API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jun 13th, 2023
23
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.20 KB | None | 0 0
raw download clone embed print report
  1. #
  2. # OpenSSL example configuration file.
  3. # This is mostly being used for generation of certificate requests.
  4. #
  5.  
  6. # This definition stops the following lines choking if HOME isn't
  7. # defined.
  8. HOME = .
  9. RANDFILE = $ENV::HOME/.rnd
  10.  
  11. # Extra OBJECT IDENTIFIER info:
  12. #oid_file = $ENV::HOME/.oid
  13. oid_section = new_oids
  14.  
  15. # To use this configuration file with the "-extfile" option of the
  16. # "openssl x509" utility, name here the section containing the
  17. # X.509v3 extensions to use:
  18. # extensions =
  19. # (Alternatively, use a configuration file that has only
  20. # X.509v3 extensions in its main [= default] section.)
  21.  
  22. [ new_oids ]
  23.  
  24. # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
  25. # Add a simple OID like this:
  26. # testoid1=1.2.3.4
  27. # Or use config file substitution like this:
  28. # testoid2=${testoid1}.5.6
  29.  
  30. # Policies used by the TSA examples.
  31. tsa_policy1 = 1.2.3.4.1
  32. tsa_policy2 = 1.2.3.4.5.6
  33. tsa_policy3 = 1.2.3.4.5.7
  34.  
  35. ####################################################################
  36. [ ca ]
  37. default_ca = CA_default # The default ca section
  38.  
  39. ####################################################################
  40. [ CA_default ]
  41.  
  42. dir = ./demoCA # Where everything is kept
  43. certs = $dir/certs # Where the issued certs are kept
  44. crl_dir = $dir/crl # Where the issued crl are kept
  45. database = $dir/index.txt # database index file.
  46. #unique_subject = no # Set to 'no' to allow creation of
  47. # several ctificates with same subject.
  48. new_certs_dir = $dir/newcerts # default place for new certs.
  49.  
  50. certificate = $dir/cacert.pem # The CA certificate
  51. serial = $dir/serial # The current serial number
  52. crlnumber = $dir/crlnumber # the current crl number
  53. # must be commented out to leave a V1 CRL
  54. crl = $dir/crl.pem # The current CRL
  55. private_key = $dir/private/cakey.pem# The private key
  56. RANDFILE = $dir/private/.rand # private random number file
  57.  
  58. x509_extensions = usr_cert # The extentions to add to the cert
  59.  
  60. # Comment out the following two lines for the "traditional"
  61. # (and highly broken) format.
  62. name_opt = ca_default # Subject Name options
  63. cert_opt = ca_default # Certificate field options
  64.  
  65. # Extension copying option: use with caution.
  66. # copy_extensions = copy
  67.  
  68. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  69. # so this is commented out by default to leave a V1 CRL.
  70. # crlnumber must also be commented out to leave a V1 CRL.
  71. # crl_extensions = crl_ext
  72.  
  73. default_days = 365 # how long to certify for
  74. default_crl_days= 30 # how long before next CRL
  75. default_md = default # use public key default MD
  76. preserve = no # keep passed DN ordering
  77.  
  78. # A few difference way of specifying how similar the request should look
  79. # For type CA, the listed attributes must be the same, and the optional
  80. # and supplied fields are just that :-)
  81. policy = policy_match
  82.  
  83. # For the CA policy
  84. [ policy_match ]
  85. countryName = match
  86. stateOrProvinceName = match
  87. organizationName = match
  88. organizationalUnitName = optional
  89. commonName = supplied
  90. emailAddress = optional
  91.  
  92. # For the 'anything' policy
  93. # At this point in time, you must list all acceptable 'object'
  94. # types.
  95. [ policy_anything ]
  96. countryName = optional
  97. stateOrProvinceName = optional
  98. localityName = optional
  99. organizationName = optional
  100. organizationalUnitName = optional
  101. commonName = supplied
  102. emailAddress = optional
  103.  
  104. ####################################################################
  105. [ req ]
  106. default_bits = 2048
  107. default_keyfile = privkey.pem
  108. distinguished_name = req_distinguished_name
  109. attributes = req_attributes
  110. x509_extensions = v3_ca # The extentions to add to the self signed cert
  111.  
  112. # Passwords for private keys if not present they will be prompted for
  113. # input_password = secret
  114. # output_password = secret
  115.  
