Advertisement
alvarovaca

openssl.cnf

Nov 21st, 2020
383
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.25 KB | None | 0 0
  1. #
  2. # OpenSSL example configuration file.
  3. # This is mostly being used for generation of certificate requests.
  4. #
  5.  
  6. # Note that you can include other files from the main configuration
  7. # file using the .include directive.
  8. #.include filename
  9.  
  10. # This definition stops the following lines choking if HOME isn't
  11. # defined.
  12. HOME = .
  13.  
  14. # Extra OBJECT IDENTIFIER info:
  15. #oid_file = $ENV::HOME/.oid
  16. oid_section = new_oids
  17.  
  18. # System default
  19. openssl_conf = default_conf
  20.  
  21. # To use this configuration file with the "-extfile" option of the
  22. # "openssl x509" utility, name here the section containing the
  23. # X.509v3 extensions to use:
  24. # extensions =
  25. # (Alternatively, use a configuration file that has only
  26. # X.509v3 extensions in its main [= default] section.)
  27.  
  28. [ new_oids ]
  29.  
  30. # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
  31. # Add a simple OID like this:
  32. # testoid1=1.2.3.4
  33. # Or use config file substitution like this:
  34. # testoid2=${testoid1}.5.6
  35.  
  36. # Policies used by the TSA examples.
  37. tsa_policy1 = 1.2.3.4.1
  38. tsa_policy2 = 1.2.3.4.5.6
  39. tsa_policy3 = 1.2.3.4.5.7
  40.  
  41. ####################################################################
  42. [ ca ]
  43. default_ca = CA_default # The default ca section
  44.  
  45. ####################################################################
  46. [ CA_default ]
  47.  
  48. dir = /root/CA # Where everything is kept
  49. certs = $dir/certsdb # Where the issued certs are kept
  50. crl_dir = $dir/crl # Where the issued crl are kept
  51. database = $dir/index.txt # database index file.
  52. #unique_subject = no # Set to 'no' to allow creation of
  53. # several certs with same subject.
  54. new_certs_dir = $certs # default place for new certs.
  55.  
  56. certificate = $dir/cacert.pem # The CA certificate
  57. serial = $dir/serial # The current serial number
  58. crlnumber = $dir/crlnumber # the current crl number
  59. # must be commented out to leave a V1 CRL
  60. crl = $dir/crl.pem # The current CRL
  61. private_key = $dir/private/cakey.pem# The private key
  62.  
  63. x509_extensions = usr_cert # The extensions to add to the cert
  64.  
  65. # Comment out the following two lines for the "traditional"
  66. # (and highly broken) format.
  67. name_opt = ca_default # Subject Name options
  68. cert_opt = ca_default # Certificate field options
  69.  
  70. # Extension copying option: use with caution.
  71. # copy_extensions = copy
  72.  
  73. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  74. # so this is commented out by default to leave a V1 CRL.
  75. # crlnumber must also be commented out to leave a V1 CRL.
  76. # crl_extensions = crl_ext
  77.  
  78. default_days = 365 # how long to certify for
  79. default_crl_days= 30 # how long before next CRL
  80. default_md = default # use public key default MD
  81. preserve = no # keep passed DN ordering
  82.  
  83. # A few difference way of specifying how similar the request should look
  84. # For type CA, the listed attributes must be the same, and the optional
  85. # and supplied fields are just that :-)
  86. policy = policy_match
  87.  
  88. # For the CA policy
  89. [ policy_match ]
  90. countryName = match
  91. stateOrProvinceName = match
  92. organizationName = match
  93. organizationalUnitName = optional
  94. commonName = supplied
  95. emailAddress = optional
  96.  
  97. # For the 'anything' policy
  98. # At this point in time, you must list all acceptable 'object'
  99. # types.
  100. [ policy_anything ]
  101. countryName = optional
  102. stateOrProvinceName = optional
  103. localityName = optional
  104. organizationName = optional
  105. organizationalUnitName = optional
  106. commonName = supplied
  107. emailAddress = optional
  108.  
  109. ####################################################################
  110. [ req ]
  111. default_bits = 2048
  112. default_keyfile = privkey.pem
  113. distinguished_name = req_distinguished_name
  114. attributes = req_attributes
  115. x509_extensions = v3_ca # The extensions to add to the self signed cert
  116.  
