localhost.cnf 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369
  1. #
  2. # OpenSSL example configuration file.
  3. # This is mostly being used for generation of certificate requests.
  4. #
  5. # This definition stops the following lines choking if HOME isn't
  6. # defined.
  7. HOME = .
  8. RANDFILE = $ENV::HOME/.rnd
  9. # Extra OBJECT IDENTIFIER info:
  10. #oid_file = $ENV::HOME/.oid
  11. oid_section = new_oids
  12. hostname = ${ENV::HOSTNAME}
  13. ipaddress1 = ${ENV::IPADDRESS1}
  14. ipaddress2 = ${ENV::IPADDRESS2}
  15. uri1 = ${ENV::URI1}
  16. # To use this configuration file with the "-extfile" option of the
  17. # "openssl x509" utility, name here the section containing the
  18. # X.509v3 extensions to use:
  19. # extensions =
  20. # (Alternatively, use a configuration file that has only
  21. # X.509v3 extensions in its main [= default] section.)
  22. [ new_oids ]
  23. # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
  24. # Add a simple OID like this:
  25. # testoid1=1.2.3.4
  26. # Or use config file substitution like this:
  27. # testoid2=${testoid1}.5.6
  28. # Policies used by the TSA examples.
  29. tsa_policy1 = 1.2.3.4.1
  30. tsa_policy2 = 1.2.3.4.5.6
  31. tsa_policy3 = 1.2.3.4.5.7
  32. ####################################################################
  33. [ ca ]
  34. default_ca = CA_default # The default ca section
  35. ####################################################################
  36. [ CA_default ]
  37. dir = ./ca/ # Where everything is kept
  38. certs = $dir/certs # Where the issued certs are kept
  39. crl_dir = $dir/crl # Where the issued crl are kept
  40. database = $dir/database.txt # database index file.
  41. #unique_subject = no # Set to 'no' to allow creation of
  42. # several ctificates with same subject.
  43. new_certs_dir = $dir/newcerts # default place for new certs.
  44. certificate = $dir/ca.crt # The CA certificate
  45. serial = $dir/serial # The current serial number
  46. crlnumber = $dir/crlnumber # the current crl number
  47. # must be commented out to leave a V1 CRL
  48. crl = $dir/crl.pem # The current CRL
  49. private_key = $dir/ca.key # The private key
  50. RANDFILE = $dir/.rand # private random number file
  51. x509_extensions = usr_cert # The extensions to add to the cert
  52. # Comment out the following two lines for the "traditional"
  53. # (and highly broken) format.
  54. name_opt = ca_default # Subject Name options
  55. cert_opt = ca_default # Certificate field options
  56. # Extension copying option: use with caution.
  57. # copy_extensions = copy
  58. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  59. # so this is commented out by default to leave a V1 CRL.
  60. # crlnumber must also be commented out to leave a V1 CRL.
  61. crl_extensions = crl_ext
  62. default_days = 365 # how long to certify for
  63. default_crl_days= 30 # how long before next CRL
  64. default_md = default # use public key default MD
  65. preserve = no # keep passed DN ordering
  66. # A few difference way of specifying how similar the request should look
  67. # For type CA, the listed attributes must be the same, and the optional
  68. # and supplied fields are just that :-)
  69. policy = policy_match
  70. # For the CA policy
  71. [ policy_match ]
  72. countryName = match
  73. stateOrProvinceName = match
  74. organizationName = match
  75. organizationalUnitName = optional
  76. commonName = supplied
  77. emailAddress = optional
  78. # For the 'anything' policy
  79. # At this point in time, you must list all acceptable 'object'
  80. # types.
  81. [ policy_anything ]
  82. countryName = optional
  83. stateOrProvinceName = optional
  84. localityName = optional
  85. organizationName = optional
  86. organizationalUnitName = optional
  87. commonName = supplied
  88. emailAddress = optional
  89. ####################################################################
  90. [ req ]
  91. default_bits = 2048
  92. default_keyfile = privkey.pem
  93. distinguished_name = req_distinguished_name
  94. attributes = req_attributes
  95. x509_extensions = v3_ca # The extensions to add to the self signed cert
  96. # Passwords for private keys if not present they will be prompted for
  97. # input_password = secret
  98. # output_password = secret
  99. # This sets a mask for permitted string types. There are several options.
  100. # default: PrintableString, T61String, BMPString.
  101. # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
  102. # utf8only: only UTF8Strings (PKIX recommendation after 2004).
  103. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  104. # MASK:XXXX a literal mask value.
  105. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
  106. string_mask = utf8only
  107. req_extensions = v3_req # The extensions to add to a certificate request
  108. [ req_distinguished_name ]
  109. countryName = Country Name (2 letter code)
  110. countryName_default = AU
  111. countryName_min = 2
  112. countryName_max = 2
  113. stateOrProvinceName = State or Province Name (full name)
  114. stateOrProvinceName_default = Some-State
  115. localityName = Locality Name (eg, city)
  116. 0.organizationName = Organization Name (eg, company)
  117. 0.organizationName_default = Internet Widgits Pty Ltd
  118. # we can do this but it is not needed normally :-)
  119. #1.organizationName = Second Organization Name (eg, company)
  120. #1.organizationName_default = World Wide Web Pty Ltd
  121. organizationalUnitName = Organizational Unit Name (eg, section)
  122. #organizationalUnitName_default =
  123. commonName = Common Name (e.g. server FQDN or YOUR name)
  124. commonName_max = 64
  125. emailAddress = Email Address
  126. emailAddress_max = 64
  127. # SET-ex3 = SET extension number 3
  128. [ req_attributes ]
  129. challengePassword = A challenge password
  130. challengePassword_min = 4
  131. challengePassword_max = 20
  132. unstructuredName = An optional company name
  133. [ usr_cert ]
  134. # These extensions are added when 'ca' signs a request.
  135. # This goes against PKIX guidelines but some CAs do it and some software
  136. # requires this to avoid interpreting an end user certificate as a CA.
  137. basicConstraints=CA:FALSE
  138. # Here are some examples of the usage of nsCertType. If it is omitted
  139. # the certificate can be used for anything *except* object signing.
  140. # This is OK for an SSL server.
  141. # nsCertType = server
  142. # For an object signing certificate this would be used.
  143. # nsCertType = objsign
  144. # For normal client use this is typical
  145. # nsCertType = client, email
  146. # and for everything including object signing:
  147. # nsCertType = client, email, objsign
  148. # This is typical in keyUsage for a client certificate.
  149. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  150. # This will be displayed in Netscape's comment listbox.
  151. nsComment = "OpenSSL Generated Certificate"
  152. # PKIX recommendations harmless if included in all certificates.
  153. subjectKeyIdentifier=hash
  154. authorityKeyIdentifier=keyid,issuer
  155. # This stuff is for subjectAltName and issuerAltname.
  156. # Import the email address.
  157. # subjectAltName=email:copy
  158. # An alternative to produce certificates that aren't
  159. # deprecated according to PKIX.
  160. # subjectAltName=email:move
  161. # Copy subject details
  162. # issuerAltName=issuer:copy
  163. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  164. #nsBaseUrl
  165. #nsRevocationUrl
  166. #nsRenewalUrl
  167. #nsCaPolicyUrl
  168. #nsSslServerName
  169. # This is required for TSA certificates.
  170. extendedKeyUsage = critical,timeStamping
  171. [ v3_req ]
  172. # Extensions to add to a certificate request
  173. basicConstraints = CA:FALSE
  174. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  175. subjectAltName = @alt_names
  176. [ alt_names ]
  177. DNS.1 = ${hostname}
  178. DNS.2 = ${hostname}
  179. IP.1 = ${ipaddress1}
  180. IP.2 = ${ipaddress2}
  181. URI.1 = ${uri1}
  182. [ v3_ca ]
  183. # Extensions for a typical CA
  184. # PKIX recommendation.
  185. subjectKeyIdentifier=hash
  186. authorityKeyIdentifier=keyid:always,issuer
  187. # This is what PKIX recommends but some broken software chokes on critical
  188. # extensions.
  189. #basicConstraints = critical,CA:true
  190. # So we do this instead.
  191. basicConstraints = CA:false
  192. # Key usage: this is typical for a CA certificate. However since it will
  193. # prevent it being used as an test self-signed certificate it is best
  194. # left out by default.
  195. # keyUsage = cRLSign, keyCertSign
  196. keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
  197. extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
  198. # Some might want this also
  199. # nsCertType = sslCA, emailCA
  200. # Include email address in subject alt name: another PKIX recommendation
  201. # subjectAltName=email:copy
  202. # Copy issuer details
  203. # issuerAltName=issuer:copy
  204. # DER hex encoding of an extension: beware experts only!
  205. # obj=DER:02:03
  206. # Where 'obj' is a standard or added object
  207. # You can even override a supported extension:
  208. # basicConstraints= critical, DER:30:03:01:01:FF
  209. subjectAltName = @alt_names
  210. [ crl_ext ]
  211. # CRL extensions.
  212. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  213. # issuerAltName=issuer:copy
  214. authorityKeyIdentifier=keyid:always
  215. [ proxy_cert_ext ]
  216. # These extensions should be added when creating a proxy certificate
  217. # This goes against PKIX guidelines but some CAs do it and some software
  218. # requires this to avoid interpreting an end user certificate as a CA.
  219. basicConstraints=CA:FALSE
  220. # Here are some examples of the usage of nsCertType. If it is omitted
  221. # the certificate can be used for anything *except* object signing.
  222. # This is OK for an SSL server.
  223. # nsCertType = server
  224. # For an object signing certificate this would be used.
  225. # nsCertType = objsign
  226. # For normal client use this is typical
  227. # nsCertType = client, email
  228. # and for everything including object signing:
  229. # nsCertType = client, email, objsign
  230. # This is typical in keyUsage for a client certificate.
  231. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  232. # This will be displayed in Netscape's comment listbox.
  233. nsComment = "OpenSSL Generated Certificate"
  234. # PKIX recommendations harmless if included in all certificates.
  235. subjectKeyIdentifier=hash
  236. authorityKeyIdentifier=keyid,issuer
  237. # This stuff is for subjectAltName and issuerAltname.
  238. # Import the email address.
  239. # subjectAltName=email:copy
  240. # An alternative to produce certificates that aren't
  241. # deprecated according to PKIX.
  242. # subjectAltName=email:move
  243. # Copy subject details
  244. # issuerAltName=issuer:copy
  245. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  246. #nsBaseUrl
  247. #nsRevocationUrl
  248. #nsRenewalUrl
  249. #nsCaPolicyUrl
  250. #nsSslServerName
  251. # This really needs to be in place for it to be a proxy certificate.
  252. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
  253. ####################################################################
  254. [ tsa ]
  255. default_tsa = tsa_config1 # the default TSA section
  256. [ tsa_config1 ]
  257. # These are used by the TSA reply generation only.
  258. dir = ./demoCA # TSA root directory
  259. serial = $dir/tsaserial # The current serial number (mandatory)
  260. crypto_device = builtin # OpenSSL engine to use for signing
  261. signer_cert = $dir/tsacert.pem # The TSA signing certificate
  262. # (optional)
  263. certs = $dir/cacert.pem # Certificate chain to include in reply
  264. # (optional)
  265. signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
  266. default_policy = tsa_policy1 # Policy if request did not specify it
  267. # (optional)
  268. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  269. digests = md5, sha1 # Acceptable message digests (mandatory)
  270. accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  271. clock_precision_digits = 0 # number of digits after dot. (optional)
  272. ordering = yes # Is ordering defined for timestamps?
  273. # (optional, default: no)
  274. tsa_name = yes # Must the TSA name be included in the reply?
  275. # (optional, default: no)
  276. ess_cert_id_chain = no # Must the ESS cert id chain be included?
  277. # (optional, default: no)