CS/CS.cfg
author hh
Thu, 21 Nov 2019 14:55:10 +0100
changeset 0 5c129dd80d4f
permissions -rw-r--r--
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by the OpenSSL command-line tools (ca, req, x509) through -config or
# the OPENSSL_CONF environment variable. '#' starts a comment, values may
# reference other keys as $name and environment variables as $ENV::name.
# Keys above the first [section] belong to the default (global) section.

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
# NOTE(review): RANDFILE is a legacy setting; recent OpenSSL releases seed
# from the OS and may ignore it. Harmless to keep - confirm for the
# OpenSSL version in use.
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# (Currently empty: this file defines no custom OIDs.)

####################################################################
# Entry point for 'openssl ca': names the section holding the CA settings.
[ ca ]
default_ca	= CA_default		# The default ca section

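####################################################################
# Settings used by 'openssl ca' when signing requests and issuing CRLs.
[ CA_default ]

dir		= /home/local/etc/ssl	# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several ctificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/certs/hh_ca.crt 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
# The CA signing key. Keep $dir/private readable by the CA operator only;
# anyone who can read this file can issue certificates.
private_key	= $dir/private/hh_ca.key	# The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# With 'copy', extensions present in the request are carried into the
# issued certificate; only names that are also set in the x509_extensions
# section are overridden, so review requests before enabling this.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
# Signature digest for issued certificates and CRLs. SHA-1 signatures are
# rejected by current browsers and TLS libraries, so SHA-256 is used.
default_md	= sha256		# which md to use.
preserve	= no			# keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
# policy_anything accepts any subject as long as a commonName is supplied.
policy		= policy_anything
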
####################################################################
# For the CA policy
# Strict policy (not the one selected in CA_default): C, ST and O must
# equal the CA's own subject, a commonName is required, the rest is optional.
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# Selected by CA_default: any subject is accepted as long as a commonName
# is supplied; no field has to match the CA's own subject.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
# Settings for 'openssl req' (key generation, CSRs and self-signed certs).
[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
# NOTE(review): no default_md is set here, so the signature digest of a
# self-signed certificate is whatever this OpenSSL build defaults to -
# confirm it is not sha1 for the version in use.

# Passwords for private keys if not present they will be prompted for
# Leave these commented out: a passphrase stored here is readable by
# anyone who can read this file.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# NOTE(review): 'nombstr' is a legacy workaround; utf8only is the usual
# choice today for non-ASCII names.
string_mask = nombstr
# No interactive prompting: every DN value comes from req_distinguished_name.
prompt = no

####################################################################
# req_extensions = v3_req # The extensions to add to a certificate request
# Subject values used with prompt = no. The commonName is taken from the
# CN environment variable; expect the file to fail to load when CN is unset.
[ req_distinguished_name ]
countryName			= CZ
stateOrProvinceName		= --
localityName			= Praha
0.organizationName		= H.H.
organizationalUnitName		= --
commonName			= $ENV::CN
emailAddress			= hh@hh.cz

# SET-ex3			= SET extension number 3

# CSR attributes; all commented out, so requests carry no challenge password.
[ req_attributes ]
#challengePassword		= A challenge password
#challengePassword_min		= 4
#challengePassword_max		= 20

#unstructuredName		= An optional company name

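####################################################################
# Default extension set for 'openssl ca' (CA_default: x509_extensions).
[ usr_cert ]
# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# NOTE(review): no extendedKeyUsage is set, so the certificate is not
# restricted to a purpose (e.g. clientAuth, emailProtection) - confirm
# this is intended.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "hh_ca - OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
# Identify the issuing key so validators can build the chain: 'keyid'
# copies the CA's subjectKeyIdentifier when present, 'issuer' adds the
# issuer name and serial only as a fallback.
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
#issuerAltName=issuer:copy

# NOTE(review): the ns*Url extensions are Netscape legacy; current clients
# look for crlDistributionPoints instead.
nsCaRevocationUrl = http://www.hh.cz/ca-crl.pem
#nsBaseUrl
nsRevocationUrl = http://www.hh.cz/ca-crl.pem
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
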
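####################################################################
# Extensions for TLS server certificates (select with 'ca -extensions srv_cert').
[ srv_cert ]
# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# (Netscape legacy; modern clients rely on extendedKeyUsage instead.)
nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Restrict the certificate to TLS server use; this is what current
# clients check rather than nsCertType.
extendedKeyUsage = serverAuth

# This will be displayed in Netscape's comment listbox.
nsComment = "hh_ca - OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
# Identify the issuing key so validators can build the chain.
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# NOTE(review): only the e-mail address is copied into subjectAltName.
# Browsers match the host name against DNS entries in subjectAltName, not
# against the commonName, so server certificates issued with this section
# also need a DNS name (from the request via copy_extensions, or an
# explicit 'DNS:<hostname>' entry here).
subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
#issuerAltName=issuer:copy

# NOTE(review): the ns*Url extensions are Netscape legacy; current clients
# look for crlDistributionPoints instead.
nsCaRevocationUrl = http://www.hh.cz/ca-crl.pem
#nsBaseUrl
nsRevocationUrl = http://www.hh.cz/ca-crl.pem
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
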
####################################################################
# Extensions for a CSR (enable with req_extensions = v3_req in [ req ]).
[ v3_req ]
# Extensions to add to a certificate request
# Only carried into the issued certificate if the CA enables copy_extensions.

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

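####################################################################
# Extensions for the CA certificate itself (used by 'req -x509' via [ req ]).
[ v3_ca ]
# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier=hash
# Identify the signing key; for a self-signed CA this refers back to the
# subjectKeyIdentifier above.
authorityKeyIdentifier=keyid:always,issuer

# RFC 5280 requires basicConstraints to be critical in a CA certificate;
# the non-critical form was only a workaround for long-obsolete software.
basicConstraints = critical,CA:true

# Key usage: restrict the CA key to signing certificates and CRLs so the
# certificate cannot double as a TLS or e-mail certificate. Drop this only
# for a throw-away self-signed test certificate.
keyUsage = critical, cRLSign, keyCertSign

# Some might want this also
# (Netscape legacy; harmless, modern clients ignore it.)
nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
subjectAltName=email:copy
# Copy issuer details
#issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
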
####################################################################
# Extensions for CRLs issued by 'openssl ca' (CA_default: crl_extensions).
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# Any extension here yields a V2 CRL (see the crlnumber note in CA_default).

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

####################################################################
# Extensions for proxy certificates (select with 'ca -extensions proxy_cert_ext').
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "hh_ca - OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
issuerAltName=issuer:copy

# NOTE(review): the ns*Url extensions are Netscape legacy; current clients
# look for crlDistributionPoints instead.
nsCaRevocationUrl = http://www.hh.cz/ca-crl.pem
#nsBaseUrl
nsRevocationUrl = http://www.hh.cz/ca-crl.pem
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# NOTE(review): 'policy:foo' is a placeholder policy and pathlen:3 permits
# further delegation below this proxy - replace both with the intended
# values before issuing proxy certificates.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo