# Base directory for the relative paths used below. "." means the CA
# tree lives wherever openssl(1) is invoked, so always run it from the
# CA root (the directory holding private/, certsdb, index.txt, serial).
HOME = .
# Seed file for the PRNG. NOTE(review): recent OpenSSL releases seed
# from the OS and ignore RANDFILE; keeping it is harmless for old builds.
RANDFILE = $ENV::HOME/.rnd
  3.  
####################################################################
# CA Definition
# Entry point for ca(1): it only names the section that holds the real
# CA settings, so all tuning happens in [ CA_default ] below.
[ ca ]
default_ca = CA_default # The default ca section
  8.  
  9. ####################################################################
  10. # Per the above, this is where we define CA values
  11. [ CA_default ]
  12.  
  13. dir = . # Where everything is kept
  14. certs = $dir/certsdb # Where the issued certs are kept
  15. new_certs_dir = $certs # default place for new certs.
  16. database = $dir/index.txt # database index file.
  17. certificate = $dir/cacert.pem # The CA certificate
  18. private_key = $dir/private/cakey.pem# The private key
  19. serial = $dir/serial # The current serial number
  20. RANDFILE = $dir/private/.rand # private random number file
  21.  
  22. crldir = $dir/crl
  23. crlnumber = $dir/crlnumber # the current crl number
  24. crl = $crldir/crl.pem # The current CRL
  25.  
  26. # By default we use "user certificate" extensions when signing
  27. x509_extensions = usr_cert # The extentions to add to the cert
  28.  
  29. # Honor extensions requested of us
  30. copy_extensions = copy
  31.  
  32. # Comment out the following two lines for the "traditional"
  33. # (and highly broken) format.
  34. name_opt = ca_default # Subject Name options
  35. cert_opt = ca_default # Certificate field options
  36.  
  37. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  38. # so this is commented out by default to leave a V1 CRL.
  39. # crlnumber must also be commented out to leave a V1 CRL.
  40. #crl_extensions = crl_ext
  41. default_days = 365 # how long to certify for
  42. default_crl_days= 30 # how long before next CRL
  43. default_md = sha1 # which md to use.
  44. preserve = no # keep passed DN ordering
  45.  
  46. # A few difference way of specifying how similar the request should look
  47. # For type CA, the listed attributes must be the same, and the optional
  48. # and supplied fields are just that :-)
  49. policy = policy_match
  50.  
####################################################################
# The default policy for the CA when signing requests, requires some
# resemblance to the CA cert.
# Per ca(1), DN fields not mentioned in the active policy are silently
# deleted from the issued certificate (preserve = no above keeps that
# behaviour). localityName is not listed here, so the locality that
# [ req_distinguished_name ] prompts for does not survive this policy;
# add "localityName = optional" or use policy_anything if it should.
#
[ policy_match ]
countryName = match # Must be the same as the CA
stateOrProvinceName = match # Must be the same as the CA
organizationName = match # Must be the same as the CA
organizationalUnitName = optional # not required
commonName = supplied # must be there, whatever it is
emailAddress = optional # not required
  62.  
####################################################################
# An alternative policy not referred to anywhere in this file. Can
# be used by specifying '-policy policy_anything' to ca(8).
# Nothing here has to match the CA's own DN; only commonName is
# mandatory, so this is the policy for requests from third parties.
# Unlike policy_match it lists localityName, so that field is kept.
#
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
  75.  
  76. ####################################################################
  77. # This is where we define how to generate CSRs
  78. [ req ]
  79. default_bits = 2048
  80. default_keyfile = privkey.pem
  81. distinguished_name = req_distinguished_name # where to get DN for reqs
  82. attributes = req_attributes # req attributes
  83. x509_extensions = v3_ca # The extentions to add to self signed certs
  84. req_extensions = v3_req # The extensions to add to req's
  85.  
  86. # This sets a mask for permitted string types. There are several options.
  87. # default: PrintableString, T61String, BMPString.
  88. # pkix : PrintableString, BMPString.
  89. # utf8only: only UTF8Strings.
  90. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  91. # MASK:XXXX a literal mask value.
  92. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  93. # so use this option with caution!
  94. string_mask = nombstr
  95.  
  96.  
####################################################################
# Per "req" section, this is where we define DN info
# The *_default values below are what the CA certificate was presumably
# created with; under policy_match the C, ST and O of every request must
# equal the CA's, so do not edit those defaults without re-issuing the CA
# certificate.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California

