CS/CS.cfg
changeset 0 5c129dd80d4f
equal deleted inserted replaced
-1:000000000000 0:5c129dd80d4f
       
     1 #
       
     2 # OpenSSL example configuration file.
       
     3 # This is mostly being used for generation of certificate requests.
       
     4 #
       
     5 
       
     6 # This definition stops the following lines choking if HOME isn't
       
     7 # defined.
       
     8 HOME			= .
       
     9 RANDFILE		= $ENV::HOME/.rnd
       
    10 
       
    11 # Extra OBJECT IDENTIFIER info:
       
    12 #oid_file		= $ENV::HOME/.oid
       
    13 oid_section		= new_oids
       
    14 
       
    15 # To use this configuration file with the "-extfile" option of the
       
    16 # "openssl x509" utility, name here the section containing the
       
    17 # X.509v3 extensions to use:
       
    18 # extensions		= 
       
    19 # (Alternatively, use a configuration file that has only
       
    20 # X.509v3 extensions in its main [= default] section.)
       
    21 
       
    22 [ new_oids ]
       
    23 
       
    24 # We can add new OIDs in here for use by 'ca' and 'req'.
       
    25 # Add a simple OID like this:
       
    26 # testoid1=1.2.3.4
       
    27 # Or use config file substitution like this:
       
    28 # testoid2=${testoid1}.5.6
       
    29 
       
    30 ####################################################################
       
    31 [ ca ]
       
    32 default_ca	= CA_default		# The default ca section
       
    33 
       
    34 ####################################################################
       
    35 [ CA_default ]
       
    36 
       
    37 dir		= /home/local/etc/ssl	# Where everything is kept
       
    38 certs		= $dir/certs		# Where the issued certs are kept
       
    39 crl_dir		= $dir/crl		# Where the issued crl are kept
       
    40 database	= $dir/index.txt	# database index file.
       
    41 #unique_subject	= no			# Set to 'no' to allow creation of
       
    42 					# several ctificates with same subject.
       
    43 new_certs_dir	= $dir/newcerts		# default place for new certs.
       
    44 
       
    45 certificate	= $dir/certs/hh_ca.crt 	# The CA certificate
       
    46 serial		= $dir/serial 		# The current serial number
       
    47 crlnumber	= $dir/crlnumber	# the current crl number
       
    48 					# must be commented out to leave a V1 CRL
       
    49 crl		= $dir/crl.pem 		# The current CRL
       
    50 private_key	= $dir/private/hh_ca.key	# The private key
       
    51 RANDFILE	= $dir/private/.rand	# private random number file
       
    52 
       
    53 x509_extensions	= usr_cert		# The extentions to add to the cert
       
    54 
       
    55 # Comment out the following two lines for the "traditional"
       
    56 # (and highly broken) format.
       
    57 name_opt 	= ca_default		# Subject Name options
       
    58 cert_opt 	= ca_default		# Certificate field options
       
    59 
       
    60 # Extension copying option: use with caution.
       
    61 # copy_extensions = copy
       
    62 
       
    63 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
       
    64 # so this is commented out by default to leave a V1 CRL.
       
    65 # crlnumber must also be commented out to leave a V1 CRL.
       
    66 crl_extensions	= crl_ext
       
    67 
       
    68 default_days	= 365			# how long to certify for
       
    69 default_crl_days= 30			# how long before next CRL
       
    70 default_md	= sha1			# which md to use.
       
    71 preserve	= no			# keep passed DN ordering
       
    72 
       
    73 # A few difference way of specifying how similar the request should look
       
    74 # For type CA, the listed attributes must be the same, and the optional
       
    75 # and supplied fields are just that :-)
       
    76 policy		= policy_anything
       
    77 
       
    78 ####################################################################
       
    79 # For the CA policy
       
    80 [ policy_match ]
       
    81 countryName		= match
       
    82 stateOrProvinceName	= match
       
    83 organizationName	= match
       
    84 organizationalUnitName	= optional
       
    85 commonName		= supplied
       
    86 emailAddress		= optional
       
    87 
       
    88 ####################################################################
       
    89 # For the 'anything' policy
       
    90 # At this point in time, you must list all acceptable 'object'
       
    91 # types.
       
    92 [ policy_anything ]
       
    93 countryName		= optional
       
    94 stateOrProvinceName	= optional
       
    95 localityName		= optional
       
    96 organizationName	= optional
       
    97 organizationalUnitName	= optional
       
    98 commonName		= supplied
       
    99 emailAddress		= optional
       
   100 
       
   101 ####################################################################
       
   102 [ req ]
       
   103 default_bits		= 2048
       
   104 default_keyfile 	= privkey.pem
       
   105 distinguished_name	= req_distinguished_name
       
   106 attributes		= req_attributes
       
   107 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
       
   108 
       
   109 # Passwords for private keys if not present they will be prompted for
       
   110 # input_password = secret
       
   111 # output_password = secret
       
   112 
       
   113 # This sets a mask for permitted string types. There are several options. 
       
