1 # 2 # OpenSSL example configuration file. 3 # This is mostly being used for generation of certificate requests. 4 # 5 6 # Note that you can include other files from the main configuration 7 # file using the .include directive. 8 #.include filename 9 10 # This definition stops the following lines choking if HOME isn't 11 # defined. 12 HOME = . 13 14 # Extra OBJECT IDENTIFIER info: 15 #oid_file = $ENV::HOME/.oid 16 oid_section = new_oids 17 18 # To use this configuration file with the "-extfile" option of the 19 # "openssl x509" utility, name here the section containing the 20 # X.509v3 extensions to use: 21 # extensions = 22 # (Alternatively, use a configuration file that has only 23 # X.509v3 extensions in its main [= default] section.) 24 25 [ new_oids ] 26 27 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 28 # Add a simple OID like this: 29 # testoid1=1.2.3.4 30 # Or use config file substitution like this: 31 # testoid2=${testoid1}.5.6 32 33 # Policies used by the TSA examples. 34 tsa_policy1 = 1.2.3.4.1 35 tsa_policy2 = 1.2.3.4.5.6 36 tsa_policy3 = 1.2.3.4.5.7 37 38 #################################################################### 39 [ ca ] 40 default_ca = CA_default # The default ca section 41 42 #################################################################### 43 [ CA_default ] 44 45 dir = ./demoCA # Where everything is kept 46 certs = $dir/certs # Where the issued certs are kept 47 crl_dir = $dir/crl # Where the issued crl are kept 48 database = $dir/index.txt # database index file. 49 #unique_subject = no # Set to 'no' to allow creation of 50 # several certs with same subject. 51 new_certs_dir = $dir/newcerts # default place for new certs. 52 53 certificate = $dir/cacert.pem # The CA certificate 54 serial = $dir/serial # The current serial number 55 crlnumber = $dir/crlnumber # the current crl number 56 # must be commented out to leave a V1 CRL 57 crl = $dir/crl.pem # The current CRL 58 private_key = $dir/private/cakey.pem# The private key 59 60 x509_extensions = usr_cert # The extensions to add to the cert 61 62 # Comment out the following two lines for the "traditional" 63 # (and highly broken) format. 64 name_opt = ca_default # Subject Name options 65 cert_opt = ca_default # Certificate field options 66 67 # Extension copying option: use with caution. 68 # copy_extensions = copy 69 70 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 71 # so this is commented out by default to leave a V1 CRL. 72 # crlnumber must also be commented out to leave a V1 CRL. 73 # crl_extensions = crl_ext 74 75 default_days = 365 # how long to certify for 76 default_crl_days= 30 # how long before next CRL 77 default_md = default # use public key default MD 78 preserve = no # keep passed DN ordering 79 80 # A few difference way of specifying how similar the request should look 81 # For type CA, the listed attributes must be the same, and the optional 82 # and supplied fields are just that :-) 83 policy = policy_match 84 85 # For the CA policy 86 [ policy_match ] 87 countryName = match 88 stateOrProvinceName = match 89 organizationName = match 90 organizationalUnitName = optional 91 commonName = supplied 92 emailAddress = optional 93 94 # For the 'anything' policy 95 # At this point in time, you must list all acceptable 'object' 96 # types. 97 [ policy_anything ] 98 countryName = optional 99 stateOrProvinceName = optional 100 localityName = optional 101 organizationName = optional 102 organizationalUnitName = optional 103 commonName = supplied 104 emailAddress = optional 105 106 #################################################################### 107 [ req ] 108 default_bits = 2048 109 default_keyfile = privkey.pem 110 distinguished_name = req_distinguished_name 111 attributes = req_attributes 112 x509_extensions = v3_ca # The extensions to add to the self signed cert 113 114 # Passwords for private keys if not present they will be prompted for 115 # input_password = secret 116 # output_password = secret 117 118 # This sets a mask for permitted string types. There are several options. 119 # default: PrintableString, T61String, BMPString. 120 # pkix : PrintableString, BMPString (PKIX recommendation before 2004) 121 # utf8only: only UTF8Strings (PKIX recommendation after 2004). 122 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 123 # MASK:XXXX a literal mask value. 124 # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 125 string_mask = utf8only 126 127 # req_extensions = v3_req # The extensions to add to a certificate request 128 129 [ req_distinguished_name ] 130 countryName = Country Name (2 letter code) 131 countryName_default = AU 132 countryName_min = 2 133 countryName_max = 2 134 135 stateOrProvinceName = State or Province Name (full name) 136 stateOrProvinceName_default = Some-State 137 138 localityName = Locality Name (eg, city) 139 140 0.organizationName = Organization Name (eg, company) 141 0.organizationName_default = Internet Widgits Pty Ltd 142 143 # we can do this but it is not needed normally :-) 144 #1.organizationName = Second Organization Name (eg, company) 145 #1.organizationName_default = World Wide Web Pty Ltd 146 147 organizationalUnitName = Organizational Unit Name (eg, section) 148 #organizationalUnitName_default = 149 150 commonName = Common Name (e.g. server FQDN or YOUR name) 151 commonName_max = 64 152 153 emailAddress = Email Address 154 emailAddress_max = 64 155 156 # SET-ex3 = SET extension number 3 157 158 [ req_attributes ] 159 challengePassword = A challenge password 160 challengePassword_min = 4 161 challengePassword_max = 20 162 163 unstructuredName = An optional company name 164 165 [ usr_cert ] 166 167 # These extensions are added when 'ca' signs a request. 168 169 # This goes against PKIX guidelines but some CAs do it and some software 170 # requires this to avoid interpreting an end user certificate as a CA. 171 172 basicConstraints=CA:FALSE 173 174 # Here are some examples of the usage of nsCertType. If it is omitted 175 # the certificate can be used for anything *except* object signing. 