ESGFNodeInstallation: localopenssl.cnf

File localopenssl.cnf, 9.7 KB (added by terryk, 7 years ago)
Line 
1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME                    = .
9RANDFILE                = $ENV::HOME/.rnd
10SAN                     = "email:noc@example.com"
11
12# Uncomment out to enable OpenSSL configuration see config(3)
13# openssl_conf = openssl_init
14
15# To use this configuration file with the "-extfile" option of the
16# "openssl x509" utility, name here the section containing the
17# X.509v3 extensions to use:
18# extensions            =
19# (Alternatively, use a configuration file that has only
20# X.509v3 extensions in its main [= default] section.)
21
22[openssl_init]
23# Extra OBJECT IDENTIFIER info:
24oid_section = new_oids
25alg_section = algs
26
27[ new_oids ]
28
29# We can add new OIDs in here for use by any config aware application
30# Add a simple OID like this:
31# shortname=Long Object Identifier Name, 1.2.3.4
32# Or use config file substitution like this:
33# testoid2=OID2 LONG NAME, ${testoid1}.5.6, OTHER OID
34
35[ algs ]
36# Algorithm configuration options. Currently just fips_mode
37fips_mode = no
38
39####################################################################
40[ ca ]
41default_ca      = CA_default            # The default ca section
42
43####################################################################
44[ CA_default ]
45
46dir             = ../../CA              # Where everything is kept
47certs           = $dir/certs            # Where the issued certs are kept
48crl_dir         = $dir/crl              # Where the issued crl are kept
49database        = $dir/index.txt        # database index file.
50#unique_subject = no                    # Set to 'no' to allow creation of
51                                        # several ctificates with same subject.
52new_certs_dir   = $dir/newcerts         # default place for new certs.
53
54certificate     = $dir/cacert.pem       # The CA certificate
55serial          = $dir/serial           # The current serial number
56crlnumber       = $dir/crlnumber        # the current crl number
57                                        # must be commented out to leave a V1 CRL
58crl             = $dir/crl.pem          # The current CRL
59private_key     = $dir/private/cakey.pem# The private key
60RANDFILE        = $dir/private/.rand    # private random number file
61
62x509_extensions = usr_cert              # The extentions to add to the cert
63
64# Comment out the following two lines for the "traditional"
65# (and highly broken) format.
66name_opt        = ca_default            # Subject Name options
67cert_opt        = ca_default            # Certificate field options
68
69# Extension copying option: use with caution.
70#copy_extensions = copy
71
72# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
73# so this is commented out by default to leave a V1 CRL.
74# crlnumber must also be commented out to leave a V1 CRL.
75# crl_extensions        = crl_ext
76
77default_days    = 365                   # how long to certify for
78default_crl_days= 30                    # how long before next CRL
79default_md      = sha1                  # which md to use.
80preserve        = no                    # keep passed DN ordering
81
82# A few difference way of specifying how similar the request should look
83# For type CA, the listed attributes must be the same, and the optional
84# and supplied fields are just that :-)
85policy          = policy_match
86
87# For the CA policy
88[ policy_match ]
89countryName             = match
90stateOrProvinceName     = match
91organizationName        = match
92organizationalUnitName  = optional
93commonName              = supplied
94emailAddress            = optional
95
96# For the 'anything' policy
97# At this point in time, you must list all acceptable 'object'
98# types.
99[ policy_anything ]
100countryName             = optional
101stateOrProvinceName     = optional
102localityName            = optional
103organizationName        = optional
104organizationalUnitName  = optional
105commonName              = supplied
106emailAddress            = optional
107
108####################################################################
109[ req ]
110default_bits            = 1024
111default_md              = sha1
112default_keyfile         = privkey.pem
113distinguished_name      = req_distinguished_name
114attributes              = req_attributes
115x509_extensions = v3_ca # The extentions to add to the self signed cert
116
117# Passwords for private keys if not present they will be prompted for
118# input_password = secret
119# output_password = secret
120
121# This sets a mask for permitted string types. There are several options.
122# default: PrintableString, T61String, BMPString.
123# pkix   : PrintableString, BMPString.
124# utf8only: only UTF8Strings.
125# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
126# MASK:XXXX a literal mask value.
127# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
128# so use this option with caution!
129# we use PrintableString+UTF8String mask so if pure ASCII texts are used
130# the resulting certificates are compatible with Netscape
131string_mask = MASK:0x2002
132
133req_extensions = v3_req # The extensions to add to a certificate request
134
135[ req_distinguished_name ]
136countryName                     = Country Name (2 letter code)
137countryName_default             = GB
138countryName_min                 = 2
139countryName_max                 = 2
140
141stateOrProvinceName             = State or Province Name (full name)
142stateOrProvinceName_default     = Berkshire
143
144localityName                    = Locality Name (eg, city)
145localityName_default            = Newbury
146
1470.organizationName              = Organization Name (eg, company)
1480.organizationName_default      = My Company Ltd
149
150# we can do this but it is not needed normally :-)
151#1.organizationName             = Second Organization Name (eg, company)
152#1.organizationName_default     = World Wide Web Pty Ltd
153
154organizationalUnitName          = Organizational Unit Name (eg, section)
155#organizationalUnitName_default =
156
157commonName                      = Common Name (eg, your name or your server\'s hostname)
158commonName_max                  = 64
159
160emailAddress                    = Email Address
161emailAddress_max                = 64
162
163# SET-ex3                       = SET extension number 3
164
165[ req_attributes ]
166challengePassword               = A challenge password
167challengePassword_min           = 4
168challengePassword_max           = 20
169
170unstructuredName                = An optional company name
171
172[ usr_cert ]
173
174# These extensions are added when 'ca' signs a request.
