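# This is based on the default OpenSSL configuration file which is
# licensed with the following license:

# Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# 3. All advertising materials mentioning features or use of this
# software must display the following acknowledgment:
# "This product includes software developed by the OpenSSL Project
# for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
#
# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
# endorse or promote products derived from this software without
# prior written permission. For written permission, please contact
# openssl-core@openssl.org.
#
# 5. Products derived from this software may not be called "OpenSSL"
# nor may "OpenSSL" appear in their names without prior written
# permission of the OpenSSL Project.
#
# 6. Redistributions of any form whatsoever must retain the following
# acknowledgment:
# "This product includes software developed by the OpenSSL Project
# for use in the OpenSSL Toolkit (http://www.openssl.org/)"
#
# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
# OF THE POSSIBILITY OF SUCH DAMAGE.
# ====================================================================
#
# This product includes cryptographic software written by Eric Young
# (eay@cryptsoft.com). This product includes software written by Tim
# Hudson (tjh@cryptsoft.com).
#

# ------------------------------------------------------------------
# OpenSSL configuration used to mint X.509 unit-test fixtures
# (see nsComment = "X.509 Unit Test" below). Besides the usual
# [ca] / [req] machinery it carries a set of *_cert extension
# sections that are selected per test case (e.g. with the
# "-extfile"/"-extensions" options of "openssl x509", or via
# x509_extensions / req_extensions). Several of those sections
# intentionally contain unusual or malformed input; see the notes
# next to each one before "fixing" them.
#
# Format notes: OpenSSL's CONF parser recognises "#" comments,
# including trailing comments on a value line, and expands
# $name / ${name} / $ENV::NAME references.
# ------------------------------------------------------------------

HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

# NOTE(review): /tmp is a shared, world-writable location. Keeping the
# CA directory (and the CA private key below) there is acceptable only
# for disposable test material; a real CA must use a private directory.
dir = /tmp/ca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# NOTE(review): SHA-1 certificate signatures are rejected by current
# verifiers at their default security level; prefer sha256 unless a
# test case specifically exercises sha1 — TODO confirm against the tests.
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering

policy = policy_anything

# Not referenced by [CA_default] (policy = policy_anything); kept from
# the stock openssl.cnf for reference.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# NOTE(review): 1024-bit RSA is below the current 2048-bit minimum and
# is refused by many verifiers; fine only for throwaway test keys.
default_bits = 1024
# NOTE(review): see the /tmp remark in [CA_default].
default_keyfile = /tmp/privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# NOTE(review): nombstr is a legacy string mask (no BMPString/UTF8String);
# the modern default is utf8only. Non-ASCII DN values in this file
# (see [dir_example]) are encoded differently under each — confirm the
# tests expect the legacy encoding before changing it.
string_mask = nombstr
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California

localityName = Locality Name (eg, city)
localityName_default = San Mateo

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Genius.com Inc

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = NetOps

commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

# ---- Per-test extension sections -------------------------------------

# Extension with an OID no parser knows; exercises the "unknown
# extension" path.
[ unsupported_cert ]
# Just a made-up OID
1.2.3.4.99999.1.2.3.4 = critical,ASN1:FORMAT:BITLIST,BITSTRING:0,1,2

[ keyUsage_critical_cert ]
basicConstraints=CA:FALSE
keyUsage = critical, decipherOnly, keyAgreement

# Raw BIT STRING with more bits (0..10) than KeyUsage defines (0..8).
[ keyUsage_extraLong_cert ]
keyUsage=ASN1:FORMAT:BITLIST,BITSTRING:0,1,2,3,4,5,6,7,8,9,10

# The repeated flags below are presumably deliberate (exercising
# duplicate-bit handling) — leave as is unless the test says otherwise.
[ keyUsage_cert ]
basicConstraints=CA:FALSE
keyUsage = encipherOnly, keyEncipherment, dataEncipherment, keyCertSign, cRLSign, cRLSign, keyEncipherment, dataEncipherment, keyCertSign, cRLSign

[ extendedKeyUsage_cert ]
extendedKeyUsage=1.2.3.4

# pathlen on an end-entity certificate (only meaningful for CA:true).
[ userWithPathLen_cert ]
basicConstraints=CA:false,pathlen:10

[ ca_cert ]
basicConstraints=CA:true

[ caWithPathLen_cert ]
basicConstraints=CA:true,pathlen:10

# iPAddress GeneralName with a 1-byte payload (neither IPv4 nor IPv6);
# exercises rejection of malformed IP SANs.
[ invalid_ip_cert ]
subjectAltName = ASN1:SEQUENCE:invalid_ip_SEQ
issuerAltName = ASN1:SEQUENCE:invalid_ip_SEQ

[ invalid_ip_SEQ ]
IP.1 = IMPLICIT:7,FORMAT:HEX,OCTETSTRING:0A

# iPAddress GeneralName carrying a 16-byte (IPv6) payload.
[ ipv6_cert ]
subjectAltName = ASN1:SEQUENCE:ipv6_SEQ
issuerAltName = ASN1:SEQUENCE:ipv6_SEQ

[ ipv6_SEQ ]
IP.1 = IMPLICIT:7,FORMAT:HEX,OCTETSTRING:20010DB8000000000000FF0000428329

# Default end-entity profile used by [CA_default] (x509_extensions).
[ usr_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
nsComment = "X.509 Unit Test"

subjectAltName = @alt_names
issuerAltName = @alt_names
#subjectAltName = ASN1:SEQUENCE:raw_alt_names

# Intentionally empty: certificate with no extensions at all.
[ alt_none_cert ]

# One GeneralName of each common type, for the combined SAN/IAN case.
[ alt_names ]
otherName.0 = 1.2.3.4;UTF8:test1
email.0 = x509@example.com
DNS.0 = x509.example.com
dirName.0 = dir_example
URI.0 = http://www.example.com/?q=awesomeness
IP.0 = 192.168.0.1
RID.0 = 1.2.3.4

[ alt_other_cert ]
subjectAltName = otherName:1.2.3.4;UTF8:test1

[ alt_email_cert ]
subjectAltName = email:x509@example.com

[ alt_dns_cert ]
subjectAltName = DNS:x509.example.com

[ alt_dirname_cert ]
subjectAltName = dirName:dir_example

[ alt_uri_cert ]
subjectAltName = URI:http://www.example.com/?q=awesomeness

[ alt_rid_cert ]
subjectAltName = RID:1.2.3.4

# GeneralName choices the x509v3 string syntax cannot express
# (ediPartyName = [5], x400Address = [3]), built from raw ASN.1.
[ raw_alt_names ]
ediPartyName = IMPLICIT:5,SEQUENCE:ediPartyName_SEQ
x400 = IMPLICIT:3,SEQUENCE:x400_SEQ

[ x400_SEQ ]
BuiltInStandardAttributes = SEQUENCE:x400_BuiltInStandardAddtributes_SEQ

[ x400_BuiltInStandardAddtributes_SEQ ]
PersonalName=IMPLICIT:5,SET:x400_PersonalName_SET

[ x400_PersonalName_SET ]
Surname=IMPLICIT:0,PRINTABLESTRING:Root
GivenName=IMPLICIT:1,PRINTABLESTRING:Kenny

[ ediPartyName_SEQ ]
partyName = IMPLICIT:1,PRINTABLESTRING:Joe

# Directory name used by dirName SANs above. The non-ASCII values and
# the repeated CN attribute look intentional (multi-valued / non-ASCII
# RDN handling) — confirm against the tests before normalising.
[ dir_example ]
C=US
O=Awesome Dudes
OU=Über Frîends
CN=example X.509
CN=∆ƒ

# Extensions placed in certificate requests (req_extensions). The
# original listed basicConstraints twice; the identical duplicate was
# dropped, since a certificate carrying the same extension twice is
# treated as invalid by current OpenSSL releases.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
issuerAltName = @alt_names
nsComment = "X.509 Unit Test"

# Extensions for the self-signed root (x509_extensions in [req]).
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

# CRL extensions; only used if crl_extensions is enabled in [CA_default].
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always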