localityName = Locality Name (eg, city)
localityName_default = Hawthorne

0.organizationName = Organization Name (eg, company)
0.organizationName_default = PhilNet

organizationalUnitName = Organizational Unit Name (eg, section)

# NOTE(review): for TLS server certificates current clients match the
# hostname against subjectAltName, not commonName; [ v3_req ] only moves
# the e-mail address into the SAN, so DNS names must be requested
# separately (e.g. -addext "subjectAltName=DNS:host").
commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64
  121.  
  122.  
####################################################################
# We don't want these, but the section must exist
# (req(1) needs the section named by "attributes" even when empty).
# challengePassword is a legacy PKCS#9 attribute stored in clear text in
# the CSR; leaving it disabled is the right default.
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name
  130.  
  131.  
####################################################################
# Extensions for when we sign normal certs (specified as default)
# Referenced by x509_extensions in [ CA_default ]. That section also
# sets copy_extensions = copy, so per ca(1) any extension a CSR asks
# for that is NOT listed here is copied into the issued certificate
# unchanged; only the entries below take precedence over the request.
[ usr_cert ]

# User certs aren't CAs, by definition. Listed here so a CSR asking for
# CA:TRUE is overridden rather than copied.
basicConstraints=CA:false

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server. (nsCertType is a Netscape legacy
# extension; current software relies on keyUsage/extendedKeyUsage.)
#nsCertType = server
# For an object signing certificate this would be used.
#nsCertType = objsign
# For normal client use this is typical
#nsCertType = client, email
# and for everything including object signing:
#nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# NOTE(review): with keyUsage and extendedKeyUsage unset here, whatever
# the CSR requests for them is what gets issued; set them here if this
# CA must constrain what its certificates may be used for.
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
#subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
#subjectAltName=email:move
# NOTE(review): subjectAltName is likewise left to the request, so the
# DNS names / IPs in a CSR's SAN are issued as-is; verify them against
# the requester before signing.
  162.  
  163.  
####################################################################
# Extension for requests
# Named by req_extensions in [ req ]; added to every CSR.
[ v3_req ]
# Lets at least make our requests PKIX compliant: move the emailAddress
# out of the subject DN into subjectAltName. Because [ CA_default ] has
# copy_extensions = copy, this SAN is carried into the issued certificate.
subjectAltName=email:move
  169.  
  170.  
  171. ####################################################################
  172. # An alternative section of extensions, not referred to anywhere
  173. # else in the config. We'll use this via '-extensions v3_ca' when
  174. # using ca(8) to sign another CA.
  175. #
  176. [ v3_ca ]
  177.  
  178. # PKIX recommendation.
  179. subjectKeyIdentifier=hash
  180. authorityKeyIdentifier=keyid:always,issuer:always
  181.  
  182. # This is what PKIX recommends but some broken software chokes on critical
  183. # extensions.
  184. #basicConstraints = critical,CA:true
  185. # So we do this instead.
  186. basicConstraints = CA:true
  187.  
  188. # Key usage: this is typical for a CA certificate. However since it will
  189. # prevent it being used as an test self-signed certificate it is best
  190. # left out by default.
  191. # keyUsage = cRLSign, keyCertSign
  192.  
  193. # Some might want this also
  194. # nsCertType = sslCA, emailCA
  195.  
  196. # Include email address in subject alt name: another PKIX recommendation
  197. #subjectAltName=email:move
  198. # Copy issuer details
  199. #issuerAltName=issuer:copy