source: server/fedora/config/etc/pki/tls/openssl.cnf @ 1084

Last change on this file since 1084 was 1084, checked in by mitchb, 14 years ago
Add openssl.cnf file, so we can track our standard CSR fields
File size: 9.4 KB
Line 
1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME                    = .
9RANDFILE                = $ENV::HOME/.rnd
10
11# Extra OBJECT IDENTIFIER info:
12#oid_file               = $ENV::HOME/.oid
13oid_section             = new_oids
14
15# To use this configuration file with the "-extfile" option of the
16# "openssl x509" utility, name here the section containing the
17# X.509v3 extensions to use:
18# extensions            =
19# (Alternatively, use a configuration file that has only
20# X.509v3 extensions in its main [= default] section.)
21
22[ new_oids ]
23
24# We can add new OIDs in here for use by 'ca' and 'req'.
25# Add a simple OID like this:
26# testoid1=1.2.3.4
27# Or use config file substitution like this:
28# testoid2=${testoid1}.5.6
29
30####################################################################
31[ ca ]
32default_ca      = CA_default            # The default ca section
33
34####################################################################
35[ CA_default ]
36
37dir             = ../../CA              # Where everything is kept
38certs           = $dir/certs            # Where the issued certs are kept
39crl_dir         = $dir/crl              # Where the issued crl are kept
40database        = $dir/index.txt        # database index file.
41#unique_subject = no                    # Set to 'no' to allow creation of
42                                        # several ctificates with same subject.
43new_certs_dir   = $dir/newcerts         # default place for new certs.
44
45certificate     = $dir/cacert.pem       # The CA certificate
46serial          = $dir/serial           # The current serial number
47crlnumber       = $dir/crlnumber        # the current crl number
48                                        # must be commented out to leave a V1 CRL
49crl             = $dir/crl.pem          # The current CRL
50private_key     = $dir/private/cakey.pem# The private key
51RANDFILE        = $dir/private/.rand    # private random number file
52
53x509_extensions = usr_cert              # The extentions to add to the cert
54
55# Comment out the following two lines for the "traditional"
56# (and highly broken) format.
57name_opt        = ca_default            # Subject Name options
58cert_opt        = ca_default            # Certificate field options
59
60# Extension copying option: use with caution.
61# copy_extensions = copy
62
63# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
64# so this is commented out by default to leave a V1 CRL.
65# crlnumber must also be commented out to leave a V1 CRL.
66# crl_extensions        = crl_ext
67
68default_days    = 365                   # how long to certify for
69default_crl_days= 30                    # how long before next CRL
70default_md      = sha1                  # which md to use.
71preserve        = no                    # keep passed DN ordering
72
73# A few difference way of specifying how similar the request should look
74# For type CA, the listed attributes must be the same, and the optional
75# and supplied fields are just that :-)
76policy          = policy_match
77
78# For the CA policy
79[ policy_match ]
80countryName             = match
81stateOrProvinceName     = match
82organizationName        = match
83organizationalUnitName  = optional
84commonName              = supplied
85emailAddress            = optional
86
87# For the 'anything' policy
88# At this point in time, you must list all acceptable 'object'
89# types.
90[ policy_anything ]
91countryName             = optional
92stateOrProvinceName     = optional
93localityName            = optional
94organizationName        = optional
95organizationalUnitName  = optional
96commonName              = supplied
97emailAddress            = optional
98
99####################################################################
100[ req ]
101default_bits            = 1024
102default_md              = sha1
103default_keyfile         = privkey.pem
104distinguished_name      = req_distinguished_name
105attributes              = req_attributes
106x509_extensions = v3_ca # The extentions to add to the self signed cert
107
108# Passwords for private keys if not present they will be prompted for
109# input_password = secret
110# output_password = secret
111
112# This sets a mask for permitted string types. There are several options.
113# default: PrintableString, T61String, BMPString.
114# pkix   : PrintableString, BMPString.
115# utf8only: only UTF8Strings.
116# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
117# MASK:XXXX a literal mask value.
118# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
119# so use this option with caution!
120# we use PrintableString+UTF8String mask so if pure ASCII texts are used
121# the resulting certificates are compatible with Netscape
122string_mask = MASK:0x2002
123
124# req_extensions = v3_req # The extensions to add to a certificate request
125
126[ req_distinguished_name ]
127countryName                     = Country Name (2 letter code)
128countryName_default             = GB
129countryName_min                 = 2
130countryName_max                 = 2
131
132stateOrProvinceName             = State or Province Name (full name)
133stateOrProvinceName_default     = Berkshire
134
135localityName                    = Locality Name (eg, city)
136localityName_default            = Newbury
137
1380.organizationName              = Organization Name (eg, company)
1390.organizationName_default      = My Company Ltd
140
141# we can do this but it is not needed normally :-)
142#1.organizationName             = Second Organization Name (eg, company)
143#1.organizationName_default     = World Wide Web Pty Ltd
144
145organizationalUnitName          = Organizational Unit Name (eg, section)
146#organizationalUnitName_default =
147
148commonName                      = Common Name (eg, your name or your server\'s hostname)
149commonName_max                  = 64
150
151emailAddress                    = Email Address
152emailAddress_max                = 64
153
154# SET-ex3                       = SET extension number 3
155
156[ req_attributes ]
157challengePassword               = A challenge password
158challengePassword_min           = 4
159challengePassword_max           = 20
160
161unstructuredName                = An optional company name
162
163[ usr_cert ]
164
165# These extensions are added when 'ca' signs a request.
