Annotation of elwix/config/etc/uboot/ssl/openssl.cnf, revision 1.1.2.1

1.1.2.1 ! misho       1: # $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.8 2006/07/29 19:14:46 simon Exp $
        !             2: #
        !             3: # OpenSSL example configuration file.
        !             4: # This is mostly being used for generation of certificate requests.
        !             5: #
        !             6: 
        !             7: # This definition stops the following lines choking if HOME isn't
        !             8: # defined.
        !             9: HOME                   = .
        !            10: RANDFILE               = $ENV::HOME/.rnd
        !            11: 
        !            12: # Extra OBJECT IDENTIFIER info:
        !            13: #oid_file              = $ENV::HOME/.oid
        !            14: oid_section            = new_oids
        !            15: 
        !            16: # To use this configuration file with the "-extfile" option of the
        !            17: # "openssl x509" utility, name here the section containing the
        !            18: # X.509v3 extensions to use:
        !            19: # extensions           = 
        !            20: # (Alternatively, use a configuration file that has only
        !            21: # X.509v3 extensions in its main [= default] section.)
        !            22: 
        !            23: [ new_oids ]
        !            24: 
        !            25: # We can add new OIDs in here for use by 'ca' and 'req'.
        !            26: # Add a simple OID like this:
        !            27: # testoid1=1.2.3.4
        !            28: # Or use config file substitution like this:
        !            29: # testoid2=${testoid1}.5.6
        !            30: 
        !            31: ####################################################################
        !            32: [ ca ]
        !            33: default_ca     = CA_default            # The default ca section
        !            34: 
        !            35: ####################################################################
        !            36: [ CA_default ]
        !            37: 
        !            38: dir            = ./demoCA              # Where everything is kept
        !            39: certs          = $dir/certs            # Where the issued certs are kept
        !            40: crl_dir                = $dir/crl              # Where the issued crl are kept
        !            41: database       = $dir/index.txt        # database index file.
        !            42: #unique_subject        = no                    # Set to 'no' to allow creation of
        !            43:                                        # several ctificates with same subject.
        !            44: new_certs_dir  = $dir/newcerts         # default place for new certs.
        !            45: 
        !            46: certificate    = $dir/cacert.pem       # The CA certificate
        !            47: serial         = $dir/serial           # The current serial number
        !            48: crlnumber      = $dir/crlnumber        # the current crl number
        !            49:                                        # must be commented out to leave a V1 CRL
        !            50: crl            = $dir/crl.pem          # The current CRL
        !            51: private_key    = $dir/private/cakey.pem# The private key
        !            52: RANDFILE       = $dir/private/.rand    # private random number file
        !            53: 
        !            54: x509_extensions        = usr_cert              # The extentions to add to the cert
        !            55: 
        !            56: # Comment out the following two lines for the "traditional"
        !            57: # (and highly broken) format.
        !            58: name_opt       = ca_default            # Subject Name options
        !            59: cert_opt       = ca_default            # Certificate field options
        !            60: 
        !            61: # Extension copying option: use with caution.
        !            62: # copy_extensions = copy
        !            63: 
        !            64: # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
        !            65: # so this is commented out by default to leave a V1 CRL.
        !            66: # crlnumber must also be commented out to leave a V1 CRL.
        !            67: # crl_extensions       = crl_ext
        !            68: 
        !            69: default_days   = 365                   # how long to certify for
        !            70: default_crl_days= 30                   # how long before next CRL
        !            71: default_md     = sha1                  # which md to use.
        !            72: preserve       = no                    # keep passed DN ordering
        !            73: 
        !            74: # A few difference way of specifying how similar the request should look
        !            75: # For type CA, the listed attributes must be the same, and the optional
        !            76: # and supplied fields are just that :-)
        !            77: policy         = policy_match
        !            78: 
        !            79: # For the CA policy
        !            80: [ policy_match ]
        !            81: countryName            = match
        !            82: stateOrProvinceName    = match
        !            83: organizationName       = match
        !            84: organizationalUnitName = optional
        !            85: commonName             = supplied
        !            86: emailAddress           = optional
        !            87: 
        !            88: # For the 'anything' policy
        !            89: # At this point in time, you must list all acceptable 'object'
        !            90: # types.
