Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / bc27e64692ecfbbffdedf8bbe8a249d687ff9ead / . / cluster / openssl.cnf
blob: 1e5cc2e5afcabfc64cd48c6f9654cca249c34d44 [file] [log] [blame]
Sergiusz Bazanskib0b0f3f2019-01-13 13:32:19 +0100[diff] [blame]1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME = .
9RANDFILE = $ENV::HOME/.rnd
10
11# Extra OBJECT IDENTIFIER info:
12#oid_file = $ENV::HOME/.oid
13oid_section = new_oids
14
15# To use this configuration file with the "-extfile" option of the
16# "openssl x509" utility, name here the section containing the
17# X.509v3 extensions to use:
18# extensions =
19# (Alternatively, use a configuration file that has only
20# X.509v3 extensions in its main [= default] section.)
21
22[ new_oids ]
23
24# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
25# Add a simple OID like this:
26# testoid1=1.2.3.4
27# Or use config file substitution like this:
28# testoid2=${testoid1}.5.6
29
30# Policies used by the TSA examples.
31tsa_policy1 = 1.2.3.4.1
32tsa_policy2 = 1.2.3.4.5.6
33tsa_policy3 = 1.2.3.4.5.7
34
35####################################################################
36[ ca ]
37default_ca = CA_default # The default ca section
38
39####################################################################
40[ CA_default ]
41
42dir = ./demoCA # Where everything is kept
43certs = $dir/certs # Where the issued certs are kept
44crl_dir = $dir/crl # Where the issued crl are kept
45database = $dir/index.txt # database index file.
46#unique_subject = no # Set to 'no' to allow creation of
47 # several ctificates with same subject.
48new_certs_dir = $dir/newcerts # default place for new certs.
49
50certificate = $dir/cacert.pem # The CA certificate
51serial = $dir/serial # The current serial number
52crlnumber = $dir/crlnumber # the current crl number
53 # must be commented out to leave a V1 CRL
54crl = $dir/crl.pem # The current CRL
55private_key = $dir/private/cakey.pem# The private key
56RANDFILE = $dir/private/.rand # private random number file
57
58x509_extensions = usr_cert # The extentions to add to the cert
59
60# Comment out the following two lines for the "traditional"
61# (and highly broken) format.
62name_opt = ca_default # Subject Name options
63cert_opt = ca_default # Certificate field options
64
65# Extension copying option: use with caution.
66copy_extensions = copy
67
68# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
69# so this is commented out by default to leave a V1 CRL.
70# crlnumber must also be commented out to leave a V1 CRL.
71# crl_extensions = crl_ext
72
73default_days = 365 # how long to certify for
74default_crl_days= 30 # how long before next CRL
75default_md = default # use public key default MD
76preserve = no # keep passed DN ordering
77
78# A few difference way of specifying how similar the request should look
79# For type CA, the listed attributes must be the same, and the optional
80# and supplied fields are just that :-)
81policy = policy_match
82
83# For the CA policy
84[ policy_match ]
85countryName = match
86stateOrProvinceName = match
87organizationName = match
88organizationalUnitName = optional
89commonName = supplied
90emailAddress = optional
91
92# For the 'anything' policy
93# At this point in time, you must list all acceptable 'object'
94# types.
95[ policy_anything ]
96countryName = optional
97stateOrProvinceName = optional
98localityName = optional
99organizationName = optional
100organizationalUnitName = optional
101commonName = supplied
102emailAddress = optional
103
104####################################################################
105[ req ]
106default_bits = 2048
107default_keyfile = privkey.pem
108distinguished_name = req_distinguished_name
109attributes = req_attributes
110x509_extensions = v3_ca # The extentions to add to the self signed cert
111
112# Passwords for private keys if not present they will be prompted for
113# input_password = secret
114# output_password = secret
115
116# This sets a mask for permitted string types. There are several options.
117# default: PrintableString, T61String, BMPString.
118# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
119# utf8only: only UTF8Strings (PKIX recommendation after 2004).
120# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
121# MASK:XXXX a literal mask value.
122# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
123string_mask = utf8only
124
125# req_extensions = v3_req # The extensions to add to a certificate request
126
127[ req_distinguished_name ]
128countryName = Country Name (2 letter code)
129countryName_default = AU
130countryName_min = 2
131countryName_max = 2
132
133stateOrProvinceName = State or Province Name (full name)
134stateOrProvinceName_default = Some-State
135
136localityName = Locality Name (eg, city)
137
1380.organizationName = Organization Name (eg, company)
1390.organizationName_default = Internet Widgits Pty Ltd
140
141# we can do this but it is not needed normally :-)
142#1.organizationName = Second Organization Name (eg, company)
143#1.organizationName_default = World Wide Web Pty Ltd
144
145organizationalUnitName = Organizational Unit Name (eg, section)
146#organizationalUnitName_default =
147
148commonName = Common Name (e.g. server FQDN or YOUR name)
149commonName_max = 64
150
151emailAddress = Email Address
152emailAddress_max = 64
153
154# SET-ex3 = SET extension number 3
155
156[ req_attributes ]
157challengePassword = A challenge password
158challengePassword_min = 4
159challengePassword_max = 20
160
161unstructuredName = An optional company name
162
163[ usr_cert ]
164
165# These extensions are added when 'ca' signs a request.
166
167# This goes against PKIX guidelines but some CAs do it and some software
168# requires this to avoid interpreting an end user certificate as a CA.
169
170basicConstraints=CA:FALSE
171
172# Here are some examples of the usage of nsCertType. If it is omitted
173# the certificate can be used for anything *except* object signing.
174
175# This is OK for an SSL server.
176# nsCertType = server
177
178# For an object signing certificate this would be used.
179# nsCertType = objsign
180
181# For normal client use this is typical
182# nsCertType = client, email
183
184# and for everything including object signing:
185# nsCertType = client, email, objsign
186
187# This is typical in keyUsage for a client certificate.
188# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
189
190# This will be displayed in Netscape's comment listbox.
191nsComment = "OpenSSL Generated Certificate"
192
193# PKIX recommendations harmless if included in all certificates.
194subjectKeyIdentifier=hash
195authorityKeyIdentifier=keyid,issuer
196
197# This stuff is for subjectAltName and issuerAltname.
198# Import the email address.
199# subjectAltName=email:copy
200# An alternative to produce certificates that aren't
201# deprecated according to PKIX.
202# subjectAltName=email:move
203
204# Copy subject details
205# issuerAltName=issuer:copy
206
207#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
208#nsBaseUrl
209#nsRevocationUrl
210#nsRenewalUrl
211#nsCaPolicyUrl
212#nsSslServerName
213
214# This is required for TSA certificates.
215# extendedKeyUsage = critical,timeStamping
216
217[ v3_req ]
218
219# Extensions to add to a certificate request
220
221basicConstraints = CA:FALSE
222keyUsage = nonRepudiation, digitalSignature, keyEncipherment
223
224[ v3_ca ]
225
226
227# Extensions for a typical CA
228
229
230# PKIX recommendation.
231
232subjectKeyIdentifier=hash
233
234authorityKeyIdentifier=keyid:always,issuer
235
236# This is what PKIX recommends but some broken software chokes on critical
237# extensions.
238#basicConstraints = critical,CA:true
239# So we do this instead.
240basicConstraints = CA:true
241
242# Key usage: this is typical for a CA certificate. However since it will
243# prevent it being used as an test self-signed certificate it is best
244# left out by default.
245# keyUsage = cRLSign, keyCertSign
246
247# Some might want this also
248# nsCertType = sslCA, emailCA
249
250# Include email address in subject alt name: another PKIX recommendation
251# subjectAltName=email:copy
252# Copy issuer details
253# issuerAltName=issuer:copy
254
255# DER hex encoding of an extension: beware experts only!
256# obj=DER:02:03
257# Where 'obj' is a standard or added object
258# You can even override a supported extension:
259# basicConstraints= critical, DER:30:03:01:01:FF
260
261[ crl_ext ]
262
263# CRL extensions.
264# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
265
266# issuerAltName=issuer:copy
267authorityKeyIdentifier=keyid:always
268
269[ proxy_cert_ext ]
270# These extensions should be added when creating a proxy certificate
271
272# This goes against PKIX guidelines but some CAs do it and some software
273# requires this to avoid interpreting an end user certificate as a CA.
274
275basicConstraints=CA:FALSE
276
277# Here are some examples of the usage of nsCertType. If it is omitted
278# the certificate can be used for anything *except* object signing.
279
280# This is OK for an SSL server.
281# nsCertType = server
282
283# For an object signing certificate this would be used.
284# nsCertType = objsign
285
286# For normal client use this is typical
287# nsCertType = client, email
288
289# and for everything including object signing:
290# nsCertType = client, email, objsign
291
292# This is typical in keyUsage for a client certificate.
293# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
294
295# This will be displayed in Netscape's comment listbox.
296nsComment = "OpenSSL Generated Certificate"
297
298# PKIX recommendations harmless if included in all certificates.
299subjectKeyIdentifier=hash
300authorityKeyIdentifier=keyid,issuer
301
302# This stuff is for subjectAltName and issuerAltname.
303# Import the email address.
304# subjectAltName=email:copy
305# An alternative to produce certificates that aren't
306# deprecated according to PKIX.
307# subjectAltName=email:move
308
309# Copy subject details
310# issuerAltName=issuer:copy
311
312#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
313#nsBaseUrl
314#nsRevocationUrl
315#nsRenewalUrl
316#nsCaPolicyUrl
317#nsSslServerName
318
319# This really needs to be in place for it to be a proxy certificate.
320proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
321
322####################################################################
323[ tsa ]
324
325default_tsa = tsa_config1 # the default TSA section
326
327[ tsa_config1 ]
328
329# These are used by the TSA reply generation only.
330dir = ./demoCA # TSA root directory
331serial = $dir/tsaserial # The current serial number (mandatory)
332crypto_device = builtin # OpenSSL engine to use for signing
333signer_cert = $dir/tsacert.pem # The TSA signing certificate
334 # (optional)
335certs = $dir/cacert.pem # Certificate chain to include in reply
336 # (optional)
337signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
338
339default_policy = tsa_policy1 # Policy if request did not specify it
340 # (optional)
341other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
342digests = md5, sha1 # Acceptable message digests (mandatory)
343accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
344clock_precision_digits = 0 # number of digits after dot. (optional)
345ordering = yes # Is ordering defined for timestamps?
346 # (optional, default: no)
347tsa_name = yes # Must the TSA name be included in the reply?
348 # (optional, default: no)
349ess_cert_id_chain = no # Must the ESS cert id chain be included?
350 # (optional, default: no)