X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=apps%2Fopenssl.cnf;h=41c2a37426c21f32d020ad8e951c929cdb979e67;hb=54180592d7259382bd6ed1198cdbcb0b3be50749;hp=a620b98cf78a18ca1c5a0220768726c6497890d6;hpb=c7235be6e36c4bef84594aa3b2f0561db84b63d8;p=openssl.git diff --git a/apps/openssl.cnf b/apps/openssl.cnf index a620b98cf7..41c2a37426 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -44,7 +44,7 @@ certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. + # several certs with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate @@ -55,7 +55,7 @@ crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file -x509_extensions = usr_cert # The extentions to add to the cert +x509_extensions = usr_cert # The extensions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. @@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha1 # which md to use. +default_md = default # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look @@ -103,11 +103,11 @@ emailAddress = optional #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert +x509_extensions = v3_ca # The extensions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret @@ -145,7 +145,7 @@ localityName = Locality Name (eg, city) organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = -commonName = Common Name (eg, YOUR name) +commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 emailAddress = Email Address @@ -212,7 +212,7 @@ authorityKeyIdentifier=keyid,issuer #nsSslServerName # This is required for TSA certificates. -extendedKeyUsage = critical,timeStamping +# extendedKeyUsage = critical,timeStamping [ v3_req ] @@ -231,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. @@ -264,7 +264,7 @@ basicConstraints = CA:true # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier=keyid:always [ proxy_cert_ext ] # These extensions should be added when creating a proxy certificate @@ -297,7 +297,7 @@ nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address.