        !            91: [ policy_anything ]
        !            92: countryName            = optional
        !            93: stateOrProvinceName    = optional
        !            94: localityName           = optional
        !            95: organizationName       = optional
        !            96: organizationalUnitName = optional
        !            97: commonName             = supplied
        !            98: emailAddress           = optional
        !            99: 
        !           100: ####################################################################
        !           101: [ req ]
        !           102: default_bits           = 1024
        !           103: default_keyfile        = privkey.pem
        !           104: distinguished_name     = req_distinguished_name
        !           105: attributes             = req_attributes
        !           106: x509_extensions        = v3_ca # The extentions to add to the self signed cert
        !           107: 
        !           108: # Passwords for private keys if not present they will be prompted for
        !           109: # input_password = secret
        !           110: # output_password = secret
        !           111: 
        !           112: # This sets a mask for permitted string types. There are several options. 
        !           113: # default: PrintableString, T61String, BMPString.
        !           114: # pkix  : PrintableString, BMPString.
        !           115: # utf8only: only UTF8Strings.
        !           116: # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
        !           117: # MASK:XXXX a literal mask value.
        !           118: # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
        !           119: # so use this option with caution!
        !           120: string_mask = nombstr
        !           121: 
        !           122: # req_extensions = v3_req # The extensions to add to a certificate request
        !           123: 
        !           124: [ req_distinguished_name ]
        !           125: countryName                    = Country Name (2 letter code)
        !           126: countryName_default            = AU
        !           127: countryName_min                        = 2
        !           128: countryName_max                        = 2
        !           129: 
        !           130: stateOrProvinceName            = State or Province Name (full name)
        !           131: stateOrProvinceName_default    = Some-State
        !           132: 
        !           133: localityName                   = Locality Name (eg, city)
        !           134: 
        !           135: 0.organizationName             = Organization Name (eg, company)
        !           136: 0.organizationName_default     = Internet Widgits Pty Ltd
        !           137: 
        !           138: # we can do this but it is not needed normally :-)
        !           139: #1.organizationName            = Second Organization Name (eg, company)
        !           140: #1.organizationName_default    = World Wide Web Pty Ltd
        !           141: 
        !           142: organizationalUnitName         = Organizational Unit Name (eg, section)
        !           143: #organizationalUnitName_default        =
        !           144: 
        !           145: commonName                     = Common Name (eg, YOUR name)
        !           146: commonName_max                 = 64
        !           147: 
        !           148: emailAddress                   = Email Address
        !           149: emailAddress_max               = 64
        !           150: 
        !           151: # SET-ex3                      = SET extension number 3
        !           152: 
        !           153: [ req_attributes ]
        !           154: challengePassword              = A challenge password
        !           155: challengePassword_min          = 4
        !           156: challengePassword_max          = 20
        !           157: 
        !           158: unstructuredName               = An optional company name
        !           159: 
        !           160: [ usr_cert ]
        !           161: 
        !           162: # These extensions are added when 'ca' signs a request.
        !           163: 
        !           164: # This goes against PKIX guidelines but some CAs do it and some software
        !           165: # requires this to avoid interpreting an end user certificate as a CA.
        !           166: 
        !           167: basicConstraints=CA:FALSE
        !           168: 
        !           169: # Here are some examples of the usage of nsCertType. If it is omitted
        !           170: # the certificate can be used for anything *except* object signing.
        !           171: 
        !           172: # This is OK for an SSL server.
        !           173: # nsCertType                   = server
        !           174: 
        !           175: # For an object signing certificate this would be used.
        !           176: # nsCertType = objsign
        !           177: 
        !           178: # For normal client use this is typical
        !           179: # nsCertType = client, email
        !           180: 
        !           181: # and for everything including object signing:
        !           182: # nsCertType = client, email, objsign
        !           183: 
        !           184: # This is typical in keyUsage for a client certificate.
        !           185: # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        !           186: 
        !           187: # This will be displayed in Netscape's comment listbox.
        !           188: nsComment                      = "OpenSSL Generated Certificate"
        !           189: 
        !           190: # PKIX recommendations harmless if included in all certificates.
        !           191: subjectKeyIdentifier=hash
        !           192: authorityKeyIdentifier=keyid,issuer
        !           193: 
        !           194: # This stuff is for subjectAltName and issuerAltname.
        !           195: # Import the email address.
        !           196: # subjectAltName=email:copy
        !           197: # An alternative to produce certificates that aren't
        !           198: # deprecated according to PKIX.