   114 # default: PrintableString, T61String, BMPString.
       
   115 # pkix	 : PrintableString, BMPString.
       
   116 # utf8only: only UTF8Strings.
       
   117 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
       
   118 # MASK:XXXX a literal mask value.
       
   119 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
       
   120 # so use this option with caution!
       
   121 string_mask = nombstr
       
   122 prompt = no
       
   123 
       
   124 ####################################################################
       
   125 # req_extensions = v3_req # The extensions to add to a certificate request
       
   126 [ req_distinguished_name ]
       
   127 countryName			= CZ
       
   128 stateOrProvinceName		= --
       
   129 localityName			= Praha
       
   130 0.organizationName		= H.H.
       
   131 organizationalUnitName		= --
       
   132 commonName			= $ENV::CN
       
   133 emailAddress			= hh@hh.cz
       
   134 
       
   135 # SET-ex3			= SET extension number 3
       
   136 
       
   137 [ req_attributes ]
       
   138 #challengePassword		= A challenge password
       
   139 #challengePassword_min		= 4
       
   140 #challengePassword_max		= 20
       
   141 
       
   142 #unstructuredName		= An optional company name
       
   143 
       
   144 ####################################################################
       
   145 [ usr_cert ]
       
   146 # These extensions are added when 'ca' signs a request.
       
   147 
       
   148 # This goes against PKIX guidelines but some CAs do it and some software
       
   149 # requires this to avoid interpreting an end user certificate as a CA.
       
   150 basicConstraints=CA:FALSE
       
   151 
       
   152 # Here are some examples of the usage of nsCertType. If it is omitted
       
   153 # the certificate can be used for anything *except* object signing.
       
   154 # This is OK for an SSL server.
       
   155 # nsCertType = server
       
   156 # For an object signing certificate this would be used.
       
   157 # nsCertType = objsign
       
   158 # For normal client use this is typical
       
   159 # nsCertType = client, email
       
   160 # and for everything including object signing:
       
   161 # nsCertType = client, email, objsign
       
   162 
       
   163 # This is typical in keyUsage for a client certificate.
       
   164 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
       
   165 
       
   166 # This will be displayed in Netscape's comment listbox.
       
   167 nsComment = "hh_ca - OpenSSL Generated Certificate"
       
   168 
       
   169 # PKIX recommendations harmless if included in all certificates.
       
   170 subjectKeyIdentifier=hash
       
   171 #authorityKeyIdentifier=keyid:always,issuer:always
       
   172 
       
   173 # This stuff is for subjectAltName and issuerAltname.
       
   174 # Import the email address.
       
   175 subjectAltName=email:copy
       
   176 # An alternative to produce certificates that aren't
       
   177 # deprecated according to PKIX.
       
   178 # subjectAltName=email:move
       
   179 
       
   180 # Copy subject details
       
   181 #issuerAltName=issuer:copy
       
   182 
       
   183 nsCaRevocationUrl = http://www.hh.cz/ca-crl.pem
       
   184 #nsBaseUrl
       
   185 nsRevocationUrl = http://www.hh.cz/ca-crl.pem
       
   186 #nsRenewalUrl
       
   187 #nsCaPolicyUrl
       
   188 #nsSslServerName
       
   189 
       
   190 ####################################################################
       
   191 [ srv_cert ]
       
   192 # These extensions are added when 'ca' signs a request.
       
   193 
       
   194 # This goes against PKIX guidelines but some CAs do it and some software
       
   195 # requires this to avoid interpreting an end user certificate as a CA.
       
   196 basicConstraints=CA:FALSE
       
   197 
       
   198 # Here are some examples of the usage of nsCertType. If it is omitted
       
   199 # the certificate can be used for anything *except* object signing.
       
   200 # This is OK for an SSL server.
       
   201 nsCertType = server
       
   202 # For an object signing certificate this would be used.
       
   203 # nsCertType = objsign
       
   204 # For normal client use this is typical
       
   205 # nsCertType = client, email
       
   206 # and for everything including object signing:
       
   207 # nsCertType = client, email, objsign
       
   208 
       
   209 # This is typical in keyUsage for a client certificate.
       
   210 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
       
   211 
       
   212 # This will be displayed in Netscape's comment listbox.
       
   213 nsComment = "hh_ca - OpenSSL Generated Certificate"
       
   214 
       
   215 # PKIX recommendations harmless if included in all certificates.
       
   216 subjectKeyIdentifier=hash
       
   217 #authorityKeyIdentifier=keyid:always,issuer:always
       
   218 
       
   219 # This stuff is for subjectAltName and issuerAltname.
       