166
167# This goes against PKIX guidelines but some CAs do it and some software
168# requires this to avoid interpreting an end user certificate as a CA.
169
170basicConstraints=CA:FALSE
171
172# Here are some examples of the usage of nsCertType. If it is omitted
173# the certificate can be used for anything *except* object signing.
174
175# This is OK for an SSL server.
176# nsCertType                    = server
177
178# For an object signing certificate this would be used.
179# nsCertType = objsign
180
181# For normal client use this is typical
182# nsCertType = client, email
183
184# and for everything including object signing:
185# nsCertType = client, email, objsign
186
187# This is typical in keyUsage for a client certificate.
188# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
189
190# This will be displayed in Netscape's comment listbox.
191nsComment                       = "OpenSSL Generated Certificate"
192
193# PKIX recommendations harmless if included in all certificates.
194subjectKeyIdentifier=hash
195authorityKeyIdentifier=keyid,issuer
196
197# This stuff is for subjectAltName and issuerAltname.
198# Import the email address.
199# subjectAltName=email:copy
200# An alternative to produce certificates that aren't
201# deprecated according to PKIX.
202# subjectAltName=email:move
203
204# Copy subject details
205# issuerAltName=issuer:copy
206
207#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
208#nsBaseUrl
209#nsRevocationUrl
210#nsRenewalUrl
211#nsCaPolicyUrl
212#nsSslServerName
213
214[ v3_req ]
215
216# Extensions to add to a certificate request
217
218basicConstraints = CA:FALSE
219keyUsage = nonRepudiation, digitalSignature, keyEncipherment
220
221[ v3_ca ]
222
223
224# Extensions for a typical CA
225
226
227# PKIX recommendation.
228
229subjectKeyIdentifier=hash
230
231authorityKeyIdentifier=keyid:always,issuer:always
232
233# This is what PKIX recommends but some broken software chokes on critical
234# extensions.
235#basicConstraints = critical,CA:true
236# So we do this instead.
237basicConstraints = CA:true
238
239# Key usage: this is typical for a CA certificate. However since it will
240# prevent it being used as an test self-signed certificate it is best
241# left out by default.
242# keyUsage = cRLSign, keyCertSign
243
244# Some might want this also
245# nsCertType = sslCA, emailCA
246
247# Include email address in subject alt name: another PKIX recommendation
248# subjectAltName=email:copy
249# Copy issuer details
250# issuerAltName=issuer:copy
251
252# DER hex encoding of an extension: beware experts only!
253# obj=DER:02:03
254# Where 'obj' is a standard or added object
255# You can even override a supported extension:
256# basicConstraints= critical, DER:30:03:01:01:FF
257
258[ crl_ext ]
259
260# CRL extensions.
261# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
262
263# issuerAltName=issuer:copy
264authorityKeyIdentifier=keyid:always,issuer:always
265
266[ proxy_cert_ext ]
267# These extensions should be added when creating a proxy certificate
268
269# This goes against PKIX guidelines but some CAs do it and some software
270# requires this to avoid interpreting an end user certificate as a CA.
271
272basicConstraints=CA:FALSE
273
274# Here are some examples of the usage of nsCertType. If it is omitted
275# the certificate can be used for anything *except* object signing.
276
277# This is OK for an SSL server.
278# nsCertType                    = server
279
280# For an object signing certificate this would be used.
281# nsCertType = objsign
282
283# For normal client use this is typical
284# nsCertType = client, email
285
286# and for everything including object signing:
287# nsCertType = client, email, objsign
288
289# This is typical in keyUsage for a client certificate.
290# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
291
292# This will be displayed in Netscape's comment listbox.
293nsComment                       = "OpenSSL Generated Certificate"
294
295# PKIX recommendations harmless if included in all certificates.
296subjectKeyIdentifier=hash
297authorityKeyIdentifier=keyid,issuer:always
298
299# This stuff is for subjectAltName and issuerAltname.
300# Import the email address.
301# subjectAltName=email:copy
302# An alternative to produce certificates that aren't
303# deprecated according to PKIX.
304# subjectAltName=email:move
305
306# Copy subject details
307# issuerAltName=issuer:copy
308
309#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
310#nsBaseUrl
311#nsRevocationUrl
312#nsRenewalUrl
313#nsCaPolicyUrl
314#nsSslServerName
315
316# This really needs to be in place for it to be a proxy certificate.
317proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
Note: See TracBrowser for help on using the repository browser.