Add support for signer_digest option in TS.

[openssl.git] / apps / openssl-vms.cnf

diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index 52ade566533039bc822b0010ce9c450dc8e48a44..ba6977c01cf62a89d660659e27930a4f5e002e83 100644 (file)
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -44,7 +44,7 @@ certs         = $dir.certs]           # Where the issued certs are kept
 crl_dir                = $dir.crl]             # Where the issued crl are kept
 database       = $dir]index.txt        # database index file.
 #unique_subject        = no                    # Set to 'no' to allow creation of
-                                       # several ctificates with same subject.
+                                       # several certs with same subject.
 new_certs_dir  = $dir.newcerts]                # default place for new certs.
 
 certificate    = $dir]cacert.pem       # The CA certificate
@@ -55,7 +55,7 @@ crl           = $dir]crl.pem          # The current CRL
 private_key    = $dir.private]cakey.pem# The private key
 RANDFILE       = $dir.private].rand    # private random number file
 
-x509_extensions        = usr_cert              # The extentions to add to the cert
+x509_extensions        = usr_cert              # The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -103,11 +103,11 @@ emailAddress              = optional
 
 ####################################################################
 [ req ]
-default_bits           = 1024
+default_bits           = 2048
 default_keyfile        = privkey.pem
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
-x509_extensions        = v3_ca # The extentions to add to the self signed cert
+x509_extensions        = v3_ca # The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
@@ -145,7 +145,7 @@ localityName                        = Locality Name (eg, city)
 organizationalUnitName         = Organizational Unit Name (eg, section)
 #organizationalUnitName_default        =
 
-commonName                     = Common Name (eg, YOUR name)
+commonName                     = Common Name (e.g. server FQDN or YOUR name)
 commonName_max                 = 64
 
 emailAddress                   = Email Address
@@ -231,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
 subjectKeyIdentifier=hash
 
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always,issuer
 
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
@@ -264,7 +264,7 @@ basicConstraints = CA:true
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
 # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
@@ -297,7 +297,7 @@ nsComment                   = "OpenSSL Generated Certificate"
 
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
@@ -335,6 +335,7 @@ signer_cert = $dir/tsacert.pem      # The TSA signing certificate
 certs          = $dir.cacert.pem]      # Certificate chain to include in reply
                                        # (optional)
 signer_key     = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha1                  # Signing digest to use. (Optional)
 
 default_policy = tsa_policy1           # Policy if request did not specify it
                                        # (optional)