   220 # Import the email address.
       
   221 subjectAltName=email:copy
       
   222 # An alternative to produce certificates that aren't
       
   223 # deprecated according to PKIX.
       
   224 # subjectAltName=email:move
       
   225 
       
   226 # Copy subject details
       
   227 #issuerAltName=issuer:copy
       
   228 
       
   229 nsCaRevocationUrl = http://www.hh.cz/ca-crl.pem
       
   230 #nsBaseUrl
       
   231 nsRevocationUrl = http://www.hh.cz/ca-crl.pem
       
   232 #nsRenewalUrl
       
   233 #nsCaPolicyUrl
       
   234 #nsSslServerName
       
   235 
       
   236 ####################################################################
       
   237 [ v3_req ]
       
   238 # Extensions to add to a certificate request
       
   239 
       
   240 basicConstraints = CA:FALSE
       
   241 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
       
   242 
       
   243 ####################################################################
       
   244 [ v3_ca ]
       
   245 # Extensions for a typical CA
       
   246 
       
   247 # PKIX recommendation.
       
   248 subjectKeyIdentifier=hash
       
   249 #authorityKeyIdentifier=keyid:always,issuer:always
       
   250 
       
   251 # This is what PKIX recommends but some broken software chokes on critical
       
   252 # extensions.
       
   253 #basicConstraints = critical,CA:true
       
   254 # So we do this instead.
       
   255 basicConstraints = CA:true
       
   256 
       
   257 # Key usage: this is typical for a CA certificate. However since it will
       
   258 # prevent it being used as an test self-signed certificate it is best
       
   259 # left out by default.
       
   260 # keyUsage = cRLSign, keyCertSign
       
   261 
       
   262 # Some might want this also
       
   263 nsCertType = sslCA, emailCA
       
   264 
       
   265 # Include email address in subject alt name: another PKIX recommendation
       
   266 subjectAltName=email:copy
       
   267 # Copy issuer details
       
   268 #issuerAltName=issuer:copy
       
   269 
       
   270 # DER hex encoding of an extension: beware experts only!
       
   271 # obj=DER:02:03
       
   272 # Where 'obj' is a standard or added object
       
   273 # You can even override a supported extension:
       
   274 # basicConstraints= critical, DER:30:03:01:01:FF
       
   275 
       
   276 ####################################################################
       
   277 [ crl_ext ]
       
   278 # CRL extensions.
       
   279 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
       
   280 
       
   281 # issuerAltName=issuer:copy
       
   282 authorityKeyIdentifier=keyid:always,issuer:always
       
   283 
       
   284 ####################################################################
       
   285 [ proxy_cert_ext ]
       
   286 # These extensions should be added when creating a proxy certificate
       
   287 
       
   288 # This goes against PKIX guidelines but some CAs do it and some software
       
   289 # requires this to avoid interpreting an end user certificate as a CA.
       
   290 basicConstraints=CA:FALSE
       
   291 
       
   292 # Here are some examples of the usage of nsCertType. If it is omitted
       
   293 # the certificate can be used for anything *except* object signing.
       
   294 
       
   295 # This is OK for an SSL server.
       
   296 # nsCertType			= server
       
   297 
       
   298 # For an object signing certificate this would be used.
       
   299 # nsCertType = objsign
       
   300 
       
   301 # For normal client use this is typical
       
   302 # nsCertType = client, email
       
   303 
       
   304 # and for everything including object signing:
       
   305 # nsCertType = client, email, objsign
       
   306 
       
   307 # This is typical in keyUsage for a client certificate.
       
   308 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
       
   309 
       
   310 # This will be displayed in Netscape's comment listbox.
       
   311 nsComment = "hh_ca - OpenSSL Generated Certificate"
       
   312 
       
   313 # PKIX recommendations harmless if included in all certificates.
       
   314 subjectKeyIdentifier=hash
       
   315 authorityKeyIdentifier=keyid,issuer:always
       
   316 
       
   317 # This stuff is for subjectAltName and issuerAltname.
       
   318 # Import the email address.
       
   319 subjectAltName=email:copy
       
   320 # An alternative to produce certificates that aren't
       
   321 # deprecated according to PKIX.
       
   322 # subjectAltName=email:move
       
   323 
       
   324 # Copy subject details
       
   325 issuerAltName=issuer:copy
       
   326 
       
   327 nsCaRevocationUrl = http://www.hh.cz/ca-crl.pem
       
   328 #nsBaseUrl
       
   329 nsRevocationUrl = http://www.hh.cz/ca-crl.pem
       
   330 #nsRenewalUrl
       
   331 #nsCaPolicyUrl
       
   332 #nsSslServerName
       
   333 
       
   334 # This really needs to be in place for it to be a proxy certificate.
       
   335 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo