X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fopenssl.cnf;h=1c0d5f0e3c701395840721ca75a2eb481d26b854;hp=27abc08bad1a53079790171e153ddc04aea193b2;hb=1e44804e3308e9a40b882e09e87d0f241b7d55ca;hpb=b2347661cef9447600a77b33575639a1bce6725c diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 27abc08bad..1c0d5f0e3c 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -5,6 +5,22 @@ RANDFILE = $ENV::HOME/.rnd oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 #################################################################### [ ca ] @@ -26,6 +42,11 @@ private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crl_extensions = crl_ext + default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. @@ -92,7 +113,7 @@ commonName_max = 64 emailAddress = Email Address emailAddress_max = 40 -SET-ex3 = SET extension number 3 +# SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password @@ -114,20 +135,34 @@ basicConstraints=CA:FALSE # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. -#nsCertType = server +# nsCertType = server # For an object signing certificate this would be used. -#nsCertType = objsign +# nsCertType = objsign # For normal client use this is typical -#nsCertType = client, email +# nsCertType = client, email -# This is typical also +# and for everything including object signing: +# nsCertType = client, email, objsign -keyUsage = nonRepudiation, digitalSignature, keyEncipherment +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment +# This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy + +# Copy subject details +# issuerAltName=issuer:copy + #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl @@ -139,15 +174,41 @@ nsComment = "OpenSSL Generated Certificate" # Extensions for a typical CA -# It's a CA certificate -basicConstraints = CA:true + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true -# Key usage: again this should really be critical. -keyUsage = cRLSign, keyCertSign +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign # Some might want this also -#nsCertType = sslCA, emailCA +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# RAW DER hex encoding of an extension: beware experts only! +# 1.2.3.5=RAW:02:03 +# You can even override a supported extension: +# basicConstraints= critical, RAW:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always