Run util/openssl-format-source -v -c .

[openssl.git] / demos / certs / ca.cnf

diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
index a1b6bd799e87124d9530ac243d02d2fe5f69d6dc..5a8a5f29ef51d196fd078341635c5fc2a3f4a121 100644 (file)
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -7,6 +7,7 @@
 HOME                   = .
 RANDFILE               = $ENV::HOME/.rnd
 CN                     = "Not Defined"
+default_ca             = ca
 
 ####################################################################
 [ req ]
@@ -15,7 +16,7 @@ default_keyfile       = privkey.pem
 # Don't prompt for fields: use those in section directly
 prompt                 = no
 distinguished_name     = req_distinguished_name
-x509_extensions        = v3_ca # The extentions to add to the self signed cert
+x509_extensions        = v3_ca # The extensions to add to the self signed cert
 string_mask = utf8only
 
 # req_extensions = v3_req # The extensions to add to a certificate request
@@ -41,6 +42,19 @@ nsComment                    = "OpenSSL Generated Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
+# OCSP responder certificate
+[ ocsp_cert ]
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                      = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+extendedKeyUsage=OCSPSigning
 
 [ dh_cert ]
 
@@ -66,4 +80,7 @@ authorityKeyIdentifier=keyid:always
 basicConstraints = critical,CA:true
 keyUsage = critical, cRLSign, keyCertSign
 
-
+# Minimal CA entry to allow generation of CRLs.
+[ca]
+database=index.txt
+crlnumber=crlnum.txt