176 177 # This is OK for an SSL server. 178 # nsCertType = server 179 180 # For an object signing certificate this would be used. 181 # nsCertType = objsign 182 183 # For normal client use this is typical 184 # nsCertType = client, email 185 186 # and for everything including object signing: 187 # nsCertType = client, email, objsign 188 189 # This is typical in keyUsage for a client certificate. 190 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 191 192 # This will be displayed in Netscape's comment listbox. 193 nsComment = "OpenSSL Generated Certificate" 194 195 # PKIX recommendations harmless if included in all certificates. 196 subjectKeyIdentifier=hash 197 authorityKeyIdentifier=keyid,issuer 198 199 # This stuff is for subjectAltName and issuerAltname. 200 # Import the email address. 201 # subjectAltName=email:copy 202 # An alternative to produce certificates that aren't 203 # deprecated according to PKIX. 204 # subjectAltName=email:move 205 206 # Copy subject details 207 # issuerAltName=issuer:copy 208 209 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 210 #nsBaseUrl 211 #nsRevocationUrl 212 #nsRenewalUrl 213 #nsCaPolicyUrl 214 #nsSslServerName 215 216 # This is required for TSA certificates. 217 # extendedKeyUsage = critical,timeStamping 218 219 [ v3_req ] 220 221 # Extensions to add to a certificate request 222 223 basicConstraints = CA:FALSE 224 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 225 226 [ v3_ca ] 227 228 229 # Extensions for a typical CA 230 231 232 # PKIX recommendation. 233 234 subjectKeyIdentifier=hash 235 236 authorityKeyIdentifier=keyid:always,issuer 237 238 basicConstraints = critical,CA:true 239 240 # Key usage: this is typical for a CA certificate. However since it will 241 # prevent it being used as an test self-signed certificate it is best 242 # left out by default. 243 # keyUsage = cRLSign, keyCertSign 244 245 # Some might want this also 246 # nsCertType = sslCA, emailCA 247 248 # Include email address in subject alt name: another PKIX recommendation 249 # subjectAltName=email:copy 250 # Copy issuer details 251 # issuerAltName=issuer:copy 252 253 # DER hex encoding of an extension: beware experts only! 254 # obj=DER:02:03 255 # Where 'obj' is a standard or added object 256 # You can even override a supported extension: 257 # basicConstraints= critical, DER:30:03:01:01:FF 258 259 [ crl_ext ] 260 261 # CRL extensions. 262 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 263 264 # issuerAltName=issuer:copy 265 authorityKeyIdentifier=keyid:always 266 267 [ proxy_cert_ext ] 268 # These extensions should be added when creating a proxy certificate 269 270 # This goes against PKIX guidelines but some CAs do it and some software 271 # requires this to avoid interpreting an end user certificate as a CA. 272 273 basicConstraints=CA:FALSE 274 275 # Here are some examples of the usage of nsCertType. If it is omitted 276 # the certificate can be used for anything *except* object signing. 277 278 # This is OK for an SSL server. 279 # nsCertType = server 280 281 # For an object signing certificate this would be used. 282 # nsCertType = objsign 283 284 # For normal client use this is typical 285 # nsCertType = client, email 286 287 # and for everything including object signing: 288 # nsCertType = client, email, objsign 289 290 # This is typical in keyUsage for a client certificate. 291 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 292 293 # This will be displayed in Netscape's comment listbox. 294 nsComment = "OpenSSL Generated Certificate" 295 296 # PKIX recommendations harmless if included in all certificates. 297 subjectKeyIdentifier=hash 298 authorityKeyIdentifier=keyid,issuer 299 300 # This stuff is for subjectAltName and issuerAltname. 301 # Import the email address. 302 # subjectAltName=email:copy 303 # An alternative to produce certificates that aren't 304 # deprecated according to PKIX. 305 # subjectAltName=email:move 306 307 # Copy subject details 308 # issuerAltName=issuer:copy 309 310 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 311 #nsBaseUrl 312 #nsRevocationUrl 313 #nsRenewalUrl 314 #nsCaPolicyUrl 315 #nsSslServerName 316 317 # This really needs to be in place for it to be a proxy certificate. 318 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 319 320 #################################################################### 321 [ tsa ] 322 323 default_tsa = tsa_config1 # the default TSA section 324 325 [ tsa_config1 ] 326 327 # These are used by the TSA reply generation only. 328 dir = ./demoCA # TSA root directory 329 serial = $dir/tsaserial # The current serial number (mandatory) 330 crypto_device = builtin # OpenSSL engine to use for signing 331 signer_cert = $dir/tsacert.pem # The TSA signing certificate 332 # (optional) 333 certs = $dir/cacert.pem # Certificate chain to include in reply 334 # (optional) 335 signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 336 signer_digest = sha256 # Signing digest to use. (Optional) 337 default_policy = tsa_policy1 # Policy if request did not specify it 338 # (optional) 339 other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 340 digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) 341 accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 342 clock_precision_digits = 0 # number of digits after dot. (optional) 343 ordering = yes # Is ordering defined for timestamps? 344 # (optional, default: no) 345 tsa_name = yes # Must the TSA name be included in the reply? 346 # (optional, default: no) 347 ess_cert_id_chain = no # Must the ESS cert id chain be included? 348 # (optional, default: no) 349 ess_cert_id_alg = sha1 # algorithm to compute certificate 350 # identifier (optional, default: sha1) 351
Indexes created Sat Feb 28 05:31:39 UTC 2026