#
# OpenSSL example configuration file.

# Global (unsectioned) settings, visible to every OpenSSL command that loads
# this file.
# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
# Legacy PRNG seed file; newer OpenSSL releases seed from the OS and may
# ignore this setting.
RANDFILE		= $ENV::HOME/.rnd

####################################################################
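[ ca ]
# Section `openssl ca` uses unless -name selects another one.
default_ca = CA_default
# NOTE(review): `prompt` and `default_bits` are `openssl req` settings;
# `openssl ca` does not read them, and `req` looks for them in [ req ], so
# they are most likely inert here — confirm before relying on them.
prompt = no
# 1024-bit RSA is below the minimum current tooling accepts for new keys;
# 2048 is the smallest size that should be generated today.
default_bits = 2048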

####################################################################
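[ CA_default ]

# Root of the CA tree; every other path in this section is relative to it.
dir = .
# Issued certificates, one file per serial number.
certs = $dir/certs
# Issued CRLs.
crl_dir = $dir/crl
# Text index of every certificate this CA has signed or revoked.
database = $dir/index.txt
# Where `openssl ca` writes freshly signed certificates.
new_certs_dir = $dir/newcerts

# The CA certificate, serial counter, current CRL and signing key.
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cakey.pem
# Legacy PRNG seed file; newer OpenSSL releases seed from the OS and may
# ignore this setting.
RANDFILE = $dir/.rand

# Extension section applied to every certificate this CA signs.
x509_extensions = usr_cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

# Validity in days for new certificates, and days until the next CRL.
# NOTE(review): 2000 days (~5.5 years) is long for end-entity certificates;
# confirm it matches the deployment's rotation policy.
default_days = 2000
default_crl_days = 2000

# Signature digest. MD5 has practical collision attacks and is rejected by
# current verifiers, so certificates signed with it would not validate;
# SHA-256 is the accepted baseline.
default_md = sha256
# no = subject attributes are reordered per the policy section rather than
# kept in the order the request supplied them.
preserve = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match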

# Policy used by CA_default: a request is signed only when these attributes
# agree with the CA's own subject.
[ policy_match ]
# Must equal the CA's value.
countryName = match
stateOrProvinceName = match
organizationName = match
# May be absent from the request.
organizationalUnitName = optional
# Must equal the CA's value.
commonName = match
# May be absent from the request.
emailAddress = optional

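[ CA_usercerts ]
# Same CA material, directories and database as CA_default; the only
# difference is the policy section at the bottom (commonName is optional).

# Root of the CA tree; every other path in this section is relative to it.
dir = .
# Issued certificates, one file per serial number.
certs = $dir/certs
# Issued CRLs.
crl_dir = $dir/crl
# Text index of every certificate this CA has signed or revoked.
database = $dir/index.txt
# Where `openssl ca` writes freshly signed certificates.
new_certs_dir = $dir/newcerts

# The CA certificate, serial counter, current CRL and signing key.
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cakey.pem
# Legacy PRNG seed file; newer OpenSSL releases seed from the OS and may
# ignore this setting.
RANDFILE = $dir/.rand

# Validity in days for new certificates, and days until the next CRL.
# NOTE(review): 2000 days (~5.5 years) is long for end-entity certificates;
# confirm it matches the deployment's rotation policy.
default_days = 2000
default_crl_days = 2000

# Signature digest. MD5 has practical collision attacks and is rejected by
# current verifiers, so certificates signed with it would not validate;
# SHA-256 is the accepted baseline.
default_md = sha256
# no = subject attributes are reordered per the policy section rather than
# kept in the order the request supplied them.
preserve = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_sslxmlrpc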

# Policy used by CA_usercerts: like policy_match, except the commonName
# does not have to equal the CA's.
[ policy_sslxmlrpc ]
# Must equal the CA's value.
countryName = match
stateOrProvinceName = match
organizationName = match
# May be absent from the request.
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ usr_cert ]
# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always