demo/ssl/openssl.cnf

   1 dir             = ./CA          # Where everything is kept
   2
   3 [ ca ]
   4 default_ca      = CA_default            # The default ca section
   5
   6 [ CA_default ]
   7 certs           = $dir/certs            # Where the issued certs are kept
   8 crl_dir         = $dir/crl              # Where the issued crl are kept
   9 database        = $dir/index.txt        # database index file.
  10 new_certs_dir   = $dir/newcerts         # default place for new certs.
  11 certificate     = $dir/cacert.pem       # The CA certificate
  12 serial          = $dir/serial           # The current serial number
  13 crlnumber       = $dir/crlnumber        # the current crl number
  14 crl             = $dir/crl.pem          # The current CRL
  15 private_key     = $dir/private/cakey.pem # The private key
  16 x509_extensions = usr_cert              # The extentions to add to the cert
  17 name_opt        = ca_default            # Subject Name options
  18 cert_opt        = ca_default            # Certificate field options
  19 crl_extensions  = crl_ext
  20 default_days    = 3650                  # how long to certify for
  21 default_crl_days= 30                    # how long before next CRL
  22 default_md      = default               # use public key default MD
  23 preserve        = no                    # keep passed DN ordering
  24 policy          = policy_match
  25
  26 [ policy_match ]
  27 countryName             = match
  28 stateOrProvinceName     = match
  29 organizationName        = match
  30 organizationalUnitName  = optional
  31 commonName              = supplied
  32 emailAddress            = optional
  33
  34 [ policy_anything ]
  35 countryName             = optional
  36 stateOrProvinceName     = optional
  37 localityName            = optional
  38 organizationName        = optional
  39 organizationalUnitName  = optional
  40 commonName              = supplied
  41 emailAddress            = optional
  42
  43 [ req ]
  44 default_bits            = 1024
  45 default_md              = sha1
  46 default_keyfile         = privkey.pem
  47 distinguished_name      = req_distinguished_name
  48 attributes              = req_attributes
  49 x509_extensions = v3_ca # The extensions to add to the self signed cert
  50
  51 # Passwords for private keys if not present they will be prompted for
  52 # input_password = secret
  53 # output_password = secret
  54
  55 string_mask = utf8only
  56 req_extensions = v3_req # The extensions to add to a certificate request
  57
  58 [ req_distinguished_name ]
  59 countryName                     = Country Name (2 letter code)
  60 countryName_min                 = 2
  61 countryName_max                 = 2
  62 stateOrProvinceName             = State or Province Name (full name)
  63 #localityName                   = Locality Name (eg, city)
  64 0.organizationName              = Organization Name (eg, company)
  65 organizationalUnitName          = Organizational Unit Name (eg, section)
  66 commonName                      = Common Name (eg, your name or your server\'s hostname)
  67 commonName_max                  = 64
  68 emailAddress                    = Email Address
  69 emailAddress_max                = 64
  70 # SET-ex3                       = SET extension number 3
  71
  72 ##
  73 ## DEFAULT VALUES
  74 ##
  75 countryName_default             = DE
  76 stateOrProvinceName_default     = Berlin
  77 #localityName_default   = Berlin
  78 0.organizationName_default      = Example
  79 organizationalUnitName_default  = People
  80
  81 [ req_attributes ]
  82 #challengePassword              = A challenge password
  83 #challengePassword_min          = 4
  84 #challengePassword_max          = 20
  85 #unstructuredName               = An optional company name
  86
  87 [ usr_cert ]
  88 basicConstraints=CA:FALSE
  89 subjectKeyIdentifier=hash
  90 authorityKeyIdentifier=keyid,issuer
  91 subjectAltName=email:move
  92 issuerAltName=issuer:copy
  93
  94 [ v3_req ]
  95 basicConstraints = CA:FALSE
  96 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  97
  98 [ v3_ca ]
  99 subjectKeyIdentifier=hash
 100 authorityKeyIdentifier=keyid:always,issuer
 101 basicConstraints = critical,CA:true
 102 # keyUsage = cRLSign, keyCertSign
 103
 104 subjectAltName=email:copy
 105 issuerAltName=issuer:copy
 106
 107 [ crl_ext ]
 108 issuerAltName=issuer:copy
 109 authorityKeyIdentifier=keyid:always
 110
 111 [ server_ext ]
 112 extendedKeyUsage=serverAuth
 113
 114 [ user_ext ]
 115 extendedKeyUsage=clientAuth,emailProtection