Changeset 45:7ecc7152123b in freeDiameter for contrib/ca_script2/openssl.cnf
- Timestamp:
- Nov 26, 2009, 6:31:48 PM (14 years ago)
- Branch:
- default
- Phase:
- public
- File:
-
- 1 edited
contrib/ca_script2/openssl.cnf
r44 r45 1 # 2 # OpenSSL example configuration file. 3 # This is mostly being used for generation of certificate requests. 4 # 1 # Note: for this file to be working, an environment var CA_ROOT_DIR = directory 2 # must be defined and pointing to the CA top-level directory. 5 3 6 # This definition stops the following lines choking if HOME isn't7 # defined.8 4 HOME = . 9 5 RANDFILE = $ENV::HOME/.rnd 10 6 11 # Extra OBJECT IDENTIFIER info:12 #oid_file = $ENV::HOME/.oid13 7 oid_section = new_oids 14 15 # To use this configuration file with the "-extfile" option of the16 # "openssl x509" utility, name here the section containing the17 # X.509v3 extensions to use:18 # extensions =19 # (Alternatively, use a configuration file that has only20 # X.509v3 extensions in its main [= default] section.)21 8 22 9 [ new_oids ] 23 10 24 # We can add new OIDs in here for use by 'ca' and 'req'. 25 # Add a simple OID like this: 26 # testoid1=1.2.3.4 27 # Or use config file substitution like this: 28 # testoid2=${testoid1}.5.6 11 12 #################################################################### 13 [ req ] 14 default_bits = 1024 15 # default_keyfile = privkey.pem 16 string_mask = utf8only 17 18 distinguished_name = req_distinguished_name 19 attributes = req_attributes 20 req_extensions = v3_req # overwrite with -reqexts 21 x509_extensions = ca_cert # overwrite with -extensions; used for self-signed keys only 22 23 [ req_distinguished_name ] 24 countryName = Country Name (2 letter code) 25 countryName_default = JP 26 countryName_min = 2 27 countryName_max = 2 28 stateOrProvinceName = State or Province Name (full name) 29 stateOrProvinceName_default = Tokyo 30 localityName = Locality Name (eg, city) 31 localityName_default = Koganei 32 0.organizationName = Organization Name (eg, company) 33 0.organizationName_default = WIDE 34 1.organizationName = Second Organization Name (eg, company) 35 1.organizationName_default = NICT 36 organizationalUnitName = Organizational Unit Name (eg, 
section) 37 organizationalUnitName_default = AAA WG testbed 38 39 [ req_attributes ] 40 challengePassword = A challenge password 41 challengePassword_min = 0 42 challengePassword_max = 20 43 unstructuredName = An optional company name 44 45 [ v3_req ] 46 # Extensions to add to a certificate request 47 basicConstraints = CA:FALSE 48 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 49 50 [ v3_req_ca ] 51 # Extensions to add to a certificate request for CA 52 basicConstraints = CA:TRUE 53 29 54 30 55 #################################################################### … … 32 57 default_ca = CA_default # The default ca section 33 58 34 ####################################################################35 59 [ CA_default ] 36 60 37 dir = /etc/openssl-ca# Where everything is kept61 dir = $ENV::CA_ROOT_DIR # Where everything is kept 38 62 certs = $dir/certs # Where the issued certs are kept 39 63 crl_dir = $dir/crl # Where the issued crl are kept … … 45 69 certificate = $dir/public-www/cacert.pem # The CA certificate 46 70 serial = $dir/serial # The current serial number 47 # crlnumber = $dir/crlnumber # the current crl number 48 # must be commented out to leave a V1 CRL 71 crlnumber = $dir/crlnumber # the current crl number 49 72 crl = $dir/public-www/crl.pem # The current CRL 50 private_key = $dir/private/cakey.pem# The private key 51 RANDFILE = $dir/private/.rand # private random number file 52 73 private_key = $dir/private/cakey.pem # The private key 53 74 x509_extensions = usr_cert # The extentions to add to the cert 54 55 # Comment out the following two lines for the "traditional" 56 # (and highly broken) format. 75 # overwrite with -extensions 57 76 name_opt = ca_default # Subject Name options 58 77 cert_opt = ca_default # Certificate field options 78 crl_extensions = crl_ext 59 79 60 # Extension copying option: use with caution. 61 # copy_extensions = copy 62 63 # Extensions to add to a CRL. 
Note: Netscape communicator chokes on V2 CRLs 64 # so this is commented out by default to leave a V1 CRL. 65 # crlnumber must also be commented out to leave a V1 CRL. 66 # crl_extensions = crl_ext 67 68 default_days = 365 # how long to certify for 69 default_crl_days= 30 # how long before next CRL 80 default_days = 3650 # how long to certify for 81 default_crl_days= 365 # how long before next CRL 70 82 default_md = sha1 # which md to use. 71 83 preserve = no # keep passed DN ordering 72 84 73 # A few difference way of specifying how similar the request should look 74 # For type CA, the listed attributes must be the same, and the optional 75 # and supplied fields are just that :-) 76 # policy = policy_match 85 # We accept to sign anything, but a real deployment would limit to proper domain etc... 77 86 policy = policy_anything 78 87 79 # For the CA policy80 [ policy_match ]81 countryName = match82 stateOrProvinceName = match83 organizationName = match84 organizationalUnitName = optional85 commonName = supplied86 emailAddress = optional87 88 # For the 'anything' policy89 # At this point in time, you must list all acceptable 'object'90 # types.91 88 [ policy_anything ] 92 89 countryName = optional … … 98 95 emailAddress = optional 99 96 100 ####################################################################101 [ req ]102 default_bits = 1024103 default_keyfile = privkey.pem104 distinguished_name = req_distinguished_name105 attributes = req_attributes106 x509_extensions = v3_ca # The extentions to add to the self signed cert107 108 # Passwords for private keys if not present they will be prompted for109 # input_password = fdsecret110 # output_password = fdsecret111 112 # This sets a mask for permitted string types. 
There are several options.113 # default: PrintableString, T61String, BMPString.114 # pkix : PrintableString, BMPString.115 # utf8only: only UTF8Strings.116 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).117 # MASK:XXXX a literal mask value.118 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings119 # so use this option with caution!120 string_mask = utf8only121 122 # req_extensions = v3_req # The extensions to add to a certificate request123 124 [ req_distinguished_name ]125 countryName = Country Name (2 letter code)126 countryName_default = JP127 countryName_min = 2128 countryName_max = 2129 130 stateOrProvinceName = State or Province Name (full name)131 stateOrProvinceName_default = Tokyo132 133 localityName = Locality Name (eg, city)134 localityName_default = Koganei135 136 0.organizationName = Organization Name (eg, company)137 0.organizationName_default = WIDE138 139 # we can do this but it is not needed normally :-)140 1.organizationName = Second Organization Name (eg, company)141 1.organizationName_default = NICT142 143 organizationalUnitName = Organizational Unit Name (eg, section)144 organizationalUnitName_default = AAA WG145 146 commonName = Common Name (i.e. Diameter Agent hostname)147 commonName_max = 64148 149 emailAddress = Email Address (i.e. Diameter agent administrator)150 emailAddress_max = 64151 152 # SET-ex3 = SET extension number 3153 154 [ req_attributes ]155 challengePassword = A challenge password156 challengePassword_min = 0157 challengePassword_max = 20158 159 unstructuredName = An optional company name160 161 97 [ usr_cert ] 162 163 # These extensions are added when 'ca' signs a request.164 165 # This goes against PKIX guidelines but some CAs do it and some software166 # requires this to avoid interpreting an end user certificate as a CA.167 168 98 basicConstraints=CA:FALSE 169 170 # Here are some examples of the usage of nsCertType. 
If it is omitted171 # the certificate can be used for anything *except* object signing.172 173 # This is OK for an SSL server.174 # nsCertType = server175 176 # For an object signing certificate this would be used.177 # nsCertType = objsign178 179 # For normal client use this is typical180 # nsCertType = client, email181 182 # and for everything including object signing:183 # nsCertType = client, email, objsign184 185 99 # This is typical in keyUsage for a client certificate. 186 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 187 188 # This will be displayed in Netscape's comment listbox. 189 nsComment = "OpenSSL Generated Certificate" 190 191 # PKIX recommendations harmless if included in all certificates. 100 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 192 101 subjectKeyIdentifier=hash 193 102 authorityKeyIdentifier=keyid,issuer 194 103 195 # This stuff is for subjectAltName and issuerAltname. 196 # Import the email address. 197 # subjectAltName=email:copy 198 # An alternative to produce certificates that aren't 199 # deprecated according to PKIX. 200 # subjectAltName=email:move 201 202 # Copy subject details 203 # issuerAltName=issuer:copy 204 205 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 206 #nsBaseUrl 207 #nsRevocationUrl 208 #nsRenewalUrl 209 #nsCaPolicyUrl 210 #nsSslServerName 211 212 [ v3_req ] 213 214 # Extensions to add to a certificate request 215 216 basicConstraints = CA:FALSE 217 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 218 219 [ v3_ca ] 220 221 104 [ ca_cert ] 222 105 # Extensions for a typical CA 223 224 225 # PKIX recommendation.226 227 106 subjectKeyIdentifier=hash 228 229 107 authorityKeyIdentifier=keyid:always,issuer:always 230 231 # This is what PKIX recommends but some broken software chokes on critical 232 # extensions. 233 #basicConstraints = critical,CA:true 234 # So we do this instead. 235 basicConstraints = CA:true 236 237 # Key usage: this is typical for a CA certificate. 
However since it will 238 # prevent it being used as an test self-signed certificate it is best 239 # left out by default. 240 # keyUsage = cRLSign, keyCertSign 241 242 # Some might want this also 243 # nsCertType = sslCA, emailCA 244 245 # Include email address in subject alt name: another PKIX recommendation 108 basicConstraints = critical,CA:true # Remove "critical," in case of problems 109 keyUsage = cRLSign, keyCertSign 246 110 # subjectAltName=email:copy 247 111 # Copy issuer details 248 112 # issuerAltName=issuer:copy 249 113 250 # DER hex encoding of an extension: beware experts only!251 # obj=DER:02:03252 # Where 'obj' is a standard or added object253 # You can even override a supported extension:254 # basicConstraints= critical, DER:30:03:01:01:FF255 256 114 [ crl_ext ] 257 258 115 # CRL extensions. 259 116 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 260 261 117 # issuerAltName=issuer:copy 262 118 authorityKeyIdentifier=keyid:always,issuer:always 263 119 264 [ proxy_cert_ext ]265 # These extensions should be added when creating a proxy certificate266 120 267 # This goes against PKIX guidelines but some CAs do it and some software268 # requires this to avoid interpreting an end user certificate as a CA.269 270 basicConstraints=CA:FALSE271 272 # Here are some examples of the usage of nsCertType. 
If it is omitted273 # the certificate can be used for anything *except* object signing.274 275 # This is OK for an SSL server.276 # nsCertType = server277 278 # For an object signing certificate this would be used.279 # nsCertType = objsign280 281 # For normal client use this is typical282 # nsCertType = client, email283 284 # and for everything including object signing:285 # nsCertType = client, email, objsign286 287 # This is typical in keyUsage for a client certificate.288 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment289 290 # This will be displayed in Netscape's comment listbox.291 nsComment = "OpenSSL Generated Certificate"292 293 # PKIX recommendations harmless if included in all certificates.294 subjectKeyIdentifier=hash295 authorityKeyIdentifier=keyid,issuer:always296 297 # This stuff is for subjectAltName and issuerAltname.298 # Import the email address.299 # subjectAltName=email:copy300 # An alternative to produce certificates that aren't301 # deprecated according to PKIX.302 # subjectAltName=email:move303 304 # Copy subject details305 # issuerAltName=issuer:copy306 307 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem308 #nsBaseUrl309 #nsRevocationUrl310 #nsRenewalUrl311 #nsCaPolicyUrl312 #nsSslServerName313 314 # This really needs to be in place for it to be a proxy certificate.315 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
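Review bot: The new `[ req_distinguished_name ]` (new lines 23–37) no longer carries the `commonName` and `emailAddress` prompts that the removed block had (`commonName = Common Name (i.e. Diameter Agent hostname)`, `commonName_max = 64`), so `openssl req` driven by this file will not ask for a CN unless the ca_script2 tooling passes the subject with `-subj`; if it does not, agent certificates end up without a hostname in the subject. If the scripts do supply it, a comment above the section such as `# commonName and emailAddress are supplied by the scripts via -subj` would make that dependency explicit. Separately, `default_bits = 1024` in the new `[ req ]` section and the retained `default_md = sha1` in `[ CA_default ]` are below current strength recommendations for a CA; `default_bits = 2048` and `default_md = sha256` are the usual minimums today. The `[ policy_anything ]` body is collapsed in this view, so whether it still demands `commonName = supplied` (which would make the CA reject CN-less requests) cannot be confirmed from here.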