        !           199: # subjectAltName=email:move
        !           200: 
        !           201: # Copy subject details
        !           202: # issuerAltName=issuer:copy
        !           203: 
        !           204: #nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
        !           205: #nsBaseUrl
        !           206: #nsRevocationUrl
        !           207: #nsRenewalUrl
        !           208: #nsCaPolicyUrl
        !           209: #nsSslServerName
        !           210: 
        !           211: [ v3_req ]
        !           212: 
        !           213: # Extensions to add to a certificate request
        !           214: 
        !           215: basicConstraints = CA:FALSE
        !           216: keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        !           217: 
        !           218: [ v3_ca ]
        !           219: 
        !           220: 
        !           221: # Extensions for a typical CA
        !           222: 
        !           223: 
        !           224: # PKIX recommendation.
        !           225: 
        !           226: subjectKeyIdentifier=hash
        !           227: 
        !           228: authorityKeyIdentifier=keyid:always,issuer:always
        !           229: 
        !           230: # This is what PKIX recommends but some broken software chokes on critical
        !           231: # extensions.
        !           232: #basicConstraints = critical,CA:true
        !           233: # So we do this instead.
        !           234: basicConstraints = CA:true
        !           235: 
        !           236: # Key usage: this is typical for a CA certificate. However since it will
        !           237: # prevent it being used as an test self-signed certificate it is best
        !           238: # left out by default.
        !           239: # keyUsage = cRLSign, keyCertSign
        !           240: 
        !           241: # Some might want this also
        !           242: # nsCertType = sslCA, emailCA
        !           243: 
        !           244: # Include email address in subject alt name: another PKIX recommendation
        !           245: # subjectAltName=email:copy
        !           246: # Copy issuer details
        !           247: # issuerAltName=issuer:copy
        !           248: 
        !           249: # DER hex encoding of an extension: beware experts only!
        !           250: # obj=DER:02:03
        !           251: # Where 'obj' is a standard or added object
        !           252: # You can even override a supported extension:
        !           253: # basicConstraints= critical, DER:30:03:01:01:FF
        !           254: 
        !           255: [ crl_ext ]
        !           256: 
        !           257: # CRL extensions.
        !           258: # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
        !           259: 
        !           260: # issuerAltName=issuer:copy
        !           261: authorityKeyIdentifier=keyid:always,issuer:always
        !           262: 
        !           263: [ proxy_cert_ext ]
        !           264: # These extensions should be added when creating a proxy certificate
        !           265: 
        !           266: # This goes against PKIX guidelines but some CAs do it and some software
        !           267: # requires this to avoid interpreting an end user certificate as a CA.
        !           268: 
        !           269: basicConstraints=CA:FALSE
        !           270: 
        !           271: # Here are some examples of the usage of nsCertType. If it is omitted
        !           272: # the certificate can be used for anything *except* object signing.
        !           273: 
        !           274: # This is OK for an SSL server.
        !           275: # nsCertType                   = server
        !           276: 
        !           277: # For an object signing certificate this would be used.
        !           278: # nsCertType = objsign
        !           279: 
        !           280: # For normal client use this is typical
        !           281: # nsCertType = client, email
        !           282: 
        !           283: # and for everything including object signing:
        !           284: # nsCertType = client, email, objsign
        !           285: 
        !           286: # This is typical in keyUsage for a client certificate.
        !           287: # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        !           288: 
        !           289: # This will be displayed in Netscape's comment listbox.
        !           290: nsComment                      = "OpenSSL Generated Certificate"
        !           291: 
        !           292: # PKIX recommendations harmless if included in all certificates.
        !           293: subjectKeyIdentifier=hash
        !           294: authorityKeyIdentifier=keyid,issuer:always
        !           295: 
        !           296: # This stuff is for subjectAltName and issuerAltname.
        !           297: # Import the email address.
        !           298: # subjectAltName=email:copy
        !           299: # An alternative to produce certificates that aren't
        !           300: # deprecated according to PKIX.
        !           301: # subjectAltName=email:move
        !           302: 
        !           303: # Copy subject details
        !           304: # issuerAltName=issuer:copy
        !           305: 
        !           306: #nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
        !           307: #nsBaseUrl
        !           308: #nsRevocationUrl
        !           309: #nsRenewalUrl
        !           310: #nsCaPolicyUrl
        !           311: #nsSslServerName
        !           312: 
        !           313: # This really needs to be in place for it to be a proxy certificate.
        !           314: proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>