NB! This project is outdated and unmaintained, please refer to the OpenSC WindowsInstaller instead!

source: trunk/openssl.cnf @ 72

Revision 72, 9.5 KB checked in by aj, 5 years ago (diff)

use a pre-configured openssl.cnf with pkcs#11 engine configured.

  • Property svn:executable set to *
#
# OpenSSL configuration file (Smart Card Bundle).
# Derived from the stock OpenSSL example configuration; mostly used for
# generating certificate requests, with the pkcs11 engine wired in below.
#

# HOME is defined here so that the $ENV::HOME references further down do
# not fail when the environment variable is missing.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER definitions are taken from the [ new_oids ]
# section (an external oid_file is not used).
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this file with the "-extfile" option of "openssl x509", name the
# section holding the X.509v3 extensions here:
# extensions            =
# (Alternatively, use a configuration file whose main [= default]
# section contains only X.509v3 extensions.)

# Application-level configuration: this is what loads engine_pkcs11
# (see [openssl_def], [engine_section] and [pkcs11_section]).
openssl_conf            = openssl_def

[openssl_def]
# The list of engines to load lives in [engine_section].
engines = engine_section

[engine_section]
# engine id -> section holding that engine's load parameters
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# dynamic_path is the engine shared library; MODULE_PATH is the PKCS#11
# module it talks to. Both are native code loaded into any process that
# reads this configuration, so they must stay in an installer-owned,
# non-user-writable location.
# NOTE(review): these are .so file names under a Windows path -- confirm
# they match what the bundle actually installs.
dynamic_path = C:/Program Files/Smart Card Bundle/engine_pkcs11.so
MODULE_PATH = C:/Program Files/Smart Card Bundle/opensc-pkcs11.so
# 0: do not initialise the engine at config-load time
init = 0

[ new_oids ]

# Additional OIDs for use by 'ca' and 'req' go here.
# A plain OID:
# testoid1=1.2.3.4
# Or one built from another entry via config file substitution:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
# Section used by 'openssl ca' unless another one is selected
default_ca      = CA_default

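####################################################################
[ CA_default ]

# Where everything is kept
dir             = ./demoCA
# Where the issued certs are kept
certs           = $dir/certs
# Where the issued CRLs are kept
crl_dir         = $dir/crl
# Database index file
database        = $dir/index.txt
# Set to 'no' to allow creation of several certificates with the same
# subject
#unique_subject = no
# Default place for new certs
new_certs_dir   = $dir/newcerts

# The CA certificate
certificate     = $dir/cacert.pem
# The current serial number
serial          = $dir/serial
# The current CRL number; must be commented out to leave a V1 CRL
crlnumber       = $dir/crlnumber
# The current CRL
crl             = $dir/crl.pem
# The CA private key. Keep the file readable by the CA operator only.
# (There was no whitespace before the trailing comment here originally;
# OpenSSL still treated it as a comment, but it is easy to misread.)
private_key     = $dir/private/cakey.pem
# Private random number file
RANDFILE        = $dir/private/.rand

# The extensions to add to the cert
x509_extensions = usr_cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default
cert_opt        = ca_default

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

# How long to certify for
default_days    = 365
# How long before next CRL
default_crl_days= 30
# Digest used for certificate and CRL signatures. sha1 signatures are
# rejected by current verifiers; sha256 has been available to
# 'openssl ca' since OpenSSL 0.9.8.
default_md      = sha256
# Keep passed DN ordering
preserve        = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match
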
# Policy used by [ CA_default ]: fields marked 'match' must equal the CA
# certificate's, 'supplied' must be present, 'optional' may be absent.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# The 'anything' policy: only the commonName is required.
# Every acceptable 'object' type still has to be listed explicitly.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

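####################################################################
[ req ]
# Size of newly generated RSA keys. 1024-bit keys are no longer accepted
# by current tooling and CAs; 2048 is the usual minimum. A different size
# can still be chosen per invocation with -newkey rsa:<bits>.
default_bits            = 2048
default_keyfile         = privkey.pem
# Digest used to sign the request / self-signed certificate
default_md              = sha256
distinguished_name      = req_distinguished_name
attributes              = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca

# Passwords for private keys; if not present they will be prompted for.
# Leave these commented out: a value here is stored in clear text next
# to the key it protects.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# (Newer OpenSSL sample configs use utf8only; nombstr is kept here for
# the legacy clients mentioned above.)
string_mask = nombstr

# The extensions to add to a certificate request
# req_extensions = v3_req
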
# Prompts for the request subject. For each field, <name> is the prompt
# text, <name>_default the pre-filled answer and <name>_min/_max the
# accepted length range.
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

# Numeric prefixes allow the same attribute to be asked for more than once.
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# A second organization name is possible but normally not needed :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

# Optional request attributes (prompted for like the DN fields above).
[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# Extensions added when 'ca' signs a request (end-entity certificates).

# Marking end-entity certificates CA:FALSE goes against PKIX guidelines,
# but some CAs do it and some software needs it to avoid treating an end
# user certificate as a CA.

basicConstraints=CA:FALSE

# nsCertType examples. When it is omitted the certificate can be used
# for anything *except* object signing.

# OK for an SSL server:
# nsCertType                    = server

# For an object signing certificate:
# nsCertType = objsign

# Typical for normal client use:
# nsCertType = client, email

# Everything, including object signing:
# nsCertType = client, email, objsign

# Typical keyUsage for a client certificate:
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Shown in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations, harmless in any certificate.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# subjectAltName / issuerAltName handling.
# Import the email address:
# subjectAltName=email:copy
# Alternative that yields certificates not deprecated by PKIX:
# subjectAltName=email:move

# Copy subject details:
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request (enable via req_extensions).

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA certificate (used for the self-signed
# certificate produced by 'req -x509').


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# PKIX recommends a critical basicConstraints, but some broken software
# chokes on critical extensions.
#basicConstraints = critical,CA:true
# So this is used instead.
basicConstraints = CA:true

# Key usage: typical for a CA certificate. Since it would prevent the
# certificate from being used as a test self-signed certificate it is
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might also want this:
# nsCertType = sslCA, emailCA

# Include the email address in subjectAltName (another PKIX recommendation):
# subjectAltName=email:copy
# Copy issuer details:
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware, experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object.
# A supported extension can even be overridden this way:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions (enable via crl_extensions in [ CA_default ]).
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ proxy_cert_ext ]
# Extensions to add when creating a proxy certificate.

# Marking the certificate CA:FALSE goes against PKIX guidelines, but some
# CAs do it and some software needs it to avoid treating an end user
# certificate as a CA.

basicConstraints=CA:FALSE

# nsCertType examples. When it is omitted the certificate can be used
# for anything *except* object signing.

# OK for an SSL server:
# nsCertType                    = server

# For an object signing certificate:
# nsCertType = objsign

# Typical for normal client use:
# nsCertType = client, email

# Everything, including object signing:
# nsCertType = client, email, objsign

# Typical keyUsage for a client certificate:
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Shown in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations, harmless in any certificate.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# subjectAltName / issuerAltName handling.
# Import the email address:
# subjectAltName=email:copy
# Alternative that yields certificates not deprecated by PKIX:
# subjectAltName=email:move

# Copy subject details:
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsCaPolicyUrl
#nsRenewalUrl
#nsSslServerName

# This must be present for the certificate to be a proxy certificate.
# NOTE(review): "policy:foo" appears to be the placeholder carried over
# from the OpenSSL example file; set a deliberate policy language/value
# (and review pathlen) before issuing real proxy certificates.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo