X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=apps%2Fopenssl-vms.cnf;h=a3ca3930184d49a10b51c1ada98ade97643bb473;hb=d201dbc9a4d4ce7fd1f7ffc8f499cf261ba5e72a;hp=20ed61bc3e4deca99f108a104fbda4d2ecf2c485;hpb=ef236ec3b26300c0a18872c432122a74f9d5459e;p=openssl.git diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index 20ed61bc3e..a3ca393018 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf @@ -44,7 +44,7 @@ certs = $dir.certs] # Where the issued certs are kept crl_dir = $dir.crl] # Where the issued crl are kept database = $dir]index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. + # several certs with same subject. new_certs_dir = $dir.newcerts] # default place for new certs. certificate = $dir]cacert.pem # The CA certificate @@ -55,7 +55,7 @@ crl = $dir]crl.pem # The current CRL private_key = $dir.private]cakey.pem# The private key RANDFILE = $dir.private].rand # private random number file -x509_extensions = usr_cert # The extentions to add to the cert +x509_extensions = usr_cert # The extensions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. @@ -103,11 +103,11 @@ emailAddress = optional #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert +x509_extensions = v3_ca # The extensions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret @@ -145,7 +145,7 @@ localityName = Locality Name (eg, city) organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = -commonName = Common Name (eg, YOUR name) +commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 emailAddress = Email Address @@ -233,11 +233,7 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true +basicConstraints = critical,CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best @@ -335,11 +331,11 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate certs = $dir.cacert.pem] # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) - +signer_digest = sha256 # Signing digest to use. (Optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -digests = md5, sha1 # Acceptable message digests (mandatory) +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) accuracy = secs:1, millisecs:500, microsecs:100 # (optional) clock_precision_digits = 0 # number of digits after dot. (optional) ordering = yes # Is ordering defined for timestamps? @@ -348,3 +344,5 @@ tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = no # Must the ESS cert id chain be included? # (optional, default: no) +ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1)