Gitiles
Code Review Sign In
192.168.1.100 / T106_DC / 9ed821d7e5d875a3395740a9cc2545671fa429b7 / . / ap / lib / libssl / openssl-1.1.1o / apps / openssl.cnf
blob: 4acca4b0446f536598cc1b127b0975294c928c58 [file] [log] [blame]
lh9ed821d2023-04-07 01:36:19 -0700[diff] [blame^]1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# Note that you can include other files from the main configuration
7# file using the .include directive.
8#.include filename
9
10# This definition stops the following lines choking if HOME isn't
11# defined.
12HOME = .
13
14# Extra OBJECT IDENTIFIER info:
15#oid_file = $ENV::HOME/.oid
16oid_section = new_oids
17
18# To use this configuration file with the "-extfile" option of the
19# "openssl x509" utility, name here the section containing the
20# X.509v3 extensions to use:
21# extensions =
22# (Alternatively, use a configuration file that has only
23# X.509v3 extensions in its main [= default] section.)
24
25[ new_oids ]
26
27# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
28# Add a simple OID like this:
29# testoid1=1.2.3.4
30# Or use config file substitution like this:
31# testoid2=${testoid1}.5.6
32
33# Policies used by the TSA examples.
34tsa_policy1 = 1.2.3.4.1
35tsa_policy2 = 1.2.3.4.5.6
36tsa_policy3 = 1.2.3.4.5.7
37
38####################################################################
39[ ca ]
40default_ca = CA_default # The default ca section
41
42####################################################################
43[ CA_default ]
44
45dir = ./demoCA # Where everything is kept
46certs = $dir/certs # Where the issued certs are kept
47crl_dir = $dir/crl # Where the issued crl are kept
48database = $dir/index.txt # database index file.
49#unique_subject = no # Set to 'no' to allow creation of
50 # several certs with same subject.
51new_certs_dir = $dir/newcerts # default place for new certs.
52
53certificate = $dir/cacert.pem # The CA certificate
54serial = $dir/serial # The current serial number
55crlnumber = $dir/crlnumber # the current crl number
56 # must be commented out to leave a V1 CRL
57crl = $dir/crl.pem # The current CRL
58private_key = $dir/private/cakey.pem# The private key
59
60x509_extensions = usr_cert # The extensions to add to the cert
61
62# Comment out the following two lines for the "traditional"
63# (and highly broken) format.
64name_opt = ca_default # Subject Name options
65cert_opt = ca_default # Certificate field options
66
67# Extension copying option: use with caution.
68# copy_extensions = copy
69
70# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
71# so this is commented out by default to leave a V1 CRL.
72# crlnumber must also be commented out to leave a V1 CRL.
73# crl_extensions = crl_ext
74
75default_days = 365 # how long to certify for
76default_crl_days= 30 # how long before next CRL
77default_md = default # use public key default MD
78preserve = no # keep passed DN ordering
79
80# A few difference way of specifying how similar the request should look
81# For type CA, the listed attributes must be the same, and the optional
82# and supplied fields are just that :-)
83policy = policy_match
84
85# For the CA policy
86[ policy_match ]
87countryName = match
88stateOrProvinceName = match
89organizationName = match
90organizationalUnitName = optional
91commonName = supplied
92emailAddress = optional
93
94# For the 'anything' policy
95# At this point in time, you must list all acceptable 'object'
96# types.
97[ policy_anything ]
98countryName = optional
99stateOrProvinceName = optional
100localityName = optional
101organizationName = optional
102organizationalUnitName = optional
103commonName = supplied
104emailAddress = optional
105
106####################################################################
107[ req ]
108default_bits = 2048
109default_keyfile = privkey.pem
110distinguished_name = req_distinguished_name
111attributes = req_attributes
112x509_extensions = v3_ca # The extensions to add to the self signed cert
113
114# Passwords for private keys if not present they will be prompted for
115# input_password = secret
116# output_password = secret
117
118# This sets a mask for permitted string types. There are several options.
119# default: PrintableString, T61String, BMPString.
120# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
121# utf8only: only UTF8Strings (PKIX recommendation after 2004).
122# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
123# MASK:XXXX a literal mask value.
124# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
125string_mask = utf8only
126
127# req_extensions = v3_req # The extensions to add to a certificate request
128
129[ req_distinguished_name ]
130countryName = Country Name (2 letter code)
131countryName_default = AU
132countryName_min = 2
133countryName_max = 2
134
135stateOrProvinceName = State or Province Name (full name)
136stateOrProvinceName_default = Some-State
137
138localityName = Locality Name (eg, city)
139
1400.organizationName = Organization Name (eg, company)
1410.organizationName_default = Internet Widgits Pty Ltd
142
143# we can do this but it is not needed normally :-)
144#1.organizationName = Second Organization Name (eg, company)
145#1.organizationName_default = World Wide Web Pty Ltd
146
147organizationalUnitName = Organizational Unit Name (eg, section)
148#organizationalUnitName_default =
149
150commonName = Common Name (e.g. server FQDN or YOUR name)
151commonName_max = 64
152
153emailAddress = Email Address
154emailAddress_max = 64
155
156# SET-ex3 = SET extension number 3
157
158[ req_attributes ]
159challengePassword = A challenge password
160challengePassword_min = 4
161challengePassword_max = 20
162
163unstructuredName = An optional company name
164
165[ usr_cert ]
166
167# These extensions are added when 'ca' signs a request.
168
169# This goes against PKIX guidelines but some CAs do it and some software
170# requires this to avoid interpreting an end user certificate as a CA.
171
172basicConstraints=CA:FALSE
173
174# Here are some examples of the usage of nsCertType. If it is omitted
175# the certificate can be used for anything *except* object signing.
176
177# This is OK for an SSL server.
178# nsCertType = server
179
180# For an object signing certificate this would be used.
181# nsCertType = objsign
182
183# For normal client use this is typical
184# nsCertType = client, email
185
186# and for everything including object signing:
187# nsCertType = client, email, objsign
188
189# This is typical in keyUsage for a client certificate.
190# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
191
192# This will be displayed in Netscape's comment listbox.
193nsComment = "OpenSSL Generated Certificate"
194
195# PKIX recommendations harmless if included in all certificates.
196subjectKeyIdentifier=hash
197authorityKeyIdentifier=keyid,issuer
198
199# This stuff is for subjectAltName and issuerAltname.
200# Import the email address.
201# subjectAltName=email:copy
202# An alternative to produce certificates that aren't
203# deprecated according to PKIX.
204# subjectAltName=email:move
205
206# Copy subject details
207# issuerAltName=issuer:copy
208
209#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
210#nsBaseUrl
211#nsRevocationUrl
212#nsRenewalUrl
213#nsCaPolicyUrl
214#nsSslServerName
215
216# This is required for TSA certificates.
217# extendedKeyUsage = critical,timeStamping
218
219[ v3_req ]
220
221# Extensions to add to a certificate request
222
223basicConstraints = CA:FALSE
224keyUsage = nonRepudiation, digitalSignature, keyEncipherment
225
226[ v3_ca ]
227
228
229# Extensions for a typical CA
230
231
232# PKIX recommendation.
233
234subjectKeyIdentifier=hash
235
236authorityKeyIdentifier=keyid:always,issuer
237
238basicConstraints = critical,CA:true
239
240# Key usage: this is typical for a CA certificate. However since it will
241# prevent it being used as an test self-signed certificate it is best
242# left out by default.
243# keyUsage = cRLSign, keyCertSign
244
245# Some might want this also
246# nsCertType = sslCA, emailCA
247
248# Include email address in subject alt name: another PKIX recommendation
249# subjectAltName=email:copy
250# Copy issuer details
251# issuerAltName=issuer:copy
252
253# DER hex encoding of an extension: beware experts only!
254# obj=DER:02:03
255# Where 'obj' is a standard or added object
256# You can even override a supported extension:
257# basicConstraints= critical, DER:30:03:01:01:FF
258
259[ crl_ext ]
260
261# CRL extensions.
262# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
263
264# issuerAltName=issuer:copy
265authorityKeyIdentifier=keyid:always
266
267[ proxy_cert_ext ]
268# These extensions should be added when creating a proxy certificate
269
270# This goes against PKIX guidelines but some CAs do it and some software
271# requires this to avoid interpreting an end user certificate as a CA.
272
273basicConstraints=CA:FALSE
274
275# Here are some examples of the usage of nsCertType. If it is omitted
276# the certificate can be used for anything *except* object signing.
277
278# This is OK for an SSL server.
279# nsCertType = server
280
281# For an object signing certificate this would be used.
282# nsCertType = objsign
283
284# For normal client use this is typical
285# nsCertType = client, email
286
287# and for everything including object signing:
288# nsCertType = client, email, objsign
289
290# This is typical in keyUsage for a client certificate.
291# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
292
293# This will be displayed in Netscape's comment listbox.
294nsComment = "OpenSSL Generated Certificate"
295
296# PKIX recommendations harmless if included in all certificates.
297subjectKeyIdentifier=hash
298authorityKeyIdentifier=keyid,issuer
299
300# This stuff is for subjectAltName and issuerAltname.
301# Import the email address.
302# subjectAltName=email:copy
303# An alternative to produce certificates that aren't
304# deprecated according to PKIX.
305# subjectAltName=email:move
306
307# Copy subject details
308# issuerAltName=issuer:copy
309
310#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
311#nsBaseUrl
312#nsRevocationUrl
313#nsRenewalUrl
314#nsCaPolicyUrl
315#nsSslServerName
316
317# This really needs to be in place for it to be a proxy certificate.
318proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
319
320####################################################################
321[ tsa ]
322
323default_tsa = tsa_config1 # the default TSA section
324
325[ tsa_config1 ]
326
327# These are used by the TSA reply generation only.
328dir = ./demoCA # TSA root directory
329serial = $dir/tsaserial # The current serial number (mandatory)
330crypto_device = builtin # OpenSSL engine to use for signing
331signer_cert = $dir/tsacert.pem # The TSA signing certificate
332 # (optional)
333certs = $dir/cacert.pem # Certificate chain to include in reply
334 # (optional)
335signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
336signer_digest = sha256 # Signing digest to use. (Optional)
337default_policy = tsa_policy1 # Policy if request did not specify it
338 # (optional)
339other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
340digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
341accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
342clock_precision_digits = 0 # number of digits after dot. (optional)
343ordering = yes # Is ordering defined for timestamps?
344 # (optional, default: no)
345tsa_name = yes # Must the TSA name be included in the reply?
346 # (optional, default: no)
347ess_cert_id_chain = no # Must the ESS cert id chain be included?
348 # (optional, default: no)
349ess_cert_id_alg = sha1 # algorithm to compute certificate
350 # identifier (optional, default: sha1)