#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by the OpenSSL library and CLI (openssl ca, req, x509, ts ...).
# Unlike a generic INI parser, OpenSSL's config parser expands
# $name / ${name} / $ENV::NAME references and treats '#' as the start
# of a comment anywhere on a line, so the trailing "# ..." notes used
# throughout this file are not part of the values.

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# System default
# Every application that loads this file picks up the [default_conf]
# chain (ssl_conf -> system_default_sect), i.e. the MinProtocol /
# CipherString floor defined at the end of this file.
openssl_conf = default_conf

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
# These sit under the 1.2.3.4 example arc and are not registered OIDs;
# replace them with an arc you control before a TSA built on this file
# issues tokens to anyone else.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
# Entry point for 'openssl ca': names the section holding the CA settings.
[ ca ]
default_ca = CA_default # The default ca section

  45. ####################################################################
  46. [ CA_default ]
  47.  
  48. dir = /root/CA # Where everything is kept
  49. certs = $dir/certsdb # Where the issued certs are kept
  50. crl_dir = $dir/crl # Where the issued crl are kept
  51. database = $dir/index.txt # database index file.
  52. #unique_subject = no # Set to 'no' to allow creation of
  53. # several certs with same subject.
  54. new_certs_dir = $certs # default place for new certs.
  55.  
  56. certificate = $dir/cacert.pem # The CA certificate
  57. serial = $dir/serial # The current serial number
  58. crlnumber = $dir/crlnumber # the current crl number
  59. # must be commented out to leave a V1 CRL
  60. crl = $dir/crl.pem # The current CRL
  61. private_key = $dir/private/cakey.pem# The private key
  62.  
  63. x509_extensions = usr_cert # The extensions to add to the cert
  64.  
  65. # Comment out the following two lines for the "traditional"
  66. # (and highly broken) format.
  67. name_opt = ca_default # Subject Name options
  68. cert_opt = ca_default # Certificate field options
  69.  
  70. # Extension copying option: use with caution.
  71. # copy_extensions = copy
  72.  
  73. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  74. # so this is commented out by default to leave a V1 CRL.
  75. # crlnumber must also be commented out to leave a V1 CRL.
  76. # crl_extensions = crl_ext
  77.  
  78. default_days = 365 # how long to certify for
  79. default_crl_days= 30 # how long before next CRL
  80. default_md = default # use public key default MD
  81. preserve = no # keep passed DN ordering
  82.  
  83. # A few difference way of specifying how similar the request should look
  84. # For type CA, the listed attributes must be the same, and the optional
  85. # and supplied fields are just that :-)
  86. policy = policy_match
  87.  
# For the CA policy
# match: the field must equal the CA certificate's value;
# supplied: the field must be present in the request;
# optional: the field may be absent.
# Per ca(1), subject fields not listed in the policy are not carried
# into the issued certificate.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# Only commonName is required; select it with 'openssl ca -policy
# policy_anything'. Because nothing has to match the CA's own DN,
# use it only for requests whose subject you have vetted by other means.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
# Settings for 'openssl req' (CSR and self-signed certificate creation).
[ req ]
default_bits = 2048
# Relative path, resolved against the working directory (-keyout overrides).
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# Leave these commented: a passphrase stored here is readable by anyone
# who can read this configuration file.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

# Subject fields prompted by 'openssl req', in the order listed.
# <field> is the prompt text, <field>_default the value offered when the
# user just presses Enter, <field>_min/_max bound the answer length.
# The _default values are site-specific and should be changed per site.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = ES
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Sevilla

localityName = Locality Name (eg, city)
localityName_default = Dos Hermanas

# The "0." prefix makes the key unique; it lets the same field appear
# more than once (see the commented 1.organizationName below).
0.organizationName = Organization Name (eg, company)
0.organizationName_default = AlvaroVaca Corp

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Informatica

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

# Optional PKCS#10 attributes prompted for when creating a CSR.
# All are commented out, so 'openssl req' asks for none of them.
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20

#unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.
# (Selected through x509_extensions = usr_cert in [ CA_default ].)

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# NOTE(review): keyUsage and extendedKeyUsage are both left unset in
# this section, so a certificate issued with it is not tied to any
# purpose (it validates for server auth, client auth, etc. alike).
# Set both per profile, e.g. for a TLS server:
#   keyUsage = critical, digitalSignature, keyEncipherment
#   extendedKeyUsage = serverAuth

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request
# (only used if req_extensions = v3_req is enabled in [ req ]; the CA
# still decides what ends up in the certificate, see copy_extensions).

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA
# (used for the self-signed CA certificate via x509_extensions in [ req ])


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# NOTE(review): no path length limit is set; if no subordinate CAs are
# planned, 'basicConstraints = critical,CA:true,pathlen:0' stops a leaf
# key that is ever mis-issued as CA:true from being chained further.
basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# NOTE(review): for a CA that really issues certificates, enable it
# (critical) so the CA key cannot double as an ordinary TLS/signing key.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# Inactive until crl_extensions = crl_ext is enabled in [ CA_default ].

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This section mirrors [ usr_cert ] and adds the mandatory proxyCertInfo
# at the end; the same missing-keyUsage remark applies here.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# pathlen:3 allows up to three further proxy certificates below this
# one; 'policy:foo' is the placeholder carried over from the OpenSSL
# sample file and should be replaced before real proxy certs are issued.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
# Entry point for 'openssl ts' reply generation.
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
# NOTE(review): this section still points at the stock ./demoCA tree
# (relative to the working directory), whereas [ CA_default ] above uses
# /root/CA; align them if the TSA is meant to run off the same CA.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
# The TSA signing certificate (optional)
signer_cert = $dir/tsacert.pem
# Certificate chain to include in reply (optional)
certs = $dir/cacert.pem
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
# Policy if request did not specify it (optional)
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# Acceptable message digests (mandatory). Timestamp requests are
# untrusted input, and this list is what they may hash with.
# NOTE(review): sha1 is collision-weak; drop it unless a known client
# still depends on it:
#   digests = sha256, sha384, sha512
digests = sha1, sha256, sha384, sha512
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
# Is ordering defined for timestamps? (optional, default: no)
ordering = yes
# Must the TSA name be included in the reply? (optional, default: no)
tsa_name = yes
# Must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_chain = no
# algorithm to compute certificate identifier (optional, default: sha1)
# NOTE(review): sha1 here produces the RFC 3161 ESSCertID; a SHA-2
# value (ess_cert_id_alg = sha256) produces ESSCertIDv2 (RFC 5816),
# which current verifiers accept. Prefer it unless a legacy verifier
# is known to need sha1.
ess_cert_id_alg = sha1
# Library-wide defaults, activated by openssl_conf = default_conf at the
# top of this file for every application that loads it.
[default_conf]
ssl_conf = ssl_sect

# SSL/TLS module configuration: system_default names the section whose
# settings are applied to every SSL_CTX when it is created.
[ssl_sect]
system_default = system_default_sect

# Baseline for all TLS contexts created by applications using this file:
# nothing below TLS 1.2, and security level 2, which additionally rejects
# RSA/DSA/DH keys shorter than 2048 bits, ECC keys shorter than 224 bits,
# RC4 and TLS compression. Applications can still raise the level, but a
# cipher string without @SECLEVEL in their own config would lower it.
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
