#
# OpenSSL configuration (template: ca.cnf.in) for the local certificate
# authority.  Each CA_* section below is selected with 'openssl ca -name'.
#
# HOME is defined here so that the $ENV::HOME reference below still
# resolves when the process environment has no HOME set.
HOME			= .
# Seed file for the PRNG.  Harmless; newer OpenSSL releases ignore it.
RANDFILE		= $ENV::HOME/.rnd

####################################################################
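[ ca ]
default_ca	= CA_default		# The default ca section
prompt		= no
# NOTE(review): 'prompt' and 'default_bits' are 'openssl req' settings and
# do not appear to be consumed by 'openssl ca'; they look like leftovers.
# Kept for compatibility, but raised from 1024 to 2048 bits so that if
# anything does read this section it does not generate a key below the
# accepted minimum RSA size.
default_bits	= 2048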

####################################################################
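[ CA_default ]

dir		= .			# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/cakey.pem        # The private key
RANDFILE	= $dir/.rand		# private random number file
x509_extensions	= usr_cert		# The extensions to add to the cert
# Copy extensions from the request (needed for the subjectAltNames in
# apache-ops.pem).  An extension set in [usr_cert] takes precedence over
# the same extension in the request, so a CSR cannot override
# basicConstraints; keep [usr_cert] defining it.
copy_extensions = copy

# Extensions to add to a CRL.  Left commented out, which yields a V1 CRL
# (the original reason was Netscape Communicator choking on V2 CRLs).
# Enabling it needs a [crl_ext] section, which this file does not define.
# crl_extensions	= crl_ext

default_days	= 2000			# how long to certify for (~5.5 years)
default_crl_days= 2000			# how long before next CRL
# Signature digest.  SHA-1 is no longer acceptable for certificate
# signatures (collision attacks are practical and TLS clients reject
# SHA-1-signed certificates), so sign with SHA-256.
default_md	= sha256
preserve	= no			# keep passed DN ordering
# Allow more than one valid certificate for the same subject (re-issue).
unique_subject  = no

# How closely the request DN must resemble the CA's DN: 'match' fields
# must equal the CA certificate's value, 'optional' fields may hold any
# value or be absent.
policy		= policy_match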

# Strict policy used by CA_default: C, ST, O and CN must equal the CA
# certificate's values; OU and emailAddress may hold anything or be absent.
# NOTE(review): commonName = match means a certificate issued under this
# policy must carry the CA's own CN; presumably CA_default is not the
# section used for ordinary user/server certificates.
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= match
emailAddress		= optional

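[ CA_usercerts ]
dir		= .			# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/cakey.pem        # The private key
RANDFILE	= $dir/.rand		# private random number file

default_days	= 2000			# how long to certify for (~5.5 years)
default_crl_days= 2000			# how long before next CRL
# SHA-1 is no longer acceptable for certificate signatures; use SHA-256.
default_md	= sha256
preserve	= no			# keep passed DN ordering
unique_subject  = no			# allow re-issue for the same subject
# Extensions in the request are copied into the certificate.  [v3_ca]
# defines no extensions of its own, so nothing here overrides what the
# CSR asks for (basicConstraints and keyUsage included): only sign
# requests produced by trusted code.
copy_extensions = copy
x509_extensions = v3_ca # Need this to set the version number to 3

# Request DN must match the CA's C/ST/O; OU, CN and email are free-form.
policy		= policy_sslxmlrpc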

# Policy for user and system certificates: C, ST and O must equal the CA
# certificate's values; OU, CN and emailAddress may hold anything or be
# absent (the CN is presumably the user or server name, so it cannot be
# required to match the CA's).
[ policy_sslxmlrpc ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= optional
emailAddress		= optional

[ v3_ca ]
# Intentionally empty: naming an extension section (even an empty one)
# makes 'openssl ca' emit a V3 certificate.  Despite the name, this
# section is used by CA_usercerts and CA_syscerts for end-entity
# certificates, not for the CA certificate itself.
# NOTE(review): both of those sections set copy_extensions = copy, so with
# nothing defined here every extension in the CSR -- basicConstraints and
# keyUsage included -- is copied verbatim into the signed certificate.
# If none of those certificates needs to be a CA, pin
#   basicConstraints = CA:FALSE
# here (config values take precedence over the request) so that a request
# cannot be issued as a CA certificate.  Confirm against the callers first.

[ usr_cert ]
# These extensions are added when 'ca' signs a request (CA_default).

# Marks the certificate as an end-entity, not a CA.  Some software needs
# this to be explicit.  Because CA_default uses copy_extensions = copy,
# the value set here takes precedence over any basicConstraints in the
# request, so a CSR cannot turn itself into a CA certificate.
basicConstraints=CA:FALSE

# PKIX recommendations harmless if included in all certificates.
# 'keyid' (without ':always') tolerates an issuer that lacks an SKI.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

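[ CA_syscerts ]
dir		= .			# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/cakey.pem        # The private key
RANDFILE	= $dir/.rand		# private random number file

default_days	= 2000			# how long to certify for (~5.5 years)
default_crl_days= 2000			# how long before next CRL
# SHA-1 is no longer acceptable for certificate signatures; use SHA-256.
default_md	= sha256
preserve	= no			# keep passed DN ordering
unique_subject  = no			# allow re-issue for the same subject
# Request extensions are copied verbatim; [v3_ca] defines nothing that
# would override them, so only sign requests produced by trusted code.
copy_extensions = copy
policy		= policy_sslxmlrpc
# Added for update 5.16
x509_extensions = v3_ca # Need this to set the version number to 3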

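[ CA_crl ]
dir		= .			# Where everything is kept
database	= $dir/crl.txt		# database index file (separate from index.txt)
crl		= $dir/crl.pem 		# The current CRL
RANDFILE	= $dir/.rand		# private random number file
# No certificate/private_key here; presumably supplied on the command
# line (-cert/-keyfile) when the CRL is generated.
default_crl_days= 30			# how long before next CRL
# Added for update 5.10
# SHA-1 is no longer acceptable for signatures; sign the CRL with SHA-256.
default_md	= sha256		# CRL md to use
preserve	= no			# keep passed DN ordering
unique_subject  = no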

[ typical_extensions ]
# Generic end-entity extension set.  Not referenced by any section shown
# in this file; presumably selected with 'openssl ca -extensions'.
subjectKeyIdentifier=hash
# NOTE(review): 'keyid:always' (unlike 'keyid' in [usr_cert]) makes
# signing fail if the issuing certificate has no subjectKeyIdentifier.
authorityKeyIdentifier=keyid:always,issuer:always
# End-entity only; overrides any basicConstraints copied from a request.
basicConstraints = CA:false