2
0

openssl-vms.cnf 9.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313
  1. #
  2. # OpenSSL example configuration file.
  3. # This is mostly being used for generation of certificate requests.
  4. #
  5. # This definition stops the following lines choking if HOME isn't
  6. # defined.
  7. HOME = .
  8. RANDFILE = $ENV::HOME/.rnd
  9. # Extra OBJECT IDENTIFIER info:
  10. #oid_file = $ENV::HOME/.oid
  11. oid_section = new_oids
  12. # To use this configuration file with the "-extfile" option of the
  13. # "openssl x509" utility, name here the section containing the
  14. # X.509v3 extensions to use:
  15. # extensions =
  16. # (Alternatively, use a configuration file that has only
  17. # X.509v3 extensions in its main [= default] section.)
  18. [ new_oids ]
  19. # We can add new OIDs in here for use by 'ca' and 'req'.
  20. # Add a simple OID like this:
  21. # testoid1=1.2.3.4
  22. # Or use config file substitution like this:
  23. # testoid2=${testoid1}.5.6
  24. ####################################################################
  25. [ ca ]
  26. default_ca = CA_default # The default ca section
  27. ####################################################################
  28. [ CA_default ]
  29. dir = sys\$disk:[.demoCA # Where everything is kept
  30. certs = $dir.certs] # Where the issued certs are kept
  31. crl_dir = $dir.crl] # Where the issued crl are kept
  32. database = $dir]index.txt # database index file.
  33. #unique_subject = no # Set to 'no' to allow creation of
  34. # several ctificates with same subject.
  35. new_certs_dir = $dir.newcerts] # default place for new certs.
  36. certificate = $dir]cacert.pem # The CA certificate
  37. serial = $dir]serial. # The current serial number
  38. crlnumber = $dir]crlnumber. # the current crl number
  39. # must be commented out to leave a V1 CRL
  40. crl = $dir]crl.pem # The current CRL
  41. private_key = $dir.private]cakey.pem# The private key
  42. RANDFILE = $dir.private].rand # private random number file
  43. x509_extensions = usr_cert # The extentions to add to the cert
  44. # Comment out the following two lines for the "traditional"
  45. # (and highly broken) format.
  46. name_opt = ca_default # Subject Name options
  47. cert_opt = ca_default # Certificate field options
  48. # Extension copying option: use with caution.
  49. # copy_extensions = copy
  50. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  51. # so this is commented out by default to leave a V1 CRL.
  52. # crlnumber must also be commented out to leave a V1 CRL.
  53. # crl_extensions = crl_ext
  54. default_days = 365 # how long to certify for
  55. default_crl_days= 30 # how long before next CRL
  56. default_md = sha1 # which md to use.
  57. preserve = no # keep passed DN ordering
  58. # A few difference way of specifying how similar the request should look
  59. # For type CA, the listed attributes must be the same, and the optional
  60. # and supplied fields are just that :-)
  61. policy = policy_match
  62. # For the CA policy
  63. [ policy_match ]
  64. countryName = match
  65. stateOrProvinceName = match
  66. organizationName = match
  67. organizationalUnitName = optional
  68. commonName = supplied
  69. emailAddress = optional
  70. # For the 'anything' policy
  71. # At this point in time, you must list all acceptable 'object'
  72. # types.
  73. [ policy_anything ]
  74. countryName = optional
  75. stateOrProvinceName = optional
  76. localityName = optional
  77. organizationName = optional
  78. organizationalUnitName = optional
  79. commonName = supplied
  80. emailAddress = optional
  81. ####################################################################
  82. [ req ]
  83. default_bits = 1024
  84. default_keyfile = privkey.pem
  85. distinguished_name = req_distinguished_name
  86. attributes = req_attributes
  87. x509_extensions = v3_ca # The extentions to add to the self signed cert
  88. # Passwords for private keys if not present they will be prompted for
  89. # input_password = secret
  90. # output_password = secret
  91. # This sets a mask for permitted string types. There are several options.
  92. # default: PrintableString, T61String, BMPString.
  93. # pkix : PrintableString, BMPString.
  94. # utf8only: only UTF8Strings.
  95. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  96. # MASK:XXXX a literal mask value.
  97. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  98. # so use this option with caution!
  99. string_mask = nombstr
  100. # req_extensions = v3_req # The extensions to add to a certificate request
  101. [ req_distinguished_name ]
  102. countryName = Country Name (2 letter code)
  103. countryName_default = AU
  104. countryName_min = 2
  105. countryName_max = 2
  106. stateOrProvinceName = State or Province Name (full name)
  107. stateOrProvinceName_default = Some-State
  108. localityName = Locality Name (eg, city)
  109. 0.organizationName = Organization Name (eg, company)
  110. 0.organizationName_default = Internet Widgits Pty Ltd
  111. # we can do this but it is not needed normally :-)
  112. #1.organizationName = Second Organization Name (eg, company)
  113. #1.organizationName_default = World Wide Web Pty Ltd
  114. organizationalUnitName = Organizational Unit Name (eg, section)
  115. #organizationalUnitName_default =
  116. commonName = Common Name (e.g. server FQDN or YOUR name)
  117. commonName_max = 64
  118. emailAddress = Email Address
  119. emailAddress_max = 64
  120. # SET-ex3 = SET extension number 3
  121. [ req_attributes ]
  122. challengePassword = A challenge password
  123. challengePassword_min = 4
  124. challengePassword_max = 20
  125. unstructuredName = An optional company name
  126. [ usr_cert ]
  127. # These extensions are added when 'ca' signs a request.
