X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=apps%2Fopenssl-vms.cnf;h=e64cc9f3a634a45dfa06bdac5689ce6d0392e232;hb=8baa49aeac0d51504b8bcd0fd5c750c17af6fe62;hp=51a296b2d857da4cee6526c0cd473e968d7b2313;hpb=2cc7acd273bc39f1360aed52400d18bb65b88a95;p=openssl.git diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index 51a296b2d8..e64cc9f3a6 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf @@ -3,10 +3,13 @@ # This is mostly being used for generation of certificate requests. # +# Note that you can include other files from the main configuration +# file using the .include directive. +#.include filename + # This definition stops the following lines choking if HOME isn't # defined. HOME = . -RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid @@ -15,7 +18,7 @@ oid_section = new_oids # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: -# extensions = +# extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) @@ -53,7 +56,6 @@ crlnumber = $dir]crlnumber. # the current crl number # must be commented out to leave a V1 CRL crl = $dir]crl.pem # The current CRL private_key = $dir.private]cakey.pem# The private key -RANDFILE = $dir.private].rand # private random number file x509_extensions = usr_cert # The extensions to add to the cert @@ -113,7 +115,7 @@ x509_extensions = v3_ca # The extensions to add to the self signed cert # input_password = secret # output_password = secret -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString (PKIX recommendation before 2004) # utf8only: only UTF8Strings (PKIX recommendation after 2004). @@ -233,11 +235,7 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true +basicConstraints = critical,CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best @@ -335,8 +333,7 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate certs = $dir.cacert.pem] # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) -signer_digest = sha1 # Signing digest to use. (Optional) - +signer_digest = sha256 # Signing digest to use. (Optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) @@ -349,3 +346,5 @@ tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = no # Must the ESS cert id chain be included? # (optional, default: no) +ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1)