Annotation of elwix/config/etc/default/ssl/openssl.cnf, revision 1.1

1.1     ! misho       1: # $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.8 2006/07/29 19:14:46 simon Exp $
        !             2: #
        !             3: # OpenSSL example configuration file.
        !             4: # This is mostly being used for generation of certificate requests.
        !             5: #
        !             6: 
        !             7: # This definition stops the following lines choking if HOME isn't
        !             8: # defined.
        !             9: HOME                   = .
        !            10: RANDFILE               = $ENV::HOME/.rnd
        !            11: 
        !            12: # Extra OBJECT IDENTIFIER info:
        !            13: #oid_file              = $ENV::HOME/.oid
        !            14: oid_section            = new_oids
        !            15: 
        !            16: # To use this configuration file with the "-extfile" option of the
        !            17: # "openssl x509" utility, name here the section containing the
        !            18: # X.509v3 extensions to use:
        !            19: # extensions           = 
        !            20: # (Alternatively, use a configuration file that has only
        !            21: # X.509v3 extensions in its main [= default] section.)
        !            22: 
        !            23: [ new_oids ]
        !            24: 
        !            25: # We can add new OIDs in here for use by 'ca' and 'req'.
        !            26: # Add a simple OID like this:
        !            27: # testoid1=1.2.3.4
        !            28: # Or use config file substitution like this:
        !            29: # testoid2=${testoid1}.5.6
        !            30: 
        !            31: ####################################################################
        !            32: [ ca ]
        !            33: default_ca     = CA_default            # The default ca section
        !            34: 
        !            35: ####################################################################
        !            36: [ CA_default ]
        !            37: 
        !            38: dir            = ./demoCA              # Where everything is kept
        !            39: certs          = $dir/certs            # Where the issued certs are kept
        !            40: crl_dir                = $dir/crl              # Where the issued crl are kept
        !            41: database       = $dir/index.txt        # database index file.
        !            42: #unique_subject        = no                    # Set to 'no' to allow creation of
        !            43:                                        # several certificates with the same subject.
        !            44: new_certs_dir  = $dir/newcerts         # default place for new certs.
        !            45: 
        !            46: certificate    = $dir/cacert.pem       # The CA certificate
        !            47: serial         = $dir/serial           # The current serial number
        !            48: crlnumber      = $dir/crlnumber        # the current crl number
        !            49:                                        # must be commented out to leave a V1 CRL
        !            50: crl            = $dir/crl.pem          # The current CRL
        !            51: private_key    = $dir/private/cakey.pem# The private key
        !            52: RANDFILE       = $dir/private/.rand    # private random number file
        !            53: 
        !            54: x509_extensions        = usr_cert              # The extensions to add to the cert
        !            55: 
        !            56: # Comment out the following two lines for the "traditional"
        !            57: # (and highly broken) format.
        !            58: name_opt       = ca_default            # Subject Name options
        !            59: cert_opt       = ca_default            # Certificate field options
        !            60: 
        !            61: # Extension copying option: use with caution.
        !            62: # copy_extensions = copy
        !            63: 
        !            64: # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
        !            65: # so this is commented out by default to leave a V1 CRL.
        !            66: # crlnumber must also be commented out to leave a V1 CRL.
        !            67: # crl_extensions       = crl_ext
        !            68: 
        !            69: default_days   = 365                   # how long to certify for
        !            70: default_crl_days= 30                   # how long before next CRL
        !            71: default_md     = sha1                  # which md to use. NOTE: SHA-1 certificate signatures are no longer accepted by current browsers and TLS stacks; use sha256 or stronger for anything beyond local testing.
        !            72: preserve       = no                    # keep passed DN ordering
        !            73: 
        !            74: # A few different ways of specifying how similar the request should look.
        !            75: # For type CA, the listed attributes must be the same, and the optional
        !            76: # and supplied fields are just that :-)
        !            77: policy         = policy_match
        !            78: 
        !            79: # For the CA policy
        !            80: [ policy_match ]
        !            81: countryName            = match
        !            82: stateOrProvinceName    = match
        !            83: organizationName       = match
        !            84: organizationalUnitName = optional
        !            85: commonName             = supplied
        !            86: emailAddress           = optional
        !            87: 
        !            88: # For the 'anything' policy
        !            89: # At this point in time, you must list all acceptable 'object'
        !            90: # types.
        !            91: [ policy_anything ]
        !            92: countryName            = optional
        !            93: stateOrProvinceName    = optional
        !            94: localityName           = optional
        !            95: organizationName       = optional
        !            96: organizationalUnitName = optional
        !            97: commonName             = supplied
        !            98: emailAddress           = optional
        !            99: 
        !           100: ####################################################################
        !           101: [ req ]
        !           102: default_bits           = 1024   # NOTE: 1024-bit RSA is below current minimum key sizes; use 2048 or larger for anything beyond local testing.
        !           103: default_keyfile        = privkey.pem
        !           104: distinguished_name     = req_distinguished_name
        !           105: attributes             = req_attributes
        !           106: x509_extensions        = v3_ca # The extensions to add to the self-signed cert
        !           107: 
        !           108: # Passwords for private keys; if not present they will be prompted for. Setting them here stores the passphrase in plaintext, so keep this file's permissions tight.
        !           109: # input_password = secret
        !           110: # output_password = secret
        !           111: 
        !           112: # This sets a mask for permitted string types. There are several options. 
        !           113: # default: PrintableString, T61String, BMPString.
        !           114: # pkix  : PrintableString, BMPString.
        !           115: # utf8only: only UTF8Strings.
        !           116: # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
        !           117: # MASK:XXXX a literal mask value.
        !           118: # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
        !           119: # so use this option with caution!
        !           120: string_mask = nombstr
        !           121: 
        !           122: # req_extensions = v3_req # The extensions to add to a certificate request
        !           123: 
        !           124: [ req_distinguished_name ]
        !           125: countryName                    = Country Name (2 letter code)
        !           126: countryName_default            = AU
        !           127: countryName_min                        = 2
        !           128: countryName_max                        = 2
        !           129: 
        !           130: stateOrProvinceName            = State or Province Name (full name)
        !           131: stateOrProvinceName_default    = Some-State
        !           132: 
        !           133: localityName                   = Locality Name (eg, city)
        !           134: 
        !           135: 0.organizationName             = Organization Name (eg, company)
        !           136: 0.organizationName_default     = Internet Widgits Pty Ltd
        !           137: 
        !           138: # we can do this but it is not needed normally :-)
        !           139: #1.organizationName            = Second Organization Name (eg, company)
        !           140: #1.organizationName_default    = World Wide Web Pty Ltd
        !           141: 
        !           142: organizationalUnitName         = Organizational Unit Name (eg, section)
        !           143: #organizationalUnitName_default        =
        !           144: 
        !           145: commonName                     = Common Name (eg, YOUR name)
        !           146: commonName_max                 = 64
        !           147: 
        !           148: emailAddress                   = Email Address
        !           149: emailAddress_max               = 64
        !           150: 
        !           151: # SET-ex3                      = SET extension number 3
        !           152: 
        !           153: [ req_attributes ]
        !           154: challengePassword              = A challenge password
        !           155: challengePassword_min          = 4
        !           156: challengePassword_max          = 20
        !           157: 
        !           158: unstructuredName               = An optional company name
        !           159: 
        !           160: [ usr_cert ]
        !           161: 
        !           162: # These extensions are added when 'ca' signs a request.
        !           163: 
        !           164: # This goes against PKIX guidelines but some CAs do it and some software
        !           165: # requires this to avoid interpreting an end user certificate as a CA.
        !           166: 
        !           167: basicConstraints=CA:FALSE
        !           168: 
        !           169: # Here are some examples of the usage of nsCertType. If it is omitted
        !           170: # the certificate can be used for anything *except* object signing.
        !           171: 
        !           172: # This is OK for an SSL server.
        !           173: # nsCertType                   = server
        !           174: 
        !           175: # For an object signing certificate this would be used.
        !           176: # nsCertType = objsign
        !           177: 
        !           178: # For normal client use this is typical
        !           179: # nsCertType = client, email
        !           180: 
        !           181: # and for everything including object signing:
        !           182: # nsCertType = client, email, objsign
        !           183: 
        !           184: # This is typical in keyUsage for a client certificate.
        !           185: # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        !           186: 
        !           187: # This will be displayed in Netscape's comment listbox.
        !           188: nsComment                      = "OpenSSL Generated Certificate"
        !           189: 
        !           190: # PKIX recommendations harmless if included in all certificates.
        !           191: subjectKeyIdentifier=hash
        !           192: authorityKeyIdentifier=keyid,issuer
        !           193: 
        !           194: # This stuff is for subjectAltName and issuerAltName.
        !           195: # Import the email address.
        !           196: # subjectAltName=email:copy
        !           197: # An alternative to produce certificates that aren't
        !           198: # deprecated according to PKIX.
        !           199: # subjectAltName=email:move
        !           200: 
        !           201: # Copy subject details
        !           202: # issuerAltName=issuer:copy
        !           203: 
        !           204: #nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
        !           205: #nsBaseUrl
        !           206: #nsRevocationUrl
        !           207: #nsRenewalUrl
        !           208: #nsCaPolicyUrl
        !           209: #nsSslServerName
        !           210: 
        !           211: [ v3_req ]
        !           212: 
        !           213: # Extensions to add to a certificate request
        !           214: 
        !           215: basicConstraints = CA:FALSE
        !           216: keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        !           217: 
        !           218: [ v3_ca ]
        !           219: 
        !           220: 
        !           221: # Extensions for a typical CA
        !           222: 
        !           223: 
        !           224: # PKIX recommendation.
        !           225: 
        !           226: subjectKeyIdentifier=hash
        !           227: 
        !           228: authorityKeyIdentifier=keyid:always,issuer:always
        !           229: 
        !           230: # This is what PKIX recommends but some broken software chokes on critical
        !           231: # extensions.
        !           232: #basicConstraints = critical,CA:true
        !           233: # So we do this instead.
        !           234: basicConstraints = CA:true
        !           235: 
        !           236: # Key usage: this is typical for a CA certificate. However since it will
        !           237: # prevent it being used as a test self-signed certificate it is best
        !           238: # left out by default.
        !           239: # keyUsage = cRLSign, keyCertSign
        !           240: 
        !           241: # Some might want this also
        !           242: # nsCertType = sslCA, emailCA
        !           243: 
        !           244: # Include email address in subject alt name: another PKIX recommendation
        !           245: # subjectAltName=email:copy
        !           246: # Copy issuer details
        !           247: # issuerAltName=issuer:copy
        !           248: 
        !           249: # DER hex encoding of an extension: beware experts only!
        !           250: # obj=DER:02:03
        !           251: # Where 'obj' is a standard or added object
        !           252: # You can even override a supported extension:
        !           253: # basicConstraints= critical, DER:30:03:01:01:FF
        !           254: 
        !           255: [ crl_ext ]
        !           256: 
        !           257: # CRL extensions.
        !           258: # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
        !           259: 
        !           260: # issuerAltName=issuer:copy
        !           261: authorityKeyIdentifier=keyid:always,issuer:always
        !           262: 
        !           263: [ proxy_cert_ext ]
        !           264: # These extensions should be added when creating a proxy certificate
        !           265: 
        !           266: # This goes against PKIX guidelines but some CAs do it and some software
        !           267: # requires this to avoid interpreting an end user certificate as a CA.
        !           268: 
        !           269: basicConstraints=CA:FALSE
        !           270: 
        !           271: # Here are some examples of the usage of nsCertType. If it is omitted
        !           272: # the certificate can be used for anything *except* object signing.
        !           273: 
        !           274: # This is OK for an SSL server.
        !           275: # nsCertType                   = server
        !           276: 
        !           277: # For an object signing certificate this would be used.
        !           278: # nsCertType = objsign
        !           279: 
        !           280: # For normal client use this is typical
        !           281: # nsCertType = client, email
        !           282: 
        !           283: # and for everything including object signing:
        !           284: # nsCertType = client, email, objsign
        !           285: 
        !           286: # This is typical in keyUsage for a client certificate.
        !           287: # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        !           288: 
        !           289: # This will be displayed in Netscape's comment listbox.
        !           290: nsComment                      = "OpenSSL Generated Certificate"
        !           291: 
        !           292: # PKIX recommendations harmless if included in all certificates.
        !           293: subjectKeyIdentifier=hash
        !           294: authorityKeyIdentifier=keyid,issuer:always
        !           295: 
        !           296: # This stuff is for subjectAltName and issuerAltName.
        !           297: # Import the email address.
        !           298: # subjectAltName=email:copy
        !           299: # An alternative to produce certificates that aren't
        !           300: # deprecated according to PKIX.
        !           301: # subjectAltName=email:move
        !           302: 
        !           303: # Copy subject details
        !           304: # issuerAltName=issuer:copy
        !           305: 
        !           306: #nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
        !           307: #nsBaseUrl
        !           308: #nsRevocationUrl
        !           309: #nsRenewalUrl
        !           310: #nsCaPolicyUrl
        !           311: #nsSslServerName
        !           312: 
        !           313: # This really needs to be in place for it to be a proxy certificate.
        !           314: proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