  117. # Passwords for private keys if not present they will be prompted for
  118. # input_password = secret
  119. # output_password = secret
  120.  
  121. # This sets a mask for permitted string types. There are several options.
  122. # default: PrintableString, T61String, BMPString.
  123. # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
  124. # utf8only: only UTF8Strings (PKIX recommendation after 2004).
  125. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  126. # MASK:XXXX a literal mask value.
  127. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
  128. string_mask = utf8only
  129.  
  130. # req_extensions = v3_req # The extensions to add to a certificate request
  131.  
  132. [ req_distinguished_name ]
  133. countryName = Country Name (2 letter code)
  134. countryName_default = ES
  135. countryName_min = 2
  136. countryName_max = 2
  137.  
  138. stateOrProvinceName = State or Province Name (full name)
  139. stateOrProvinceName_default = Sevilla
  140.  
  141. localityName = Locality Name (eg, city)
  142. localityName_default = Dos Hermanas
  143.  
  144. 0.organizationName = Organization Name (eg, company)
  145. 0.organizationName_default = AlvaroVaca Corp
  146.  
  147. # we can do this but it is not needed normally :-)
  148. #1.organizationName = Second Organization Name (eg, company)
  149. #1.organizationName_default = World Wide Web Pty Ltd
  150.  
  151. organizationalUnitName = Organizational Unit Name (eg, section)
  152. organizationalUnitName_default = Informatica
  153.  
  154. commonName = Common Name (e.g. server FQDN or YOUR name)
  155. commonName_max = 64
  156.  
  157. emailAddress = Email Address
  158. emailAddress_max = 64
  159.  
  160. # SET-ex3 = SET extension number 3
  161.  
  162. [ req_attributes ]
  163. #challengePassword = A challenge password
  164. #challengePassword_min = 4
  165. #challengePassword_max = 20
  166.  
  167. #unstructuredName = An optional company name
  168.  
  169. [ usr_cert ]
  170.  
  171. # These extensions are added when 'ca' signs a request.
  172.  
  173. # This goes against PKIX guidelines but some CAs do it and some software
  174. # requires this to avoid interpreting an end user certificate as a CA.
  175.  
  176. basicConstraints=CA:FALSE
  177.  
  178. # Here are some examples of the usage of nsCertType. If it is omitted
  179. # the certificate can be used for anything *except* object signing.
  180.  
  181. # This is OK for an SSL server.
  182. # nsCertType = server
  183.  
  184. # For an object signing certificate this would be used.
  185. # nsCertType = objsign
  186.  
  187. # For normal client use this is typical
  188. # nsCertType = client, email
  189.  
  190. # and for everything including object signing:
  191. # nsCertType = client, email, objsign
  192.  
  193. # This is typical in keyUsage for a client certificate.
  194. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  195.  
  196. # This will be displayed in Netscape's comment listbox.
  197. nsComment = "OpenSSL Generated Certificate"
  198.  
  199. # PKIX recommendations harmless if included in all certificates.
  200. subjectKeyIdentifier=hash
  201. authorityKeyIdentifier=keyid,issuer
  202.  
  203. # This stuff is for subjectAltName and issuerAltname.
  204. # Import the email address.
  205. # subjectAltName=email:copy
  206. # An alternative to produce certificates that aren't
  207. # deprecated according to PKIX.
  208. # subjectAltName=email:move
  209.  
  210. # Copy subject details
  211. # issuerAltName=issuer:copy
  212.  
  213. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  214. #nsBaseUrl
  215. #nsRevocationUrl
  216. #nsRenewalUrl
  217. #nsCaPolicyUrl
  218. #nsSslServerName
  219.  
  220. # This is required for TSA certificates.
  221. # extendedKeyUsage = critical,timeStamping
  222.  
  223. [ v3_req ]
  224.  
  225. # Extensions to add to a certificate request
  226.  
  227. basicConstraints = CA:FALSE
  228. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  229.  
  230. [ v3_ca ]
  231.  
  232.  
  233. # Extensions for a typical CA
  234.  
  235.  
  236. # PKIX recommendation.
  237.  
  238. subjectKeyIdentifier=hash
  239.  
  240. authorityKeyIdentifier=keyid:always,issuer
  241.  
  242. basicConstraints = critical,CA:true
  243.  
  244. # Key usage: this is typical for a CA certificate. However since it will
  245. # prevent it being used as an test self-signed certificate it is best
  246. # left out by default.
