demo/ssl/openssl.cnf

   1 dir             = ./CA          # Where everything is kept
   2
   3 [ ca ]
   4 default_ca      = CA_default            # The default ca section
   5
   6 [ CA_default ]
   7 certs           = $dir/certs            # Where the issued certs are kept
   8 crl_dir         = $dir/crl              # Where the issued crl are kept
   9 database        = $dir/index.txt        # database index file.
  10 new_certs_dir   = $dir/newcerts         # default place for new certs.
  11 certificate     = $dir/cacert.pem       # The CA certificate
  12 serial          = $dir/serial           # The current serial number
  13 crlnumber       = $dir/crlnumber        # the current crl number
  14 crl             = $dir/crl.pem          # The current CRL
  15 private_key     = $dir/private/cakey.pem # The private key
  16 x509_extensions = usr_cert              # The extentions to add to the cert
  17 name_opt        = ca_default            # Subject Name options
  18 cert_opt        = ca_default            # Certificate field options
  19 crl_extensions  = crl_ext
  20 default_days    = 365                   # how long to certify for
  21 default_crl_days= 30                    # how long before next CRL
  22 default_md      = default               # use public key default MD
  23 preserve        = no                    # keep passed DN ordering
  24 policy          = policy_match
  25
  26 [ policy_match ]
  27 countryName             = optional
  28 stateOrProvinceName     = optional
  29 organizationName        = optional
  30 organizationalUnitName  = optional
  31 commonName              = optional
  32 emailAddress            = optional
  33
  34 [ policy_anything ]
  35 countryName             = optional
  36 stateOrProvinceName     = optional
  37 localityName            = optional
  38 organizationName        = optional
  39 organizationalUnitName  = optional
  40 commonName              = optional
  41 emailAddress            = optional
  42
  43 [ req ]
  44 default_bits            = 1024
  45 default_md              = sha1
  46 default_keyfile         = privkey.pem
  47 distinguished_name      = req_distinguished_name
  48 attributes              = req_attributes
  49 x509_extensions = v3_ca # The extensions to add to the self signed cert
  50
  51 # Passwords for private keys if not present they will be prompted for
  52 # input_password = secret
  53 # output_password = secret
  54
  55 string_mask = utf8only
  56 req_extensions = v3_req # The extensions to add to a certificate request
  57
  58 [ req_distinguished_name ]
  59 countryName                     = Country Name (2 letter code)
  60 countryName_min                 = 2
  61 countryName_max                 = 2
  62 #stateOrProvinceName            = State or Province Name (full name)
  63 #localityName                   = Locality Name (eg, city)
  64 0.organizationName              = Organization Name (eg, company)
  65 #organizationalUnitName         = Organizational Unit Name (eg, section)
  66 commonName                      = Common Name (eg, your name or your server\'s hostname)
  67 commonName_max                  = 64
  68 emailAddress                    = Email Address
  69 emailAddress_max                = 64
  70 # SET-ex3                       = SET extension number 3
  71
  72 ##
  73 ## DEFAULT VALUES
  74 ##
  75 countryName_default             = DE
  76 #stateOrProvinceName_default    = Berlin
  77 #localityName_default   = Berlin
  78 0.organizationName_default      = Example
  79 #organizationalUnitName_default = Certificate Authorities
  80 commonName_default      = Certificate Authority
  81
  82 [ req_attributes ]
  83 #challengePassword              = A challenge password
  84 #challengePassword_min          = 4
  85 #challengePassword_max          = 20
  86 #unstructuredName               = An optional company name
  87
  88 [ usr_cert ]
  89 basicConstraints=CA:FALSE
  90 subjectKeyIdentifier=hash
  91 authorityKeyIdentifier=keyid,issuer
  92 subjectAltName=email:move
  93 issuerAltName=issuer:copy
  94
  95 [ v3_req ]
  96 basicConstraints = CA:FALSE
  97 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  98
  99 [ v3_ca ]
 100 subjectKeyIdentifier=hash
 101 authorityKeyIdentifier=keyid:always,issuer
 102 basicConstraints = critical,CA:true
 103 # keyUsage = cRLSign, keyCertSign
 104
 105 #subjectAltName=email:copy
 106 issuerAltName=issuer:copy
 107
 108 [ crl_ext ]
 109 issuerAltName=issuer:copy
 110 authorityKeyIdentifier=keyid:always
 111
 112 [ server_ext ]
 113 extendedKeyUsage=serverAuth
 114
 115 [ user_ext ]
 116 extendedKeyUsage=clientAuth,emailProtection