1 # 2 # OpenSSL example configuration file. 3 # See doc/man5/config.pod for more info. 4 # 5 # This is mostly being used for generation of certificate requests, 6 # but may be used for auto loading of providers 7 8 # Note that you can include other files from the main configuration 9 # file using the .include directive. 10 #.include filename 11 12 # This definition stops the following lines choking if HOME isn't 13 # defined. 14 HOME = . 15 16 # Use this in order to automatically load providers. 17 openssl_conf = openssl_init 18 19 # Comment out the next line to ignore configuration errors 20 config_diagnostics = 1 21 22 # Extra OBJECT IDENTIFIER info: 23 # oid_file = $ENV::HOME/.oid 24 oid_section = new_oids 25 26 # To use this configuration file with the "-extfile" option of the 27 # "openssl x509" utility, name here the section containing the 28 # X.509v3 extensions to use: 29 # extensions = 30 # (Alternatively, use a configuration file that has only 31 # X.509v3 extensions in its main [= default] section.) 32 33 [ new_oids ] 34 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 35 # Add a simple OID like this: 36 # testoid1=1.2.3.4 37 # Or use config file substitution like this: 38 # testoid2=${testoid1}.5.6 39 40 # Policies used by the TSA examples. 41 tsa_policy1 = 1.2.3.4.1 42 tsa_policy2 = 1.2.3.4.5.6 43 tsa_policy3 = 1.2.3.4.5.7 44 45 # For FIPS 46 # Optionally include a file that is generated by the OpenSSL fipsinstall 47 # application. This file contains configuration data required by the OpenSSL 48 # fips provider. It contains a named section e.g. [fips_sect] which is 49 # referenced from the [provider_sect] below. 50 # Refer to the OpenSSL security policy for more information. 51 # .include fipsmodule.cnf 52 53 [openssl_init] 54 providers = provider_sect 55 56 # List of providers to load 57 [provider_sect] 58 default = default_sect 59 # The fips section name should match the section name inside the 60 # included fipsmodule.cnf. 61 # fips = fips_sect 62 63 # If no providers are activated explicitly, the default one is activated implicitly. 64 # See man 7 OSSL_PROVIDER-default for more details. 65 # 66 # If you add a section explicitly activating any other provider(s), you most 67 # probably need to explicitly activate the default provider, otherwise it 68 # becomes unavailable in openssl. As a consequence applications depending on 69 # OpenSSL may not work correctly which could lead to significant system 70 # problems including inability to remotely access the system. 71 [default_sect] 72 # activate = 1 73 74 75 #################################################################### 76 [ ca ] 77 default_ca = CA_default # The default ca section 78 79 #################################################################### 80 [ CA_default ] 81 82 dir = ./demoCA # Where everything is kept 83 certs = $dir/certs # Where the issued certs are kept 84 crl_dir = $dir/crl # Where the issued crl are kept 85 database = $dir/index.txt # database index file. 86 #unique_subject = no # Set to 'no' to allow creation of 87 # several certs with same subject. 88 new_certs_dir = $dir/newcerts # default place for new certs. 89 90 certificate = $dir/cacert.pem # The CA certificate 91 serial = $dir/serial # The current serial number 92 crlnumber = $dir/crlnumber # the current crl number 93 # must be commented out to leave a V1 CRL 94 crl = $dir/crl.pem # The current CRL 95 private_key = $dir/private/cakey.pem # The private key 96 97 x509_extensions = usr_cert # The extensions to add to the cert 98 99 # Comment out the following two lines for the "traditional" 100 # (and highly broken) format. 101 name_opt = ca_default # Subject Name options 102 cert_opt = ca_default # Certificate field options 103 104 # Extension copying option: use with caution. 105 # copy_extensions = copy 106 107 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 108 # so this is commented out by default to leave a V1 CRL. 109 # crlnumber must also be commented out to leave a V1 CRL. 110 # crl_extensions = crl_ext 111 112 default_days = 365 # how long to certify for 113 default_crl_days= 30 # how long before next CRL 114 default_md = default # use public key default MD 115 preserve = no # keep passed DN ordering 116 117 # A few difference way of specifying how similar the request should look 118 # For type CA, the listed attributes must be the same, and the optional 119 # and supplied fields are just that :-) 120 policy = policy_match 121 122 # For the CA policy 123 [ policy_match ] 124 countryName = match 125 stateOrProvinceName = match 126 organizationName = match 127 organizationalUnitName = optional 128 commonName = supplied 129 emailAddress = optional 130 131 # For the 'anything' policy 132 # At this point in time, you must list all acceptable 'object' 133 # types. 