  247. # keyUsage = cRLSign, keyCertSign
  248.  
  249. # Some might want this also
  250. # nsCertType = sslCA, emailCA
  251.  
  252. # Include email address in subject alt name: another PKIX recommendation
  253. # subjectAltName=email:copy
  254. # Copy issuer details
  255. # issuerAltName=issuer:copy
  256.  
  257. # DER hex encoding of an extension: beware experts only!
  258. # obj=DER:02:03
  259. # Where 'obj' is a standard or added object
  260. # You can even override a supported extension:
  261. # basicConstraints= critical, DER:30:03:01:01:FF
  262.  
  263. [ crl_ext ]
  264.  
  265. # CRL extensions.
  266. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  267.  
  268. # issuerAltName=issuer:copy
  269. authorityKeyIdentifier=keyid:always
  270.  
  271. [ proxy_cert_ext ]
  272. # These extensions should be added when creating a proxy certificate
  273.  
  274. # This goes against PKIX guidelines but some CAs do it and some software
  275. # requires this to avoid interpreting an end user certificate as a CA.
  276.  
  277. basicConstraints=CA:FALSE
  278.  
  279. # Here are some examples of the usage of nsCertType. If it is omitted
  280. # the certificate can be used for anything *except* object signing.
  281.  
  282. # This is OK for an SSL server.
  283. # nsCertType = server
  284.  
  285. # For an object signing certificate this would be used.
  286. # nsCertType = objsign
  287.  
  288. # For normal client use this is typical
  289. # nsCertType = client, email
  290.  
  291. # and for everything including object signing:
  292. # nsCertType = client, email, objsign
  293.  
  294. # This is typical in keyUsage for a client certificate.
  295. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  296.  
  297. # This will be displayed in Netscape's comment listbox.
  298. nsComment = "OpenSSL Generated Certificate"
  299.  
  300. # PKIX recommendations harmless if included in all certificates.
  301. subjectKeyIdentifier=hash
  302. authorityKeyIdentifier=keyid,issuer
  303.  
  304. # This stuff is for subjectAltName and issuerAltname.
  305. # Import the email address.
  306. # subjectAltName=email:copy
  307. # An alternative to produce certificates that aren't
  308. # deprecated according to PKIX.
  309. # subjectAltName=email:move
  310.  
  311. # Copy subject details
  312. # issuerAltName=issuer:copy
  313.  
  314. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  315. #nsBaseUrl
  316. #nsRevocationUrl
  317. #nsRenewalUrl
  318. #nsCaPolicyUrl
  319. #nsSslServerName
  320.  
  321. # This really needs to be in place for it to be a proxy certificate.
  322. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
  323.  
  324. ####################################################################
  325. [ tsa ]
  326.  
  327. default_tsa = tsa_config1 # the default TSA section
  328.  
  329. [ tsa_config1 ]
  330.  
  331. # These are used by the TSA reply generation only.
  332. dir = ./demoCA # TSA root directory
  333. serial = $dir/tsaserial # The current serial number (mandatory)
  334. crypto_device = builtin # OpenSSL engine to use for signing
  335. signer_cert = $dir/tsacert.pem # The TSA signing certificate
  336. # (optional)
  337. certs = $dir/cacert.pem # Certificate chain to include in reply
  338. # (optional)
  339. signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
  340. signer_digest = sha256 # Signing digest to use. (Optional)
  341. default_policy = tsa_policy1 # Policy if request did not specify it
  342. # (optional)
  343. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  344. digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
  345. accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  346. clock_precision_digits = 0 # number of digits after dot. (optional)
  347. ordering = yes # Is ordering defined for timestamps?
  348. # (optional, default: no)
  349. tsa_name = yes # Must the TSA name be included in the reply?
  350. # (optional, default: no)
  351. ess_cert_id_chain = no # Must the ESS cert id chain be included?
  352. # (optional, default: no)
  353. ess_cert_id_alg = sha1 # algorithm to compute certificate
  354. # identifier (optional, default: sha1)
  355. [default_conf]
  356. ssl_conf = ssl_sect
  357.  
  358. [ssl_sect]
  359. system_default = system_default_sect
  360.  
  361. [system_default_sect]
  362. MinProtocol = TLSv1.2
  363. CipherString = DEFAULT@SECLEVEL=2
  364.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement