2 # OpenSSL example configuration file.
3 # This is mostly being used for generation of certificate requests.
# Read by the OpenSSL CONF parser: '#' starts a comment anywhere on a line,
# $name / ${name} substitute keys defined earlier, and $ENV::NAME reads an
# environment variable. The 'sys$disk:[.dir]' paths below look like OpenVMS
# directory syntax - adjust them for other platforms.
6 RANDFILE = $ENV::HOME.rnd
7 oid_file = $ENV::HOME.oid
12 # We can add new OIDs in here for use by 'ca' and 'req'.
13 # Add a simple OID like this:
15 # Or use config file substitution like this:
16 # testoid2=${testoid1}.5.6
18 ####################################################################
20 default_ca = CA_default # The default ca section
22 ####################################################################
25 dir = sys\$disk:[.demoCA # Where everything is kept
26 certs = $dir.certs] # Where the issued certs are kept
27 crl_dir = $dir.crl] # Where the issued crl are kept
28 database = $dir]index.txt # database index file.
29 new_certs_dir = $dir.newcerts] # default place for new certs.
31 certificate = $dir]cacert.pem # The CA certificate
32 serial = $dir]serial. # The current serial number
33 crl = $dir]crl.pem # The current CRL
34 private_key = $dir.private]cakey.pem# The CA private key: keep this directory readable by the CA operator only
35 RANDFILE = $dir.private].rand # private random number file
37 x509_extensions = usr_cert # The extensions to add to the cert
38 default_days = 365 # how long to certify for
39 default_crl_days= 30 # how long before next CRL
# SECURITY: MD5 signatures are collision-broken and are rejected by modern
# clients and by OpenSSL's default security level. Use sha256 or stronger
# for anything other than this demo CA.
40 default_md = md5 # which message digest signs what 'ca' issues
41 preserve = no # keep passed DN ordering
43 # A few different ways of specifying how similar the request should look
44 # For type CA, the listed attributes must be the same, and the optional
45 # and supplied fields are just that :-)
# (The section header and any earlier keys of this policy are not shown.)
51 stateOrProvinceName = match
52 organizationName = match
53 organizationalUnitName = optional
55 emailAddress = optional
57 # For the 'anything' policy
58 # At this point in time, you must list all acceptable 'object'
61 countryName = optional
62 stateOrProvinceName = optional
63 localityName = optional
64 organizationName = optional
65 organizationalUnitName = optional
67 emailAddress = optional
69 ####################################################################
# Where 'req -newkey' writes the generated private key (relative to the
# current directory unless an absolute path is given).
72 default_keyfile = privkey.pem
73 distinguished_name = req_distinguished_name
74 attributes = req_attributes
75 x509_extensions = v3_ca # The extensions to add to the self signed cert
77 [ req_distinguished_name ]
# Each key is the prompt text; '<key>_default', '<key>_min' and '<key>_max'
# set the default value and length limits for that field.
78 countryName = Country Name (2 letter code)
79 countryName_default = AU
83 stateOrProvinceName = State or Province Name (full name)
84 stateOrProvinceName_default = Some-State
86 localityName = Locality Name (eg, city)
88 0.organizationName = Organization Name (eg, company)
89 0.organizationName_default = Internet Widgits Pty Ltd
91 # we can do this but it is not needed normally :-)
92 #1.organizationName = Second Organization Name (eg, company)
93 #1.organizationName_default = World Wide Web Pty Ltd
95 organizationalUnitName = Organizational Unit Name (eg, section)
96 #organizationalUnitName_default =
# NOTE: modern clients validate server hostnames against subjectAltName,
# not the CN; a server certificate needs DNS: entries in the SAN as well.
98 commonName = Common Name (eg, YOUR name)
101 emailAddress = Email Address
102 emailAddress_max = 40
104 # SET-ex3 = SET extension number 3
# Request attributes. The challenge password travels in the CSR as a
# plaintext PKCS#9 attribute, so do not reuse a real credential here.
107 challengePassword = A challenge password
108 challengePassword_min = 4
109 challengePassword_max = 20
111 unstructuredName = An optional company name
115 # These extensions are added when 'ca' signs a request.
117 # This goes against PKIX guidelines but some CAs do it and some software
118 # requires this to avoid interpreting an end user certificate as a CA.
120 basicConstraints=CA:FALSE
122 # Here are some examples of the usage of nsCertType. If it is omitted
123 # the certificate can be used for anything *except* object signing.
125 # This is OK for an SSL server.
128 # For an object signing certificate this would be used.
129 #nsCertType = objsign
131 # For normal client use this is typical
132 #nsCertType = client, email
134 # This is typical also
# Not marked critical here; see the note on keyUsage in the CA extensions.
136 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Netscape-era extension: harmless, but ignored by modern clients.
138 nsComment = "OpenSSL Generated Certificate"
140 # PKIX recommendations
141 subjectKeyIdentifier=hash
142 authorityKeyIdentifier=keyid,issuer:always
144 # Import the email address.
# Only the emailAddress DN field is copied into the SAN; no DNS names are
# added, so a server certificate issued with this profile will fail
# hostname validation in modern clients unless DNS: entries are added.
146 subjectAltName=email:copy
148 # Copy subject details
150 issuerAltName=issuer:copy
152 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
161 # Extensions for a typical CA
163 # It's a CA certificate
164 basicConstraints = CA:true
166 # PKIX recommendation.
168 subjectKeyIdentifier=hash
170 authorityKeyIdentifier=keyid:always,issuer:always
172 # This is what PKIX recommends but some broken software chokes on critical
174 #basicConstraints = critical,CA:true
176 # Key usage: again this should really be critical.
177 keyUsage = cRLSign, keyCertSign
179 # Some might want this also
180 #nsCertType = sslCA, emailCA
182 # Include email address in subject alt name: another PKIX recommendation
183 subjectAltName=email:copy
184 # Copy issuer details
185 issuerAltName=issuer:copy
187 # RAW DER hex encoding of an extension: beware experts only!
# A RAW value is emitted verbatim with no validation, so a malformed blob
# produces an unparsable certificate rather than a config error.
189 # You can even override a supported extension:
190 # basicConstraints= critical, RAW:30:03:01:01:FF