  116. # This sets a mask for permitted string types. There are several options.
  117. # default: PrintableString, T61String, BMPString.
  118. # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
  119. # utf8only: only UTF8Strings (PKIX recommendation after 2004).
  120. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  121. # MASK:XXXX a literal mask value.
  122. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
  123. string_mask = utf8only
  124.  
  125. # req_extensions = v3_req # The extensions to add to a certificate request
  126.  
  127. [ req_distinguished_name ]
  128. countryName = Country Name (2 letter code)
  129. countryName_default = BE
  130. countryName_min = 2
  131. countryName_max = 2
  132.  
  133. stateOrProvinceName = State or Province Name (full name)
  134. stateOrProvinceName_default = Vlaams-Brabant
  135.  
  136. localityName = Locality Name (eg, city)
  137. localityName_default = Leuven
  138.  
  139. 0.organizationName = Organization Name (eg, company)
  140. 0.organizationName_default = Test NV
  141.  
  142. # we can do this but it is not needed normally :-)
  143. #1.organizationName = Second Organization Name (eg, company)
  144. #1.organizationName_default = World Wide Web Pty Ltd
  145.  
  146. organizationalUnitName = Organizational Unit Name (eg, section)
  147. organizationalUnitName_default = IT
  148.  
  149. commonName = Common Name (e.g. server FQDN or YOUR name)
  150. commonName_max = 64
  151.  
  152. emailAddress = Email Address
  153. emailAddress_max = 64
  154. emailAddress_default = test@test.com
  155.  
  156. # SET-ex3 = SET extension number 3
  157.  
  158. [ req_attributes ]
  159. challengePassword = A challenge password
  160. challengePassword_min = 4
  161. challengePassword_max = 20
  162.  
  163. unstructuredName = An optional company name
  164.  
  165. [ usr_cert ]
  166.  
  167. # These extensions are added when 'ca' signs a request.
  168.  
  169. # This goes against PKIX guidelines but some CAs do it and some software
  170. # requires this to avoid interpreting an end user certificate as a CA.
  171.  
  172. basicConstraints=CA:FALSE
  173.  
  174. # Here are some examples of the usage of nsCertType. If it is omitted
  175. # the certificate can be used for anything *except* object signing.
  176.  
  177. # This is OK for an SSL server.
  178. # nsCertType = server
  179.  
  180. # For an object signing certificate this would be used.
  181. # nsCertType = objsign
  182.  
  183. # For normal client use this is typical
  184. # nsCertType = client, email
  185.  
  186. # and for everything including object signing:
  187. # nsCertType = client, email, objsign
  188.  
  189. # This is typical in keyUsage for a client certificate.
  190. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  191.  
  192. # This will be displayed in Netscape's comment listbox.
  193. nsComment = "OpenSSL Generated Certificate"
  194.  
  195. # PKIX recommendations harmless if included in all certificates.
  196. subjectKeyIdentifier=hash
  197. authorityKeyIdentifier=keyid,issuer
  198.  
  199. # This stuff is for subjectAltName and issuerAltname.
  200. # Import the email address.
  201. # subjectAltName=email:copy
  202. # An alternative to produce certificates that aren't
  203. # deprecated according to PKIX.
  204. # subjectAltName=email:move
  205.  
  206. # Copy subject details
  207. # issuerAltName=issuer:copy
  208.  
  209. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  210. #nsBaseUrl
  211. #nsRevocationUrl
  212. #nsRenewalUrl
  213. #nsCaPolicyUrl
  214. #nsSslServerName
  215.  
  216. # This is required for TSA certificates.
  217. # extendedKeyUsage = critical,timeStamping
  218.  
  219. [ v3_req ]
  220.  
  221. # Extensions to add to a certificate request
  222.  
  223. basicConstraints = CA:FALSE
  224. keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
  225. extendedKeyUsage = serverAuth, clientAuth
  226.  
  227. [ v3_ca ]
  228.  
  229.  
  230. # Extensions for a typical CA
  231.  
  232.  
  233. # PKIX recommendation.
  234.  
  235. subjectKeyIdentifier=hash
  236.  
  237. authorityKeyIdentifier=keyid:always,issuer
  238.  
  239. # This is what PKIX recommends but some broken software chokes on critical
  240. # extensions.
