openssl.cnf 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391
  1. #
  2. # OpenSSL example configuration file.
  3. # See doc/man5/config.pod for more info.
  4. #
  5. # This is mostly being used for generation of certificate requests,
  6. # but may be used for auto loading of providers
  7. # Note that you can include other files from the main configuration
  8. # file using the .include directive.
  9. #.include filename
  10. # This definition stops the following lines choking if HOME isn't
  11. # defined.
  12. HOME = .
  13. # Use this in order to automatically load providers.
  14. openssl_conf = openssl_init
  15. # Comment out the next line to ignore configuration errors
  16. config_diagnostics = 1
  17. # Extra OBJECT IDENTIFIER info:
  18. # oid_file = $ENV::HOME/.oid
  19. oid_section = new_oids
  20. # To use this configuration file with the "-extfile" option of the
  21. # "openssl x509" utility, name here the section containing the
  22. # X.509v3 extensions to use:
  23. # extensions =
  24. # (Alternatively, use a configuration file that has only
  25. # X.509v3 extensions in its main [= default] section.)
  26. [ new_oids ]
  27. # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
  28. # Add a simple OID like this:
  29. # testoid1=1.2.3.4
  30. # Or use config file substitution like this:
  31. # testoid2=${testoid1}.5.6
  32. # Policies used by the TSA examples.
  33. tsa_policy1 = 1.2.3.4.1
  34. tsa_policy2 = 1.2.3.4.5.6
  35. tsa_policy3 = 1.2.3.4.5.7
  36. # For FIPS
  37. # Optionally include a file that is generated by the OpenSSL fipsinstall
  38. # application. This file contains configuration data required by the OpenSSL
  39. # fips provider. It contains a named section e.g. [fips_sect] which is
  40. # referenced from the [provider_sect] below.
  41. # Refer to the OpenSSL security policy for more information.
  42. # .include fipsmodule.cnf
  43. [openssl_init]
  44. providers = provider_sect
  45. # List of providers to load
  46. [provider_sect]
  47. default = default_sect
  48. # The fips section name should match the section name inside the
  49. # included fipsmodule.cnf.
  50. # fips = fips_sect
  51. # If no providers are activated explicitly, the default one is activated implicitly.
  52. # See man 7 OSSL_PROVIDER-default for more details.
  53. #
  54. # If you add a section explicitly activating any other provider(s), you most
  55. # probably need to explicitly activate the default provider, otherwise it
  56. # becomes unavailable in openssl. As a consequence applications depending on
  57. # OpenSSL may not work correctly which could lead to significant system
  58. # problems including inability to remotely access the system.
  59. [default_sect]
  60. # activate = 1
  61. ####################################################################
  62. [ ca ]
  63. default_ca = CA_default # The default ca section
  64. ####################################################################
  65. [ CA_default ]
  66. dir = ./demoCA # Where everything is kept
  67. certs = $dir/certs # Where the issued certs are kept
  68. crl_dir = $dir/crl # Where the issued crl are kept
  69. database = $dir/index.txt # database index file.
  70. #unique_subject = no # Set to 'no' to allow creation of
  71. # several certs with same subject.
  72. new_certs_dir = $dir/newcerts # default place for new certs.
  73. certificate = $dir/cacert.pem # The CA certificate
  74. serial = $dir/serial # The current serial number
  75. crlnumber = $dir/crlnumber # the current crl number
  76. # must be commented out to leave a V1 CRL
  77. crl = $dir/crl.pem # The current CRL
  78. private_key = $dir/private/cakey.pem # The private key
  79. x509_extensions = usr_cert # The extensions to add to the cert
  80. # Comment out the following two lines for the "traditional"
  81. # (and highly broken) format.
  82. name_opt = ca_default # Subject Name options
  83. cert_opt = ca_default # Certificate field options
  84. # Extension copying option: use with caution.
  85. # copy_extensions = copy
  86. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  87. # so this is commented out by default to leave a V1 CRL.
  88. # crlnumber must also be commented out to leave a V1 CRL.
  89. # crl_extensions = crl_ext
  90. default_days = 365 # how long to certify for
  91. default_crl_days= 30 # how long before next CRL
  92. default_md = default # use public key default MD
  93. preserve = no # keep passed DN ordering
  94. # A few difference way of specifying how similar the request should look
  95. # For type CA, the listed attributes must be the same, and the optional
  96. # and supplied fields are just that :-)
  97. policy = policy_match
  98. # For the CA policy
  99. [ policy_match ]
  100. countryName = match
  101. stateOrProvinceName = match
  102. organizationName = match
  103. organizationalUnitName = optional
  104. commonName = supplied
  105. emailAddress = optional
  106. # For the 'anything' policy
  107. # At this point in time, you must list all acceptable 'object'
  108. # types.
  109. [ policy_anything ]
  110. countryName = optional
  111. stateOrProvinceName = optional
  112. localityName = optional
  113. organizationName = optional
  114. organizationalUnitName = optional
  115. commonName = supplied
  116. emailAddress = optional
  117. ####################################################################
  118. [ req ]
  119. default_bits = 2048
  120. default_keyfile = privkey.pem
  121. distinguished_name = req_distinguished_name
  122. attributes = req_attributes
  123. x509_extensions = v3_ca # The extensions to add to the self signed cert
  124. # Passwords for private keys if not present they will be prompted for
  125. # input_password = secret
  126. # output_password = secret
  127. # This sets a mask for permitted string types. There are several options.
  128. # default: PrintableString, T61String, BMPString.
  129. # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
  130. # utf8only: only UTF8Strings (PKIX recommendation after 2004).
  131. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  132. # MASK:XXXX a literal mask value.
  133. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
  134. string_mask = utf8only
  135. # req_extensions = v3_req # The extensions to add to a certificate request
  136. [ req_distinguished_name ]
  137. countryName = Country Name (2 letter code)
  138. countryName_default = AU
  139. countryName_min = 2
  140. countryName_max = 2
  141. stateOrProvinceName = State or Province Name (full name)
  142. stateOrProvinceName_default = Some-State
  143. localityName = Locality Name (eg, city)
  144. 0.organizationName = Organization Name (eg, company)
  145. 0.organizationName_default = Internet Widgits Pty Ltd
  146. # we can do this but it is not needed normally :-)
  147. #1.organizationName = Second Organization Name (eg, company)
  148. #1.organizationName_default = World Wide Web Pty Ltd
  149. organizationalUnitName = Organizational Unit Name (eg, section)
  150. #organizationalUnitName_default =
  151. commonName = Common Name (e.g. server FQDN or YOUR name)
  152. commonName_max = 64
  153. emailAddress = Email Address
  154. emailAddress_max = 64
  155. # SET-ex3 = SET extension number 3
  156. [ req_attributes ]
  157. challengePassword = A challenge password
  158. challengePassword_min = 4
  159. challengePassword_max = 20
  160. unstructuredName = An optional company name
  161. [ usr_cert ]
  162. # These extensions are added when 'ca' signs a request.
  163. # This goes against PKIX guidelines but some CAs do it and some software
  164. # requires this to avoid interpreting an end user certificate as a CA.
  165. basicConstraints=CA:FALSE
  166. # This is typical in keyUsage for a client certificate.
  167. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  168. # PKIX recommendations harmless if included in all certificates.
  169. subjectKeyIdentifier=hash
  170. authorityKeyIdentifier=keyid,issuer
  171. # This stuff is for subjectAltName and issuerAltname.
  172. # Import the email address.
  173. # subjectAltName=email:copy
  174. # An alternative to produce certificates that aren't
  175. # deprecated according to PKIX.
  176. # subjectAltName=email:move
  177. # Copy subject details
  178. # issuerAltName=issuer:copy
  179. # This is required for TSA certificates.
  180. # extendedKeyUsage = critical,timeStamping
  181. [ v3_req ]
  182. # Extensions to add to a certificate request
  183. basicConstraints = CA:FALSE
  184. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  185. [ v3_ca ]
  186. # Extensions for a typical CA
  187. # PKIX recommendation.
  188. subjectKeyIdentifier=hash
  189. authorityKeyIdentifier=keyid:always,issuer
  190. basicConstraints = critical,CA:true
  191. # Key usage: this is typical for a CA certificate. However since it will
  192. # prevent it being used as an test self-signed certificate it is best
  193. # left out by default.
  194. # keyUsage = cRLSign, keyCertSign
  195. # Include email address in subject alt name: another PKIX recommendation
  196. # subjectAltName=email:copy
  197. # Copy issuer details
  198. # issuerAltName=issuer:copy
  199. # DER hex encoding of an extension: beware experts only!
  200. # obj=DER:02:03
  201. # Where 'obj' is a standard or added object
  202. # You can even override a supported extension:
  203. # basicConstraints= critical, DER:30:03:01:01:FF
  204. [ crl_ext ]
  205. # CRL extensions.
  206. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  207. # issuerAltName=issuer:copy
  208. authorityKeyIdentifier=keyid:always
  209. [ proxy_cert_ext ]
  210. # These extensions should be added when creating a proxy certificate
  211. # This goes against PKIX guidelines but some CAs do it and some software
  212. # requires this to avoid interpreting an end user certificate as a CA.
  213. basicConstraints=CA:FALSE
  214. # This is typical in keyUsage for a client certificate.
  215. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  216. # PKIX recommendations harmless if included in all certificates.
  217. subjectKeyIdentifier=hash
  218. authorityKeyIdentifier=keyid,issuer
  219. # This stuff is for subjectAltName and issuerAltname.
  220. # Import the email address.
  221. # subjectAltName=email:copy
  222. # An alternative to produce certificates that aren't
  223. # deprecated according to PKIX.
  224. # subjectAltName=email:move
  225. # Copy subject details
  226. # issuerAltName=issuer:copy
  227. # This really needs to be in place for it to be a proxy certificate.
  228. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
  229. ####################################################################
  230. [ tsa ]
  231. default_tsa = tsa_config1 # the default TSA section
  232. [ tsa_config1 ]
  233. # These are used by the TSA reply generation only.
  234. dir = ./demoCA # TSA root directory
  235. serial = $dir/tsaserial # The current serial number (mandatory)
  236. crypto_device = builtin # OpenSSL engine to use for signing
  237. signer_cert = $dir/tsacert.pem # The TSA signing certificate
  238. # (optional)
  239. certs = $dir/cacert.pem # Certificate chain to include in reply
  240. # (optional)
  241. signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
  242. signer_digest = sha256 # Signing digest to use. (Optional)
  243. default_policy = tsa_policy1 # Policy if request did not specify it
  244. # (optional)
  245. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  246. digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
  247. accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  248. clock_precision_digits = 0 # number of digits after dot. (optional)
  249. ordering = yes # Is ordering defined for timestamps?
  250. # (optional, default: no)
  251. tsa_name = yes # Must the TSA name be included in the reply?
  252. # (optional, default: no)
  253. ess_cert_id_chain = no # Must the ESS cert id chain be included?
  254. # (optional, default: no)
  255. ess_cert_id_alg = sha256 # algorithm to compute certificate
  256. # identifier (optional, default: sha256)
  257. [insta] # CMP using Insta Demo CA
  258. # Message transfer
  259. server = pki.certificate.fi:8700
  260. # proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
  261. # tls_use = 0
  262. path = pkix/
  263. # Server authentication
  264. recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
  265. ignore_keyusage = 1 # potentially needed quirk
  266. unprotected_errors = 1 # potentially needed quirk
  267. extracertsout = insta.extracerts.pem
  268. # Client authentication
  269. ref = 3078 # user identification
  270. secret = pass:insta # can be used for both client and server side
  271. # Generic message options
  272. cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
  273. # Certificate enrollment
  274. subject = "/CN=openssl-cmp-test"
  275. newkey = insta.priv.pem
  276. out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
  277. certout = insta.cert.pem
  278. [pbm] # Password-based protection for Insta CA
  279. # Server and client authentication
  280. ref = $insta::ref # 3078
  281. secret = $insta::secret # pass:insta
  282. [signature] # Signature-based protection for Insta CA
  283. # Server authentication
  284. trusted = $insta::out_trusted # apps/insta.ca.crt
  285. # Client authentication
  286. secret = # disable PBM
  287. key = $insta::newkey # insta.priv.pem
  288. cert = $insta::certout # insta.cert.pem
  289. [ir]
  290. cmd = ir
  291. [cr]
  292. cmd = cr
  293. [kur]
  294. # Certificate update
  295. cmd = kur
  296. oldcert = $insta::certout # insta.cert.pem
  297. [rr]
  298. # Certificate revocation
  299. cmd = rr
  300. oldcert = $insta::certout # insta.cert.pem