# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
# Keys that appear before the first [section] live in the default section;
# $ENV::HOME is expanded from the process environment by the config parser.

# Seed file for the PRNG. Newer OpenSSL releases no longer need it —
# NOTE(review): confirm whether it is still read by the version in use.
RANDFILE = $ENV::HOME/.rnd
# Optional file holding extra OID definitions (only used if it exists).
oid_file = $ENV::HOME/.oid

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this (constructed example):
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
# 'openssl ca' takes its settings from the section named here.
default_ca = CA_default # The default ca section
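####################################################################
# Settings for the CA_default section named by default_ca above.
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
# The CA signing key. Keep $dir/private readable only by the CA operator:
# anyone who can read this file can issue certificates as this CA.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert
crl_extensions = crl_ext # Extensions to add to CRL
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Signature digest. The historical example value, md5, is collision-broken
# and widely rejected by current clients; sha256 is the current baseline.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering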
# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
# 'match'    - the request's value must equal the value in the CA certificate
# 'optional' - the attribute may be absent or carry any value
# 'supplied' - the attribute must be present
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# Every attribute is optional here, so the CA signs whatever subject the
# request carries; only use this policy with a trusted request source.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
####################################################################
# Settings for 'openssl req' (certificate requests and self-signed certs).
# Default file the generated private key is written to.
default_keyfile = privkey.pem
# Section holding the subject DN prompts and defaults.
distinguished_name = req_distinguished_name
# Section holding the request attribute prompts.
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
[ req_distinguished_name ]
# Each attribute below is the prompt string shown by 'req'; the matching
# <name>_default is used when the prompt is left empty, and <name>_min /
# <name>_max bound the length of the entered value.
countryName = Country Name (2 letter code)
countryName_default = AU

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

# The "0." prefix lets the same attribute type appear more than once in
# the DN (see the commented-out 1.organizationName below).
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)

emailAddress = Email Address
emailAddress_max = 40
# SET-ex3 = SET extension number 3
# These are PKCS#10 request attributes: 'req' prompts for them and stores
# them in the CSR; they are not part of the subject DN.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name
# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# nsCertType is a legacy Netscape extension; current clients rely on
# keyUsage / extendedKeyUsage instead and ignore it.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
#nsCertType = objsign

# For normal client use this is typical
#nsCertType = client, email

# This is typical also.
# Not marked critical here; the file's stated reason is that some software
# chokes on critical extensions.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Free-text comment extension (legacy Netscape, informational only).
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations
subjectKeyIdentifier=hash
# keyid of the issuing key, plus the issuer name and serial number.
authorityKeyIdentifier=keyid,issuer:always

# Import the email address from the subject DN into subjectAltName.
subjectAltName=email:copy

# Copy the issuer's subject details into issuerAltName.
issuerAltName=issuer:copy

# Netscape CA revocation URL; not used by standard CRL processing
# (crlDistributionPoints is the PKIX extension for this purpose).
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
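# Extensions for a typical CA

# It's a CA certificate. RFC 5280 requires basicConstraints to be marked
# critical in a CA certificate; the non-critical form (CA:true alone) was
# the historical example value, kept only for software that chokes on
# critical extensions.
basicConstraints = critical,CA:true

# PKIX recommendation.
subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# Key usage: marked critical as PKIX recommends. A relying party that does
# not understand a critical extension must reject the certificate, which is
# the intended fail-closed behaviour for a CA key.
keyUsage = critical, cRLSign, keyCertSign

# Some might want this also (legacy Netscape extension, ignored by
# current clients).
#nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
subjectAltName=email:copy
# Copy issuer details
issuerAltName=issuer:copy

# RAW DER hex encoding of an extension: beware experts only!
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF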
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# This is the crl_ext section selected by crl_extensions in the CA settings.
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always