175
176# This goes against PKIX guidelines but some CAs do it and some software
177# requires this to avoid interpreting an end user certificate as a CA.
178
179basicConstraints=CA:FALSE
180
181# Here are some examples of the usage of nsCertType. If it is omitted
182# the certificate can be used for anything *except* object signing.
183
184# This is OK for an SSL server.
185# nsCertType                    = server
186
187# For an object signing certificate this would be used.
188# nsCertType = objsign
189
190# For normal client use this is typical
191# nsCertType = client, email
192
193# and for everything including object signing:
194# nsCertType = client, email, objsign
195
196# This is typical in keyUsage for a client certificate.
197# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
198
199# This will be displayed in Netscape's comment listbox.
200nsComment                       = "OpenSSL Generated Certificate"
201
202# PKIX recommendations harmless if included in all certificates.
203subjectKeyIdentifier=hash
204authorityKeyIdentifier=keyid,issuer
205
206# This stuff is for subjectAltName and issuerAltname.
207# Import the email address.
208# subjectAltName=email:copy
209# An alternative to produce certificates that aren't
210# deprecated according to PKIX.
211# subjectAltName=email:move
212
213# Copy subject details
214# issuerAltName=issuer:copy
215
216#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
217#nsBaseUrl
218#nsRevocationUrl
219#nsRenewalUrl
220#nsCaPolicyUrl
221#nsSslServerName
222
223[ v3_req ]
224
225# Extensions to add to a certificate request
226
227basicConstraints = CA:FALSE
228keyUsage = nonRepudiation, digitalSignature, keyEncipherment
229subjectAltName=${ENV::SAN}
230
231[ v3_ca ]
232
233
234# Extensions for a typical CA
235
236
237# PKIX recommendation.
238
239subjectKeyIdentifier=hash
240
241authorityKeyIdentifier=keyid:always,issuer:always
242
243# This is what PKIX recommends but some broken software chokes on critical
244# extensions.
245#basicConstraints = critical,CA:true
246# So we do this instead.
247basicConstraints = CA:true
248
249# Key usage: this is typical for a CA certificate. However since it will
250# prevent it being used as an test self-signed certificate it is best
251# left out by default.
252# keyUsage = cRLSign, keyCertSign
253
254# Some might want this also
255# nsCertType = sslCA, emailCA
256
257# Include email address in subject alt name: another PKIX recommendation
258# subjectAltName=email:copy
259# Copy issuer details
260# issuerAltName=issuer:copy
261
262# DER hex encoding of an extension: beware experts only!
263# obj=DER:02:03
264# Where 'obj' is a standard or added object
265# You can even override a supported extension:
266# basicConstraints= critical, DER:30:03:01:01:FF
267
268[ crl_ext ]
269
270# CRL extensions.
271# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
272
273# issuerAltName=issuer:copy
274authorityKeyIdentifier=keyid:always,issuer:always
275
276[ proxy_cert_ext ]
277# These extensions should be added when creating a proxy certificate
278
279# This goes against PKIX guidelines but some CAs do it and some software
280# requires this to avoid interpreting an end user certificate as a CA.
281
282basicConstraints=CA:FALSE
283
284# Here are some examples of the usage of nsCertType. If it is omitted
285# the certificate can be used for anything *except* object signing.
286
287# This is OK for an SSL server.
288# nsCertType                    = server
289
290# For an object signing certificate this would be used.
291# nsCertType = objsign
292
293# For normal client use this is typical
294# nsCertType = client, email
295
296# and for everything including object signing:
297# nsCertType = client, email, objsign
298
299# This is typical in keyUsage for a client certificate.
300# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
301
302# This will be displayed in Netscape's comment listbox.
303nsComment                       = "OpenSSL Generated Certificate"
304
305# PKIX recommendations harmless if included in all certificates.
306subjectKeyIdentifier=hash
307authorityKeyIdentifier=keyid,issuer:always
308
309# This stuff is for subjectAltName and issuerAltname.
310# Import the email address.
311# subjectAltName=email:copy
312# An alternative to produce certificates that aren't
313# deprecated according to PKIX.
314# subjectAltName=email:move
315
316# Copy subject details
317# issuerAltName=issuer:copy
318
319#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
320#nsBaseUrl
321#nsRevocationUrl
322#nsRenewalUrl
323#nsCaPolicyUrl
324#nsSslServerName
325
326# This really needs to be in place for it to be a proxy certificate.
327proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo