# $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.8 2006/07/29 19:14:46 simon Exp $
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Syntax is OpenSSL's own CONF format rather than a generic INI dialect:
# '#' starts a comment anywhere on a line, '$name' / '${name}' expands a
# key defined earlier, and '$ENV::NAME' expands an environment variable.

# Give HOME a value so that the $ENV::HOME expansions below do not fail
# when the variable is missing from the environment.
HOME = .
# Seed file for the random number generator.
# NOTE(review): newer OpenSSL releases may ignore this directive in the
# config file - confirm against the version this build links.
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info, taken either from a separate file ...
#oid_file = $ENV::HOME/.oid
# ... or from a section of this file.
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# Object identifiers defined here become usable by name in the 'ca' and
# 'req' sections. A plain OID is written as
# testoid1=1.2.3.4
# and one that extends an earlier OID can use config substitution:
# testoid2=${testoid1}.5.6

####################################################################
# Entry point for 'openssl ca': names the section holding the CA setup.
[ ca ]
# The default ca section
default_ca = CA_default

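####################################################################
# Settings for the default CA used by 'openssl ca'.
[ CA_default ]

# Where everything is kept
dir = ./demoCA
# Where the issued certs are kept
certs = $dir/certs
# Where the issued crl are kept
crl_dir = $dir/crl
# database index file.
database = $dir/index.txt
# Set to 'no' to allow creation of several certificates with the same
# subject.
#unique_subject = no
# default place for new certs.
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# the current crl number; must be commented out to leave a V1 CRL
crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/crl.pem
# The private key. Nothing in this file restricts access to it, so the
# file itself must be readable by the CA user only.
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand

# The extensions to add to the cert
x509_extensions = usr_cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default

# Extension copying option: use with caution. With 'copy', extensions
# present in the request (subjectAltName, for example) are carried into
# the issued certificate unless the x509_extensions section sets the
# same extension, so requests would need to be checked before signing.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

# how long to certify for (days)
default_days = 365
# how long before next CRL (days)
default_crl_days = 30
# which md to use. SHA-1 certificate signatures are rejected by current
# verifiers, so sign with SHA-256 (supported since OpenSSL 0.9.8).
default_md = sha256
# keep passed DN ordering
preserve = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
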
# For the CA policy. Each listed subject field must either 'match' the
# value in the CA certificate, be 'supplied' by the request, or is
# 'optional'; fields not listed are not allowed in the request.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy: only commonName is required, everything
# else may be present or absent.
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

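####################################################################
# Settings for 'openssl req' (certificate requests and self-signed certs).
[ req ]
# Key size in bits when 'req' generates the key. 1024-bit RSA is below
# the minimum that current CAs and verifiers accept, so use 2048.
default_bits = 2048
# Where a generated private key is written.
default_keyfile = privkey.pem
# Digest used to sign the request or self-signed certificate; SHA-1 is
# rejected by current verifiers.
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca

# Passwords for private keys if not present they will be prompted for.
# Setting them here places the passphrase in this plain-text file, so
# prompting is the better choice.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# The extensions to add to a certificate request
# req_extensions = v3_req
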
# Subject DN fields prompted for by 'openssl req', in this order.
# For a field NAME: 'NAME' is the prompt text, 'NAME_default' the value
# used when the prompt is left empty, 'NAME_min' / 'NAME_max' the
# accepted length. A numeric prefix such as '0.' allows the same field
# to appear more than once.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# A second organizationName is possible but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

# Attributes attached to the request itself (selected by 'attributes'
# in the [ req ] section); they are prompted for like DN fields.
[ req_attributes ]
challengePassword = A challenge password
# length bounds for the challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# Extensions added when 'ca' signs a request for an end-entity certificate.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE

# nsCertType examples. If it is omitted the certificate can be used for
# anything *except* object signing.
# an SSL server:
# nsCertType = server
# an object signing certificate:
# nsCertType = objsign
# normal client use:
# nsCertType = client, email
# everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# subjectAltName and issuerAltName. Either import the email address
# from the subject ...
# subjectAltName=email:copy
# ... or move it out of the subject, which avoids a form PKIX deprecates.
# subjectAltName=email:move

# Copy issuer details
# issuerAltName=issuer:copy

# Netscape-specific URL extensions, all optional.
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request; only used when
# 'req_extensions = v3_req' is enabled in the [ req ] section.

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

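[ v3_ca ]

# Extensions for a typical CA (also used by 'req -x509' for the
# self-signed CA certificate, see x509_extensions in [ req ]).

# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# RFC 5280 requires basicConstraints to be marked critical in a CA
# certificate. The non-critical form was a workaround for long-obsolete
# software that choked on critical extensions.
basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
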
[ crl_ext ]

# CRL extensions, used only when 'crl_extensions = crl_ext' is enabled
# in [ CA_default ].
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ proxy_cert_ext ]
# Extensions to add when creating a proxy certificate.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE

# nsCertType examples. If it is omitted the certificate can be used for
# anything *except* object signing.
# an SSL server:
# nsCertType = server
# an object signing certificate:
# nsCertType = objsign
# normal client use:
# nsCertType = client, email
# everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# subjectAltName and issuerAltName. Either import the email address
# from the subject ...
# subjectAltName=email:copy
# ... or move it out of the subject, which avoids a form PKIX deprecates.
# subjectAltName=email:move

# Copy issuer details
# issuerAltName=issuer:copy

# Netscape-specific URL extensions, all optional.
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# 'policy:foo' looks like a placeholder policy value from the upstream
# example; confirm it is what the deployment intends.
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo