificate as a CA. 268 269basicConstraints=CA:FALSE 270 271# Here are some examples of the usage of nsCertType. If it is omitted 272# the certificate can be used for anything *except* object signing. 273 274# This is OK for an SSL server. 275# nsCertType = server 276 277# For an object signing certificate this would be used. 278# nsCertType = objsign 279 280# For normal client use this is typical 281# nsCertType = client, email 282 283# and for everything including object signing: 284# nsCertType = client, email, objsign 285 286# This is typical in keyUsage for a client certificate. 287# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 288 289# This will be displayed in Netscape's comment listbox. 290nsComment = "OpenSSL Generated Certificate" 291 292# PKIX recommendations harmless if included in all certificates. 293subjectKeyIdentifier=hash 294authorityKeyIdentifier=keyid,issuer:always 295 296# This stuff is for subjectAltName and issuerAltname. 297# Import the email address. 298# subjectAltName=email:copy 299# An alternative to produce certificates that aren't 300# deprecated according to PKIX. 301# subjectAltName=email:move 302 303# Copy subject details 304# issuerAltName=issuer:copy 305 306#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 307#nsBaseUrl 308#nsRevocationUrl 309#nsRenewalUrl 310#nsCaPolicyUrl 311#nsSslServerName 312 313# This really needs to be in place for it to be a proxy certificate. 314proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 315