source: trunk/server/fedora/config/etc/pki/tls/openssl.cnf @ 2719

Last change on this file since 2719 was 2692, checked in by btidor, 10 years ago
Use SHA-256 to sign CSRs (in case it makes a difference)
File size: 9.4 KB
Line 
1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME                    = .
9RANDFILE                = $ENV::HOME/.rnd
10
11# Extra OBJECT IDENTIFIER info:
12#oid_file               = $ENV::HOME/.oid
13oid_section             = new_oids
14
15# To use this configuration file with the "-extfile" option of the
16# "openssl x509" utility, name here the section containing the
17# X.509v3 extensions to use:
18# extensions            =
19# (Alternatively, use a configuration file that has only
20# X.509v3 extensions in its main [= default] section.)
21
22[ new_oids ]
23
24# We can add new OIDs in here for use by 'ca' and 'req'.
25# Add a simple OID like this:
26# testoid1=1.2.3.4
27# Or use config file substitution like this:
28# testoid2=${testoid1}.5.6
29
30####################################################################
31[ ca ]
32default_ca      = CA_default            # The default ca section
33
34####################################################################
35[ CA_default ]
36
37dir             = ../../CA              # Where everything is kept
38certs           = $dir/certs            # Where the issued certs are kept
39crl_dir         = $dir/crl              # Where the issued crl are kept
40database        = $dir/index.txt        # database index file.
41#unique_subject = no                    # Set to 'no' to allow creation of
42                                        # several ctificates with same subject.
43new_certs_dir   = $dir/newcerts         # default place for new certs.
44
45certificate     = $dir/cacert.pem       # The CA certificate
46serial          = $dir/serial           # The current serial number
47crlnumber       = $dir/crlnumber        # the current crl number
48                                        # must be commented out to leave a V1 CRL
49crl             = $dir/crl.pem          # The current CRL
50private_key     = $dir/private/cakey.pem# The private key
51RANDFILE        = $dir/private/.rand    # private random number file
52
53x509_extensions = usr_cert              # The extentions to add to the cert
54
55# Comment out the following two lines for the "traditional"
56# (and highly broken) format.
57name_opt        = ca_default            # Subject Name options
58cert_opt        = ca_default            # Certificate field options
59
60# Extension copying option: use with caution.
61# copy_extensions = copy
62
63# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
64# so this is commented out by default to leave a V1 CRL.
65# crlnumber must also be commented out to leave a V1 CRL.
66# crl_extensions        = crl_ext
67
68default_days    = 365                   # how long to certify for
69default_crl_days= 30                    # how long before next CRL
70default_md      = sha1                  # which md to use.
71preserve        = no                    # keep passed DN ordering
72
73# A few difference way of specifying how similar the request should look
74# For type CA, the listed attributes must be the same, and the optional
75# and supplied fields are just that :-)
76policy          = policy_match
77
78# For the CA policy
79[ policy_match ]
80countryName             = match
81stateOrProvinceName     = match
82organizationName        = match
83organizationalUnitName  = optional
84commonName              = supplied
85emailAddress            = optional
86
87# For the 'anything' policy
88# At this point in time, you must list all acceptable 'object'
89# types.
90[ policy_anything ]
91countryName             = optional
92stateOrProvinceName     = optional
93localityName            = optional
94organizationName        = optional
95organizationalUnitName  = optional
96commonName              = supplied
97emailAddress            = optional
98
99####################################################################
100[ req ]
101default_bits            = 1024
102default_md              = sha256
103default_keyfile         = privkey.pem
104distinguished_name      = req_distinguished_name
105attributes              = req_attributes
106x509_extensions = v3_ca # The extentions to add to the self signed cert
107
108# Passwords for private keys if not present they will be prompted for
109# input_password = secret
110# output_password = secret
111
112# This sets a mask for permitted string types. There are several options.
113# default: PrintableString, T61String, BMPString.
114# pkix   : PrintableString, BMPString.
115# utf8only: only UTF8Strings.
116# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
117# MASK:XXXX a literal mask value.
118# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
119# so use this option with caution!
120# we use PrintableString+UTF8String mask so if pure ASCII texts are used
121# the resulting certificates are compatible with Netscape
122string_mask = MASK:0x2002
123
124# req_extensions = v3_req # The extensions to add to a certificate request
125
126[ req_distinguished_name ]
127countryName                     = Country Name (2 letter code)
128countryName_default             = US
129countryName_min                 = 2
130countryName_max                 = 2
131
132stateOrProvinceName             = State or Province Name (full name)
133stateOrProvinceName_default     = Massachusetts
134
135localityName                    = Locality Name (eg, city)
136localityName_default            = Cambridge
137
1380.organizationName              = Organization Name (eg, company)
1390.organizationName_default      = Massachusetts Institute of Technology
140
141# we can do this but it is not needed normally :-)
142#1.organizationName             = Second Organization Name (eg, company)
143#1.organizationName_default     = World Wide Web Pty Ltd
144
145organizationalUnitName          = OU
146organizationalUnitName_default  = scripts.mit.edu web hosting service
147
148commonName                      = Common Name (eg, your name or your server\'s hostname)
149commonName_max                  = 64
150
151emailAddress                    = Email Address
152emailAddress_max                = 64
153emailAddress_default            = scripts@mit.edu
154
155# SET-ex3                       = SET extension number 3
156
157[ req_attributes ]
158challengePassword               = A challenge password
159challengePassword_min           = 4
160challengePassword_max           = 20
161
162unstructuredName                = An optional company name
163
164[ usr_cert ]
165
166# These extensions are added when 'ca' signs a request.
167
168# This goes against PKIX guidelines but some CAs do it and some software
169# requires this to avoid interpreting an end user certificate as a CA.
170
171basicConstraints=CA:FALSE
172
173# Here are some examples of the usage of nsCertType. If it is omitted
174# the certificate can be used for anything *except* object signing.
175
176# This is OK for an SSL server.
177# nsCertType                    = server
178
179# For an object signing certificate this would be used.
180# nsCertType = objsign
181
182# For normal client use this is typical
183# nsCertType = client, email
184
185# and for everything including object signing:
186# nsCertType = client, email, objsign
187
188# This is typical in keyUsage for a client certificate.
189# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
190
191# This will be displayed in Netscape's comment listbox.
192nsComment                       = "OpenSSL Generated Certificate"
193
194# PKIX recommendations harmless if included in all certificates.
195subjectKeyIdentifier=hash
196authorityKeyIdentifier=keyid,issuer
197
198# This stuff is for subjectAltName and issuerAltname.
199# Import the email address.
200# subjectAltName=email:copy
201# An alternative to produce certificates that aren't
202# deprecated according to PKIX.
203# subjectAltName=email:move
204
205# Copy subject details
206# issuerAltName=issuer:copy
207
208#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
209#nsBaseUrl
210#nsRevocationUrl
211#nsRenewalUrl
212#nsCaPolicyUrl
213#nsSslServerName
214
215[ v3_req ]
216
217# Extensions to add to a certificate request
218
219basicConstraints = CA:FALSE
220keyUsage = nonRepudiation, digitalSignature, keyEncipherment
221
222[ v3_ca ]
223
224
225# Extensions for a typical CA
226
227
228# PKIX recommendation.
229
230subjectKeyIdentifier=hash
231
232authorityKeyIdentifier=keyid:always,issuer:always
233
234# This is what PKIX recommends but some broken software chokes on critical
235# extensions.
236#basicConstraints = critical,CA:true
237# So we do this instead.
238basicConstraints = CA:true
239
240# Key usage: this is typical for a CA certificate. However since it will
241# prevent it being used as an test self-signed certificate it is best
242# left out by default.
243# keyUsage = cRLSign, keyCertSign
244
245# Some might want this also
246# nsCertType = sslCA, emailCA
247
248# Include email address in subject alt name: another PKIX recommendation
249# subjectAltName=email:copy
250# Copy issuer details
251# issuerAltName=issuer:copy
252
253# DER hex encoding of an extension: beware experts only!
254# obj=DER:02:03
255# Where 'obj' is a standard or added object
256# You can even override a supported extension:
257# basicConstraints= critical, DER:30:03:01:01:FF
258
259[ crl_ext ]
260
261# CRL extensions.
262# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
263
264# issuerAltName=issuer:copy
265authorityKeyIdentifier=keyid:always,issuer:always
266
267[ proxy_cert_ext ]
268# These extensions should be added when creating a proxy certificate
269
270# This goes against PKIX guidelines but some CAs do it and some software
271# requires this to avoid interpreting an end user certificate as a CA.
272
273basicConstraints=CA:FALSE
274
275# Here are some examples of the usage of nsCertType. If it is omitted
276# the certificate can be used for anything *except* object signing.
277
278# This is OK for an SSL server.
279# nsCertType                    = server
280
281# For an object signing certificate this would be used.
282# nsCertType = objsign
283
284# For normal client use this is typical
285# nsCertType = client, email
286
287# and for everything including object signing:
288# nsCertType = client, email, objsign
289
290# This is typical in keyUsage for a client certificate.
291# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
292
293# This will be displayed in Netscape's comment listbox.
294nsComment                       = "OpenSSL Generated Certificate"
295
296# PKIX recommendations harmless if included in all certificates.
297subjectKeyIdentifier=hash
298authorityKeyIdentifier=keyid,issuer:always
299
300# This stuff is for subjectAltName and issuerAltname.
301# Import the email address.
302# subjectAltName=email:copy
303# An alternative to produce certificates that aren't
304# deprecated according to PKIX.
305# subjectAltName=email:move
306
307# Copy subject details
308# issuerAltName=issuer:copy
309
310#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
311#nsBaseUrl
312#nsRevocationUrl
313#nsRenewalUrl
314#nsCaPolicyUrl
315#nsSslServerName
316
317# This really needs to be in place for it to be a proxy certificate.
318proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
Note: See TracBrowser for help on using the repository browser.