#
-# SSLeay example configuration file.
+# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
RANDFILE = $ENV::HOME/.rnd
+oid_file = $ENV::HOME/.oid
####################################################################
[ ca ]
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
-x509_extensions = x509v3_extensions # The extentions to add to the cert
+x509_extensions = usr_cert # The extentions to add to the cert
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = CryptSoft Pty Ltd
+#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
emailAddress = Email Address
emailAddress_max = 40
+SET-ex3 = SET extension number 3
+
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
unstructuredName = An optional company name
-[ x509v3_extensions ]
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+#nsCertType = server
+
+# For an object signing certificate this would be used.
+#nsCertType = objsign
+
+# For normal client use this is typical
+#nsCertType = client, email
+
+# This is typical also
-nsCaRevocationUrl = http://www.cryptsoft.com/ca-crl.pem
-nsComment = "This is a comment"
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# under ASN.1, the 0 bit would be encoded as 80
-nsCertType = 0x40
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
-#nsCertSequence
-#nsCertExt
-#nsDataType
+[ v3_ca]
+
+# Extensions for a typical CA
+
+# It's a CA certificate
+basicConstraints = CA:true
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+
+# Key usage: again this should really be critical.
+keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+#nsCertType = sslCA, emailCA
+
+# RAW DER hex encoding of an extension: beware experts only!
+# 1.2.3.5=RAW:02:03
+# You can even override a supported extension:
+# basicConstraints= critical, RAW:30:03:01:01:FF
projects / openssl.git / blobdiff