134 [ policy_anything ] 135 countryName = optional 136 stateOrProvinceName = optional 137 localityName = optional 138 organizationName = optional 139 organizationalUnitName = optional 140 commonName = supplied 141 emailAddress = optional 142 143 #################################################################### 144 [ req ] 145 default_bits = 2048 146 default_keyfile = privkey.pem 147 distinguished_name = req_distinguished_name 148 attributes = req_attributes 149 x509_extensions = v3_ca # The extensions to add to the self signed cert 150 151 # Passwords for private keys if not present they will be prompted for 152 # input_password = secret 153 # output_password = secret 154 155 # This sets a mask for permitted string types. There are several options. 156 # default: PrintableString, T61String, BMPString. 157 # pkix : PrintableString, BMPString (PKIX recommendation before 2004) 158 # utf8only: only UTF8Strings (PKIX recommendation after 2004). 159 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 160 # MASK:XXXX a literal mask value. 161 # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 162 string_mask = utf8only 163 164 # req_extensions = v3_req # The extensions to add to a certificate request 165 166 [ req_distinguished_name ] 167 countryName = Country Name (2 letter code) 168 countryName_default = AU 169 countryName_min = 2 170 countryName_max = 2 171 172 stateOrProvinceName = State or Province Name (full name) 173 stateOrProvinceName_default = Some-State 174 175 localityName = Locality Name (eg, city) 176 177 0.organizationName = Organization Name (eg, company) 178 0.organizationName_default = Internet Widgits Pty Ltd 179 180 # we can do this but it is not needed normally :-) 181 #1.organizationName = Second Organization Name (eg, company) 182 #1.organizationName_default = World Wide Web Pty Ltd 183 184 organizationalUnitName = Organizational Unit Name (eg, section) 185 #organizationalUnitName_default = 186 187 commonName = Common Name (e.g. server FQDN or YOUR name) 188 commonName_max = 64 189 190 emailAddress = Email Address 191 emailAddress_max = 64 192 193 # SET-ex3 = SET extension number 3 194 195 [ req_attributes ] 196 challengePassword = A challenge password 197 challengePassword_min = 4 198 challengePassword_max = 20 199 200 unstructuredName = An optional company name 201 202 [ usr_cert ] 203 204 # These extensions are added when 'ca' signs a request. 205 206 # This goes against PKIX guidelines but some CAs do it and some software 207 # requires this to avoid interpreting an end user certificate as a CA. 208 209 basicConstraints=CA:FALSE 210 211 # This is typical in keyUsage for a client certificate. 212 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 213 214 # PKIX recommendations harmless if included in all certificates. 215 subjectKeyIdentifier=hash 216 authorityKeyIdentifier=keyid,issuer 217 218 # This stuff is for subjectAltName and issuerAltname. 219 # Import the email address. 220 # subjectAltName=email:copy 221 # An alternative to produce certificates that aren't 222 # deprecated according to PKIX. 223 # subjectAltName=email:move 224 225 # Copy subject details 226 # issuerAltName=issuer:copy 227 228 # This is required for TSA certificates. 229 # extendedKeyUsage = critical,timeStamping 230 231 [ v3_req ] 232 233 # Extensions to add to a certificate request 234 235 basicConstraints = CA:FALSE 236 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 237 238 [ v3_ca ] 239 240 241 # Extensions for a typical CA 242 243 244 # PKIX recommendation. 245 246 subjectKeyIdentifier=hash 247 248 authorityKeyIdentifier=keyid:always,issuer 249 250 basicConstraints = critical,CA:true 251 252 # Key usage: this is typical for a CA certificate. However since it will 253 # prevent it being used as an test self-signed certificate it is best 254 # left out by default. 255 # keyUsage = cRLSign, keyCertSign 256 257 # Include email address in subject alt name: another PKIX recommendation 258 # subjectAltName=email:copy 259 # Copy issuer details 260 # issuerAltName=issuer:copy 261 262 # DER hex encoding of an extension: beware experts only! 263 # obj=DER:02:03 264 # Where 'obj' is a standard or added object 265 # You can even override a supported extension: 266 # basicConstraints= critical, DER:30:03:01:01:FF 267 268 [ crl_ext ] 269 270 # CRL extensions. 271 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 272 273 # issuerAltName=issuer:copy 274 authorityKeyIdentifier=keyid:always 275 276 [ proxy_cert_ext ] 277 # These extensions should be added when creating a proxy certificate 278 279 # This goes against PKIX guidelines but some CAs do it and some software 280 # requires this to avoid interpreting an end user certificate as a CA. 281 282 basicConstraints=CA:FALSE 283 284 # This is typical in keyUsage for a client certificate. 285 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 286 287 # PKIX recommendations harmless if included in all certificates. 288 subjectKeyIdentifier=hash 289 authorityKeyIdentifier=keyid,issuer 290 291 # This stuff is for subjectAltName and issuerAltname. 292 # Import the email address. 293 # subjectAltName=email:copy 294 # An alternative to produce certificates that aren't 295 # deprecated according to PKIX. 296 # subjectAltName=email:move 297 298 # Copy subject details 299 # issuerAltName=issuer:copy 300 301 # This really needs to be in place for it to be a proxy certificate. 302 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 303 304 #################################################################### 305 [ tsa ] 306 307 default_tsa = tsa_config1 # the default TSA section 308 309 [ tsa_config1 ] 310 311 # These are used by the TSA reply generation only. 312 dir = ./demoCA # TSA root directory 313 serial = $dir/tsaserial # The current serial number (mandatory) 314 crypto_device = builtin # OpenSSL engine to use for signing 315 signer_cert = $dir/tsacert.pem # The TSA signing certificate 316 # (optional) 317 certs = $dir/cacert.pem # Certificate chain to include in reply 318 # (optional) 319 signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 320 signer_digest = sha256 # Signing digest to use. (Optional) 321 default_policy = tsa_policy1 # Policy if request did not specify it 322 # (optional) 323 other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 324 digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) 325 accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 326 clock_precision_digits = 0 # number of digits after dot. (optional) 327 ordering = yes # Is ordering defined for timestamps? 328 # (optional, default: no) 329 tsa_name = yes # Must the TSA name be included in the reply? 330 # (optional, default: no) 331 ess_cert_id_chain = no # Must the ESS cert id chain be included? 332 # (optional, default: no) 333 ess_cert_id_alg = sha256 # algorithm to compute certificate 334 # identifier (optional, default: sha256) 335 336 [insta] # CMP using Insta Demo CA 337 # Message transfer 338 server = pki.certificate.fi:8700 339 # proxy = # set this as far as needed, e.g., http://192.168.1.1:8080 340 # tls_use = 0 341 path = pkix/ 342 343 # Server authentication 344 recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer 345 ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature 346 unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected 347 extracertsout = insta.extracerts.pem 348 349 # Client authentication 350 ref = 3078 # user identification 351 secret = pass:insta # can be used for both client and server side 352 353 # Generic message options 354 cmd = ir # default operation, can be overridden on cmd line with, e.g., kur 355 356 # Certificate enrollment 357 subject = "/CN=openssl-cmp-test" 358 newkey = insta.priv.pem 359 out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature 360 certout = insta.cert.pem 361 362 [pbm] # Password-based protection for Insta CA 363 # Server and client authentication 364 ref = $insta::ref # 3078 365 secret = $insta::secret # pass:insta 366 367 [signature] # Signature-based protection for Insta CA 368 # Server authentication 369 trusted = $insta::out_trusted # apps/insta.ca.crt 370 371 # Client authentication 372 secret = # disable PBM 373 key = $insta::newkey # insta.priv.pem 374 cert = $insta::certout # insta.cert.pem 375 376 [ir] 377 cmd = ir 378 379 [cr] 380 cmd = cr 381 382 [kur] 383 # Certificate update 384 cmd = kur 385 oldcert = $insta::certout # insta.cert.pem 386 387 [rr] 388 # Certificate revocation 389 cmd = rr 390 oldcert = $insta::certout # insta.cert.pem 391
Indexes created Sat Feb 28 05:31:39 UTC 2026