  128. # This goes against PKIX guidelines but some CAs do it and some software
  129. # requires this to avoid interpreting an end user certificate as a CA.
  130. basicConstraints=CA:FALSE
  131. # Here are some examples of the usage of nsCertType. If it is omitted
  132. # the certificate can be used for anything *except* object signing.
  133. # This is OK for an SSL server.
  134. # nsCertType = server
  135. # For an object signing certificate this would be used.
  136. # nsCertType = objsign
  137. # For normal client use this is typical
  138. # nsCertType = client, email
  139. # and for everything including object signing:
  140. # nsCertType = client, email, objsign
  141. # This is typical in keyUsage for a client certificate.
  142. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  143. # This will be displayed in Netscape's comment listbox.
  144. nsComment = "OpenSSL Generated Certificate"
  145. # PKIX recommendations harmless if included in all certificates.
  146. subjectKeyIdentifier=hash
  147. authorityKeyIdentifier=keyid,issuer
  148. # This stuff is for subjectAltName and issuerAltname.
  149. # Import the email address.
  150. # subjectAltName=email:copy
  151. # An alternative to produce certificates that aren't
  152. # deprecated according to PKIX.
  153. # subjectAltName=email:move
  154. # Copy subject details
  155. # issuerAltName=issuer:copy
  156. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  157. #nsBaseUrl
  158. #nsRevocationUrl
  159. #nsRenewalUrl
  160. #nsCaPolicyUrl
  161. #nsSslServerName
  162. [ v3_req ]
  163. # Extensions to add to a certificate request
  164. basicConstraints = CA:FALSE
  165. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  166. [ v3_ca ]
  167. # Extensions for a typical CA
  168. # PKIX recommendation.
  169. subjectKeyIdentifier=hash
  170. authorityKeyIdentifier=keyid:always,issuer:always
  171. # This is what PKIX recommends but some broken software chokes on critical
  172. # extensions.
  173. #basicConstraints = critical,CA:true
  174. # So we do this instead.
  175. basicConstraints = CA:true
  176. # Key usage: this is typical for a CA certificate. However since it will
  177. # prevent it being used as an test self-signed certificate it is best
  178. # left out by default.
  179. # keyUsage = cRLSign, keyCertSign
  180. # Some might want this also
  181. # nsCertType = sslCA, emailCA
  182. # Include email address in subject alt name: another PKIX recommendation
  183. # subjectAltName=email:copy
  184. # Copy issuer details
  185. # issuerAltName=issuer:copy
  186. # DER hex encoding of an extension: beware experts only!
  187. # obj=DER:02:03
  188. # Where 'obj' is a standard or added object
  189. # You can even override a supported extension:
  190. # basicConstraints= critical, DER:30:03:01:01:FF
  191. [ crl_ext ]
  192. # CRL extensions.
  193. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  194. # issuerAltName=issuer:copy
  195. authorityKeyIdentifier=keyid:always,issuer:always
  196. [ proxy_cert_ext ]
  197. # These extensions should be added when creating a proxy certificate
  198. # This goes against PKIX guidelines but some CAs do it and some software
  199. # requires this to avoid interpreting an end user certificate as a CA.
  200. basicConstraints=CA:FALSE
  201. # Here are some examples of the usage of nsCertType. If it is omitted
  202. # the certificate can be used for anything *except* object signing.
  203. # This is OK for an SSL server.
  204. # nsCertType = server
  205. # For an object signing certificate this would be used.
  206. # nsCertType = objsign
  207. # For normal client use this is typical
  208. # nsCertType = client, email
  209. # and for everything including object signing:
  210. # nsCertType = client, email, objsign
  211. # This is typical in keyUsage for a client certificate.
  212. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  213. # This will be displayed in Netscape's comment listbox.
  214. nsComment = "OpenSSL Generated Certificate"
  215. # PKIX recommendations harmless if included in all certificates.
  216. subjectKeyIdentifier=hash
  217. authorityKeyIdentifier=keyid,issuer:always
  218. # This stuff is for subjectAltName and issuerAltname.
  219. # Import the email address.
  220. # subjectAltName=email:copy
  221. # An alternative to produce certificates that aren't
  222. # deprecated according to PKIX.
  223. # subjectAltName=email:move
  224. # Copy subject details
  225. # issuerAltName=issuer:copy
  226. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  227. #nsBaseUrl
  228. #nsRevocationUrl
  229. #nsRenewalUrl
  230. #nsCaPolicyUrl
  231. #nsSslServerName
  232. # This really needs to be in place for it to be a proxy certificate.
  233. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo