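#
# OpenSSL template configuration file.
#
# openssl.cnf: revision 1.2 (C) Alessandro Dotti Contra
#
# Read by the openssl(1) "ca" and "req" commands. Section names are referenced
# by value from other directives (default_ca, policy, distinguished_name,
# req_extensions), so rename a section only together with its references.
# "$dir" is expanded by the OpenSSL configuration parser, not by the shell.
#
# Changes from revision 1.2: signing digest md5 -> sha256, request key size
# 1024 -> 2048, and CA extensions aligned with RFC 5280 (critical
# basicConstraints plus keyUsage). Certificates issued with MD5 or SHA-1
# signatures, or 1024-bit keys, are rejected by current TLS clients.

#===============================================================================
# DIRECTIVES FOR THE CA APPLICATION
#===============================================================================

[ ca ]
# Default ca section to look for when invoked.
default_ca = CA_default

#===============================================================================
# DEFAULT CA OPTIONS
#===============================================================================

[ CA_default ]
# The default directory that ca reads from and writes to.
dir = .

# The serial number to use for the next certificate issued.
serial = $dir/serial

# A ``database index file''--an ASCII file with a line for every certificate
# issued.
database = $dir/index.txt

# A directory where a copy of each issued certificate is stored.
new_certs_dir = $dir/newcerts

# The name of the file that contains the certificate authority's certificate
# (the ``CA cert'') to be used in signing (or revoking, etc.) a cert.
certificate = $dir/cacert.pem

# The private key of the certificate authority that corresponds to the CA
# certificate referenced by the ``certificate'' attribute. Keep this file
# readable only by the CA operator; anyone who can read it can issue
# certificates that chain to this CA.
private_key = $dir/private/cakey.pem

# The default number of days a signed cert will be valid.
default_days = 365

# The message digest algorithm used to sign issued certificates and CRLs.
# Possible values include sha256, sha384 and sha512. Do not use md5 or sha1:
# MD5 is broken for collision resistance and SHA-1 is deprecated for
# certificate signatures.
default_md = sha256

# Indicates whether to preserve the order of the Distinguished Name (DN) fields
# to match the order passed in.
preserve = no

# The directory where issued CRLs are stored.
crl_dir = $dir

# The file name of the current certificate revocation list.
crl = $dir/crl.pem

# The period (in days) after which a CRL is not valid anymore.
default_crl_days = 365

# The name of the section that defines which fields are optional, supplied
# or which must match the CA certificate.
policy = policy_match

#===============================================================================
# ATTRIBUTES THAT MUST MATCH, MUST BE PROVIDED OR ARE OPTIONAL
#===============================================================================

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

#===============================================================================
# DIRECTIVES FOR THE REQ COMMAND
#===============================================================================

[ req ]
# The default key size in bits. 1024-bit RSA keys are no longer considered
# adequate; 2048 is the usual minimum.
default_bits = 2048

# The name of the file to which a newly generated private key will be written.
default_keyfile = key.pem

# Default message digest algorithm for signing the request (see the note on
# default_md in [ CA_default ]).
default_md = sha256

# A mask for permitted string types. nombstr excludes BMPString and UTF8String;
# newer deployments commonly use utf8only. Change it only if every consumer of
# the issued certificates accepts UTF8String subject fields.
string_mask = nombstr

# The name of the section file that defines the prompts used when asking the
# user for information needed to generate a cert.
distinguished_name = req_distinguished_name

# The name of the section that contains a list of extensions to add to a
# certificate request.
req_extensions = v3_req

#===============================================================================
# PROMPTS USED WHEN ASKING FOR THE INFORMATION NEEDED TO GENERATE A CERTIFICATE
#===============================================================================

[ req_distinguished_name ]
# Variable name                 Prompt string
#-------------------------------------------------------------------------------
organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
#
# Variable name                 Value
#-------------------------------------------------------------------------------
organizationName_default = The Sample Company
localityName_default = Metropolis
stateOrProvinceName_default = New York
countryName_default = US

#===============================================================================
# x509 CERTIFICATE EXTENSIONS
#===============================================================================

[ v3_ca ]
# Is this certificate valid as a certificate authority cert? RFC 5280 requires
# basicConstraints to be critical in CA certificates.
basicConstraints = critical, CA:TRUE

# What the CA key may be used for. Restricting it to certificate and CRL
# signing prevents the CA key from being accepted as an end-entity TLS key.
keyUsage = critical, keyCertSign, cRLSign

# Specifies how to identify the public key being certified.
subjectKeyIdentifier = hash

# Specifies how to identify the public key used to verify the signature on this
# certificate or certificate revocation list (CRL).
authorityKeyIdentifier = keyid:always,issuer:always

#===============================================================================
# DIRECTIVES USED BY THE REQ COMMAND WHEN IT REQUESTS CERTS
#===============================================================================

[ v3_req ]
# Is this certificate valid as a certificate authority cert?
basicConstraints = CA:FALSE

# Specifies how to identify the public key being certified.
subjectKeyIdentifier = hash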