  241. #basicConstraints = critical,CA:true
  242. # So we do this instead.
  243. basicConstraints = CA:true
  244.  
  245. # Key usage: this is typical for a CA certificate. However since it will
  246. # prevent it being used as an test self-signed certificate it is best
  247. # left out by default.
  248. # keyUsage = cRLSign, keyCertSign
  249.  
  250. # Some might want this also
  251. # nsCertType = sslCA, emailCA
  252.  
  253. # Include email address in subject alt name: another PKIX recommendation
  254. # subjectAltName=email:copy
  255. # Copy issuer details
  256. # issuerAltName=issuer:copy
  257.  
  258. # DER hex encoding of an extension: beware experts only!
  259. # obj=DER:02:03
  260. # Where 'obj' is a standard or added object
  261. # You can even override a supported extension:
  262. # basicConstraints= critical, DER:30:03:01:01:FF
  263.  
  264. [ testex ]
  265. basicConstraints = CA:FALSE
  266. keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
  267. extendedKeyUsage = serverAuth, clientAuth
  268.  
  269. [ crl_ext ]
  270.  
  271. # CRL extensions.
  272. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  273.  
  274. # issuerAltName=issuer:copy
  275. authorityKeyIdentifier=keyid:always
  276.  
  277. [ proxy_cert_ext ]
  278. # These extensions should be added when creating a proxy certificate
  279.  
  280. # This goes against PKIX guidelines but some CAs do it and some software
  281. # requires this to avoid interpreting an end user certificate as a CA.
  282.  
  283. basicConstraints=CA:FALSE
  284.  
  285. # Here are some examples of the usage of nsCertType. If it is omitted
  286. # the certificate can be used for anything *except* object signing.
  287.  
  288. # This is OK for an SSL server.
  289. # nsCertType = server
  290.  
  291. # For an object signing certificate this would be used.
  292. # nsCertType = objsign
  293.  
  294. # For normal client use this is typical
  295. # nsCertType = client, email
  296.  
  297. # and for everything including object signing:
  298. # nsCertType = client, email, objsign
  299.  
  300. # This is typical in keyUsage for a client certificate.
  301. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  302.  
  303. # This will be displayed in Netscape's comment listbox.
  304. nsComment = "OpenSSL Generated Certificate"
  305.  
  306. # PKIX recommendations harmless if included in all certificates.
  307. subjectKeyIdentifier=hash
  308. authorityKeyIdentifier=keyid,issuer
  309.  
  310. # This stuff is for subjectAltName and issuerAltname.
  311. # Import the email address.
  312. # subjectAltName=email:copy
  313. # An alternative to produce certificates that aren't
  314. # deprecated according to PKIX.
  315. # subjectAltName=email:move
  316.  
  317. # Copy subject details
  318. # issuerAltName=issuer:copy
  319.  
  320. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  321. #nsBaseUrl
  322. #nsRevocationUrl
  323. #nsRenewalUrl
  324. #nsCaPolicyUrl
  325. #nsSslServerName
  326.  
  327. # This really needs to be in place for it to be a proxy certificate.
  328. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
  329.  
  330. ####################################################################
  331. [ tsa ]
  332.  
  333. default_tsa = tsa_config1 # the default TSA section
  334.  
  335. [ tsa_config1 ]
  336.  
  337. # These are used by the TSA reply generation only.
  338. dir = ./demoCA # TSA root directory
  339. serial = $dir/tsaserial # The current serial number (mandatory)
  340. crypto_device = builtin # OpenSSL engine to use for signing
  341. signer_cert = $dir/tsacert.pem # The TSA signing certificate
  342. # (optional)
  343. certs = $dir/cacert.pem # Certificate chain to include in reply
  344. # (optional)
  345. signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
  346.  
  347. default_policy = tsa_policy1 # Policy if request did not specify it
  348. # (optional)
  349. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  350. digests = md5, sha1 # Acceptable message digests (mandatory)
  351. accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  352. clock_precision_digits = 0 # number of digits after dot. (optional)
  353. ordering = yes # Is ordering defined for timestamps?
  354. # (optional, default: no)
  355. tsa_name = yes # Must the TSA name be included in the reply?
  356. # (optional, default: no)
  357. ess_cert_id_chain = no # Must the ESS cert id chain be included?
  358. # (optional, default: no)
  359.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!