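#
# Sample OpenSSL configuration
#
#############################################################
# Read by the openssl(1) command-line tool ('req', 'ca', 'crl', 'ts').
# $ENV::NAME looks NAME up in the environment and falls back to the
# same-named key in this default section, so every path below is
# relative to CA_DIR unless the environment overrides it.
#
# Modify according to your needs
CA_DIR = .
RANDFILE = $ENV::CA_DIR/.rnd

# Bits for newly generated RSA keys. 2048 is the accepted floor;
# consider 3072 or 4096 for a long-lived CA key.
KEY_SIZE = 2048
KEY_COUNTRY = ES
KEY_PROVINCE = Cantabria
KEY_CITY = Santander
KEY_ORG = Universidad de Cantabria
KEY_ORGUNIT = Seguridad en redes de comunicaciones
KEY_EMAIL =

#############################################################
openssl_conf = openssl_init

[ openssl_init ]
oid_section = new_oids
engines = engine_section

[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

# No engines are configured; the section must still exist because
# openssl_init refers to it.
[ engine_section ]

[ ca ]
default_ca = CA_default

[ CA_default ]
# Where everything is kept
dir = $ENV::CA_DIR
# Where the issued certs are kept
certs = $dir/certs
# Database index file
database = $dir/index.txt
# Default place for new certs.
new_certs_dir = $certs
# The CA certificate
certificate = $dir/ca.crt.pem
# The current serial number
serial = $dir/serial
# Where the issued crl are kept
crl_dir = $dir/crl
# The current crl number
crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/crl.pem
# The private key
private_key = $dir/private/ca.key.pem
# Private random number file
RANDFILE = $dir/private/.rand
# The extensions to add to the cert (see [ usr_cert ] below)
x509_extensions = usr_cert
# How long to certify for
default_days = 365
# Extensions to add to a CRL. Together with crlnumber above this yields
# a V2 CRL; comment out both lines to fall back to a V1 CRL, which is
# only needed for very old clients.
crl_extensions = crl_ext
# How long before next CRL
default_crl_days = 30
# IMPORTANT: The next must no longer be md5 (nor sha1).
# 'default' would also resolve to SHA-256 on current OpenSSL releases,
# but pinning it keeps the signing digest explicit and auditable.
default_md = sha256
# Keep passed DN ordering
preserve = no
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions used when 'req -x509' creates the self-signed CA certificate
x509_extensions = v3_ca
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::KEY_ORGUNIT
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

# These extensions are added when 'ca' signs a request (x509_extensions
# in CA_default). An empty section would issue certificates with no
# basicConstraints or keyUsage at all; these mark the certificate as an
# end entity, so it can never be accepted as an issuer, and bind it to
# the signing CA.
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = nonRepudiation,digitalSignature,keyEncipherment

# Same as usr_cert plus the TLS server purpose. Select it with
# 'ca -extensions server_cert'. Modern clients also require a
# subjectAltName matching the hostname; carry it over from the request
# (copy_extensions in CA_default) or add a subjectAltName line here.
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth

# Extensions to add to a certificate request
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment

# Extensions for a typical CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# PKIX (RFC 5280) requires basicConstraints to be critical on a CA
# certificate. Only very old software chokes on critical extensions;
# drop 'critical,' if such a client must be supported.
basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate and restricts the key
# to signing certificates and CRLs. Remove this line only if the
# certificate is also to serve as a test self-signed end-entity cert.
keyUsage = critical, cRLSign, keyCertSign

# CRL extensions
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

[ tsa ]
# the default TSA section
default_tsa = tsa_config1

# These are used by the TSA reply generation only.
[ tsa_config1 ]
# TSA root directory
dir = $ENV::CA_DIR
# The current serial number (mandatory)
serial = $dir/tsaserial
# OpenSSL engine to use for signing
crypto_device = builtin
# The TSA signing certificate (optional)
signer_cert = $dir/tsa.crt.pem
# Certificate chain to include in reply (optional). Points at the CA
# certificate named in CA_default.
certs = $dir/ca.crt.pem
# The TSA private key (optional)
signer_key = $dir/private/tsakey.pem
# Policy if request did not specify it
default_policy = tsa_policy1
# acceptable policies (optional)
#other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests for the imprint (mandatory). MD5 and SHA-1
# are collision-broken, which would let one timestamp vouch for a
# different document, so only the SHA-2 family is accepted.
digests = sha256, sha384, sha512
# (optional)
accuracy = secs:1, millisecs:500, microsecs:100
# number of digits after dot. (optional)
clock_precision_digits = 0
# Is ordering defined for timestamps? (optional, default: no)
ordering = yes
# Must the TSA name be included in the reply? (optional, default: no)
tsa_name = yes
# Must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_chain = no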