# OpenSSL example configuration file.
# This is mostly used when generating certificate requests.
#
# Global (sectionless) settings. RANDFILE names the PRNG seed file that
# older OpenSSL releases read and rewrite; newer releases seed from the OS,
# so confirm whether it is still honoured by the release in use. oid_file
# lists additional object identifiers to load. Both paths expand HOME from
# the caller's environment.
RANDFILE = $ENV::HOME/.rnd
oid_file = $ENV::HOME/.oid
####################################################################
# Section the 'ca' command reads its settings from unless another
# section name is requested on the command line.
default_ca = CA_default
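####################################################################
# Settings for the CA section named by default_ca.

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
# The CA signing key: everything the CA issues is only as trustworthy as
# the protection of this file, so it should be readable by the CA operator
# alone.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Digest used when signing certificates and CRLs. MD5 has practical
# collision attacks and must not be used for CA signatures; SHA-256 is the
# accepted baseline and is understood by every current verifier.
default_md = sha256
preserve = no # keep passed DN ordering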
# Policies describe how closely a request's subject DN must resemble the
# CA's own. Under this policy every attribute listed as "match" must be
# identical to the CA's value, "optional" attributes may be present or
# absent, and "supplied" attributes must be present in the request.
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
emailAddress = optional
# The 'anything' policy: no attribute is checked against the CA's DN.
# Every attribute a request may carry still has to be listed here, since
# an attribute that is absent from the policy is not accepted.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
####################################################################
# Settings for the 'req' command (certificate request generation).
default_keyfile = privkey.pem
# Section holding the DN prompts and defaults
distinguished_name = req_distinguished_name
# Section holding the request attributes
attributes = req_attributes
# Extensions added when 'req' produces a self signed certificate
x509_extensions = v3_ca
[ req_distinguished_name ]
# Prompt text for each subject DN attribute; a matching *_default key gives
# the value taken when nothing is entered at the prompt.
countryName = Country Name (2 letter code)
countryName_default = AU

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

# A numeric prefix lets the same attribute appear more than once in the DN.
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# A second organization name is possible but is rarely needed.
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)

emailAddress = Email Address

SET-ex3 = SET extension number 3
# Attributes carried in the request itself rather than in the subject DN.
challengePassword = A challenge password
# Accepted length range for the challenge password, in characters
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name
# Extensions added to end user certificates when 'ca' signs a request.

# Not a CA. PKIX does not ask for this on end user certificates, but some
# CAs set it and some verifiers need it so they do not mistake an end user
# certificate for a CA.
basicConstraints=CA:FALSE

# nsCertType is a Netscape-era extension. If it is omitted the certificate
# can be used for anything *except* object signing; the commented lines
# below show the usual profiles.

# This is OK for an SSL server.

# For an object signing certificate this would be used.
#nsCertType = objsign

# For normal client use this is typical
#nsCertType = client, email

# Key usage typical for an end user certificate
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# Copy the request's email address into subjectAltName.
subjectAltName=email:copy

# Copy the issuer's details into issuerAltName.
issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
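# Extensions for a typical CA

# It's a CA certificate. RFC 5280 (section 4.2.1.9) requires conforming CAs
# to mark basicConstraints critical in CA certificates, so a verifier that
# does not understand the extension rejects the chain instead of ignoring
# the CA flag. The non-critical form was only ever a concession to old
# verifiers that choked on critical extensions.
basicConstraints = critical,CA:true

# PKIX recommendation.
subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# Key usage limited to signing certificates and CRLs. RFC 5280 (section
# 4.2.1.3) says this should be critical for the same reason as above.
keyUsage = critical, cRLSign, keyCertSign

# Some might want this also
#nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
subjectAltName=email:copy
# Copy issuer details
issuerAltName=issuer:copy

# RAW DER hex encoding of an extension: beware experts only!
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF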