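# OpenSSL configuration (openssl.cnf style) read by "openssl ca", "openssl req"
# and the x509v3 extension code. Sections are referenced by name from the
# default_ca / x509_extensions / policy / distinguished_name keys below.
#
# NOTE(review): the three keys before the first [ ca ] header continue a
# section whose header lies above this excerpt; they appear to be the default
# (unnamed) section that "openssl ca" falls back to for any key missing from a
# named ca section — confirm against the top of the file. The variables
# $nsBaseUrl_def, $nsRevocationUrl_def and $admin_email are expanded from
# definitions that are also outside this excerpt.
#
# Changes made in this revision (security review):
#  * default_md: md5 -> sha256 in every ca section. MD5 is collision-broken,
#    chosen-prefix collisions have been used to forge CA-signed certificates,
#    and current TLS stacks reject MD5 certificate signatures. sha256 requires
#    OpenSSL >= 0.9.8.
#  * [ req ] default_bits: 1024 -> 2048. 1024-bit RSA is below the accepted
#    minimum for signing keys.
#  * [ x509v3_ext_server ]: basicConstraints = CA:FALSE enabled, matching the
#    client extensions, so an end-entity server certificate is explicitly not
#    an issuing CA.
# OpenSSL strips whitespace around "=" and treats "#" as a comment marker, so
# the key spacing below is cosmetic only.

# how long to certify for (days)
default_days = 365
# how long before next CRL (days)
default_crl_days = 90
# message digest used for signing (was md5 — see header)
default_md = sha256

####################################################################
[ ca ]
# The default ca section used when "openssl ca" is run without -name
default_ca = CA

####################################################################
# Master - CA Section (for the CA Cert)
################################
[ CA ]
# keep passed DN ordering
preserve = no
# The extensions to add to the cert
x509_extensions = x509v3_ext_root_ca
# all DN fields have to match the CA certificate (see policy_ca)
policy = policy_ca
# 2 years
default_days = 730
# NOTE(review): dir/database/serial/certificate/private_key are not set in
# this section, so they must come from the default section above — confirm.

[ x509v3_ext_root_ca ]
#basicConstraints = CA:true
# RFC 5280 requires basicConstraints in every CA certificate and requires it
# to be marked critical. The original author noted that a critical extension
# did not work with Microsoft products of the time; keep it critical unless
# such a legacy client must consume this CA certificate.
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
# the CA key may only sign certificates and CRLs
keyUsage = cRLSign, keyCertSign
subjectAltName = email:copy
nsCertType = sslCA, emailCA, objCA
nsBaseUrl = $nsBaseUrl_def
nsCaPolicyUrl = policy.html
#nsComment = "TESTING ONLY - do not use !"
#nsCaRevocationUrl = "https://????/CA/ca-revocation"
#nsRenewalUrl = "cgi/check-renw.cgi?"

####################################################################
# CA - Sign Section - maybe for certifying Sub-CAs
# (select with "openssl ca -name signca")
#################################
[ signca ]
# keep passed DN ordering
preserve = no
# The extensions to add to the cert
x509_extensions = x509v3_ext_root_sign_ca
# NOTE(review): policy_anything lets a sub-CA request carry any subject;
# a stricter policy (e.g. policy_ca) may be intended for sub-CA issuance.
policy = policy_anything

[ x509v3_ext_root_sign_ca ]
#basicConstraints = CA:true
# critical CA:true — this issues certificates that can themselves sign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign, keyCertSign
subjectAltName = email:copy
issuerAltName = issuer:copy
#nsCaPolicyUrl = "policy.html"
#nsRevocationUrl = "cgi/check-rev.cgi?"
#nsCaRevocationUrl = "https://??????CA//ca-revocation"
#nsRenewalUrl = "cgi/check-renw.cgi?"
#nsComment = "TESTING ONLY - do not use !"

####################################################################
# Server Section (select with "openssl ca -name server")
###################################
[ server ]
x509_extensions = x509v3_ext_server
default_days = 365
default_crl_days = 90
# was md5 — see header
default_md = sha256
preserve = no
policy = policy_tfh

[ x509v3_ext_server ]
# end-entity certificate: must not be usable as an issuer
basicConstraints = CA:FALSE
# SSL-Server
nsCertType = server
subjectAltName = email:copy
issuerAltName = issuer:copy
#nsCaPolicyUrl = "http://?????????/CA/policy.html"
nsBaseUrl = $nsBaseUrl_def
nsRevocationUrl = $nsRevocationUrl_def
#nsRenewalUrl = "cgi/check-renw.cgi?"
#nsComment = "TESTING ONLY - do not use !"

####################################################################
# Client Section (select with "openssl ca -name client")
###################################
[ client ]
x509_extensions = x509v3_ext_client
default_days = 365
default_crl_days = 90
# was md5 — see header
default_md = sha256
preserve = no
policy = policy_anything

[ x509v3_ext_client ]
# end-entity certificate: must not be usable as an issuer
basicConstraints = CA:FALSE
# SSL Client
nsCertType = client, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#keyUsage = digitalSignature, keyEncipherment
subjectAltName = email:copy
issuerAltName = issuer:copy
#nsCaPolicyUrl = "http://?????/CA/policy.html"
nsBaseUrl = $nsBaseUrl_def
nsRevocationUrl = $nsRevocationUrl_def
#nsRenewalUrl = "cgi/check-renw.cgi?"
# NOTE: this comment is embedded in every issued client certificate;
# it is left active as in the original file — remove it for production use.
nsComment = "TESTING ONLY - do not use !"

####################################################################
# CA Policies Section
# match    = field must equal the CA certificate's field
# supplied = field must be present in the request
# optional = field may be present
# Per the "openssl ca" manual, DN fields not listed in the selected policy
# are silently dropped from the issued subject (unless -preserveDN is used).
###################################
# For the CA policy
####################
[ policy_ca ]
countryName = match
localityName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = match
emailAddress = match

# For SSL-Servers...
# (localityName is not listed here, so it is dropped from server subjects)
###########################
[ policy_tfh ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied

# For the 'anything' policy
############################
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied

####################################################################
# Certificate Requests Section (read by "openssl req")
###################################
[ req ]
# RSA key size for newly generated keys (was 1024 — see header)
default_bits = 2048
#default_keyfile = XXX-you-have-to-specify-a-key-XXX.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
default_days = 365

[ req_distinguished_name ]
# Here are the values/defaults for the certificate requests:
# <field>          = prompt text
# <field>_default  = value offered at the prompt
# <field>_max/_min = length limits
# NOTE(review): the "<field>_value" keys are presumably taken as fixed values
# without prompting — verify against the OpenSSL version in use.
countryName = Country code (2 letter code)
countryName_value = "DE"
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ""
localityName = Locality Name
localityName_value = ""
0.organizationName = Organization Name
0.organizationName_value = "OpenSSL 0.9.3 Testsuite"
#1.organizationName* may follow here
organizationalUnitName = Organizational Unit Name
organizationalUnitName_value = "Unit"
commonName = Common Name (SSL: Servername FQDN)
commonName_max = 64
commonName_default = ""
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = $admin_email
SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

# Not referenced by any x509_extensions key in this excerpt; kept for reference.
[ x509v3_extensions ]
# under ASN.1, the 0 bit would be encoded as 80
#nsBaseUrl
#nsRenewalUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType
#nsComment = "TESTING ONLY - do not use !"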