samples/certs/rootB.cnf

changeset 0
f7d2d78eb424
equal deleted inserted replaced
-1:000000000000 0:f7d2d78eb424
1 #
2 # OpenSSL example configuration file.
3 # This is mostly being used for generation of certificate requests.
4 #
5
6 # This definition stops the following lines choking if HOME isn't
7 # defined.
8 HOME = .
9 RANDFILE = $ENV::HOME/.rnd
10
11 # Extra OBJECT IDENTIFIER info:
12 #oid_file = $ENV::HOME/.oid
13 oid_section = new_oids
14
15 # To use this configuration file with the "-extfile" option of the
16 # "openssl x509" utility, name here the section containing the
17 # X.509v3 extensions to use:
18 # extensions =
19 # (Alternatively, use a configuration file that has only
20 # X.509v3 extensions in its main [= default] section.)
21
22 [ new_oids ]
23
24 # We can add new OIDs in here for use by 'ca' and 'req'.
25 # Add a simple OID like this:
26 # testoid1=1.2.3.4
27 # Or use config file substitution like this:
28 # testoid2=${testoid1}.5.6
29
30 ####################################################################
31 [ ca ]
32 default_ca = CA_default # The default ca section
33
34 ####################################################################
35 [ CA_default ]
36
37 dir = ./demoCA # Where everything is kept
38 certs = $dir/certs # Where the issued certs are kept
39 crl_dir = $dir/crl # Where the issued crl are kept
40 database = $dir/index.txt # database index file.
41 #unique_subject = no # Set to 'no' to allow creation of
42 # several ctificates with same subject.
43 new_certs_dir = $dir/newcerts # default place for new certs.
44
45 certificate = $dir/cacert.pem # The CA certificate
46 serial = $dir/serial # The current serial number
47 crlnumber = $dir/crlnumber # the current crl number
48 # must be commented out to leave a V1 CRL
49 crl = $dir/crl.pem # The current CRL
50 private_key = $dir/private/cakey.pem # The private key
51 RANDFILE = $dir/private/.rand # private random number file
52
53 x509_extensions = usr_cert # The extentions to add to the cert
54
55 # Comment out the following two lines for the "traditional"
56 # (and highly broken) format.
57 name_opt = ca_default # Subject Name options
58 cert_opt = ca_default # Certificate field options
59
60 # Extension copying option: use with caution.
61 # copy_extensions = copy
62
63 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
64 # so this is commented out by default to leave a V1 CRL.
65 # crlnumber must also be commented out to leave a V1 CRL.
66 # crl_extensions = crl_ext
67
68 default_days = 365 # how long to certify for
69 default_crl_days= 30 # how long before next CRL
70 default_md = sha1 # which md to use.
71 preserve = no # keep passed DN ordering
72
73 # A few difference way of specifying how similar the request should look
74 # For type CA, the listed attributes must be the same, and the optional
75 # and supplied fields are just that :-)
76 policy = policy_match
77
78 # For the CA policy
79 [ policy_match ]
80 countryName = match
81 stateOrProvinceName = match
82 organizationName = match
83 organizationalUnitName = optional
84 commonName = supplied
85 emailAddress = optional
86
87 # For the 'anything' policy
88 # At this point in time, you must list all acceptable 'object'
89 # types.
90 [ policy_anything ]
91 countryName = optional
92 stateOrProvinceName = optional
93 localityName = optional
94 organizationName = optional
95 organizationalUnitName = optional
96 commonName = supplied
97 emailAddress = optional
98
99 ####################################################################
100 [ req ]
101 default_bits = 1024
102 default_keyfile = privkey.pem
103 distinguished_name = req_distinguished_name
104 attributes = req_attributes
105 x509_extensions = v3_ca # The extentions to add to the self signed cert
106
107 # Passwords for private keys if not present they will be prompted for
108 # input_password = secret
109 # output_password = secret
110
111 # This sets a mask for permitted string types. There are several options.
112 # default: PrintableString, T61String, BMPString.
113 # pkix : PrintableString, BMPString.
114 # utf8only: only UTF8Strings.
115 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
116 # MASK:XXXX a literal mask value.
117 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
118 # so use this option with caution!
119 string_mask = nombstr
120
121 # req_extensions = v3_req # The extensions to add to a certificate request
122
123 [ req_distinguished_name ]
124 countryName = Country Name (2 letter code)
125 countryName_default = BR
126 countryName_min = 2
127 countryName_max = 2
128
129 stateOrProvinceName = State or Province Name (full name)
130 stateOrProvinceName_default = Espirito Santo
131
132 localityName = Locality Name (eg, city)
133 localityName_default = Santo Antonio do Canaa
134
135 0.organizationName = Organization Name (eg, company)
136 0.organizationName_default = Sao Tonico Ltda
137
138 # we can do this but it is not needed normally :-)
139 #1.organizationName = Second Organization Name (eg, company)
140 #1.organizationName_default = World Wide Web Pty Ltd
141
142 organizationalUnitName = Organizational Unit Name (eg, section)
143 organizationalUnitName_default = Department of Computer Science
144
145 commonName = Common Name (eg, YOUR name)
146 commonName_default = Root B
147 commonName_max = 64
148
149 emailAddress = Email Address
150 emailAddress_max = 64
151
152 # SET-ex3 = SET extension number 3
153
154 [ req_attributes ]
155 challengePassword = A challenge password
156 challengePassword_min = 4
157 challengePassword_max = 20
158
159 unstructuredName = An optional company name
160
161 [ usr_cert ]
162
163 # These extensions are added when 'ca' signs a request.
164
165 # This goes against PKIX guidelines but some CAs do it and some software
166 # requires this to avoid interpreting an end user certificate as a CA.
167
168 basicConstraints=CA:FALSE
169
170 # Here are some examples of the usage of nsCertType. If it is omitted
171 # the certificate can be used for anything *except* object signing.
172
173 # This is OK for an SSL server.
174 # nsCertType = server
175
176 # For an object signing certificate this would be used.
177 # nsCertType = objsign
178
179 # For normal client use this is typical
180 # nsCertType = client, email
181
182 # and for everything including object signing:
183 # nsCertType = client, email, objsign
184
185 # This is typical in keyUsage for a client certificate.
186 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
187
188 # This will be displayed in Netscape's comment listbox.
189 nsComment = "OpenSSL Generated Certificate"
190
191 # PKIX recommendations harmless if included in all certificates.
192 subjectKeyIdentifier=hash
193 authorityKeyIdentifier=keyid,issuer
194
195 # This stuff is for subjectAltName and issuerAltname.
196 # Import the email address.
197 # subjectAltName=email:copy
198 # An alternative to produce certificates that aren't
199 # deprecated according to PKIX.
200 # subjectAltName=email:move
201
202 # Copy subject details
203 # issuerAltName=issuer:copy
204
205 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
206 #nsBaseUrl
207 #nsRevocationUrl
208 #nsRenewalUrl
209 #nsCaPolicyUrl
210 #nsSslServerName
211
212 [ v3_req ]
213
214 # Extensions to add to a certificate request
215
216 basicConstraints = CA:FALSE
217 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
218
219 [ v3_ca ]
220
221
222 # Extensions for a typical CA
223
224
225 # PKIX recommendation.
226
227 subjectKeyIdentifier=hash
228
229 authorityKeyIdentifier=keyid:always,issuer:always
230
231 # This is what PKIX recommends but some broken software chokes on critical
232 # extensions.
233 #basicConstraints = critical,CA:true
234 # So we do this instead.
235 basicConstraints = CA:true
236
237 # Key usage: this is typical for a CA certificate. However since it will
238 # prevent it being used as an test self-signed certificate it is best
239 # left out by default.
240 # keyUsage = cRLSign, keyCertSign
241
242 # Some might want this also
243 # nsCertType = sslCA, emailCA
244
245 # Include email address in subject alt name: another PKIX recommendation
246 # subjectAltName=email:copy
247 # Copy issuer details
248 # issuerAltName=issuer:copy
249
250 # DER hex encoding of an extension: beware experts only!
251 # obj=DER:02:03
252 # Where 'obj' is a standard or added object
253 # You can even override a supported extension:
254 # basicConstraints= critical, DER:30:03:01:01:FF
255
256 [ crl_ext ]
257
258 # CRL extensions.
259 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
260
261 # issuerAltName=issuer:copy
262 authorityKeyIdentifier=keyid:always,issuer:always
263
264 [ proxy_cert_ext ]
265 # These extensions should be added when creating a proxy certificate
266
267 # This goes against PKIX guidelines but some CAs do it and some software
268 # requires this to avoid interpreting an end user certificate as a CA.
269
270 basicConstraints=CA:FALSE
271
272 # Here are some examples of the usage of nsCertType. If it is omitted
273 # the certificate can be used for anything *except* object signing.
274
275 # This is OK for an SSL server.
276 # nsCertType = server
277
278 # For an object signing certificate this would be used.
279 # nsCertType = objsign
280
281 # For normal client use this is typical
282 # nsCertType = client, email
283
284 # and for everything including object signing:
285 # nsCertType = client, email, objsign
286
287 # This is typical in keyUsage for a client certificate.
288 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
289
290 # This will be displayed in Netscape's comment listbox.
291 nsComment = "OpenSSL Generated Certificate"
292
293 # PKIX recommendations harmless if included in all certificates.
294 subjectKeyIdentifier=hash
295 authorityKeyIdentifier=keyid,issuer:always
296
297 # This stuff is for subjectAltName and issuerAltname.
298 # Import the email address.
299 # subjectAltName=email:copy
300 # An alternative to produce certificates that aren't
301 # deprecated according to PKIX.
302 # subjectAltName=email:move
303
304 # Copy subject details
305 # issuerAltName=issuer:copy
306
307 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
308 #nsBaseUrl
309 #nsRevocationUrl
310 #nsRenewalUrl
311 #nsCaPolicyUrl
312 #nsSslServerName
313
314 # This really needs to be in place for it to be a proxy certificate.
315 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

mercurial