Index: openssl/apps/openssl.cnf |
diff --git a/openssl/apps/openssl.cnf b/openssl/apps/openssl.cnf |
deleted file mode 100644 |
index 18760c6e673d76ea7d83995e7b6dc5ec48839adb..0000000000000000000000000000000000000000 |
--- a/openssl/apps/openssl.cnf |
+++ /dev/null |
@@ -1,350 +0,0 @@ |
-# |
-# OpenSSL example configuration file. |
-# This is mostly being used for generation of certificate requests. |
-# |
- |
-# This definition stops the following lines choking if HOME isn't |
-# defined. |
-HOME = . |
-RANDFILE = $ENV::HOME/.rnd |
- |
-# Extra OBJECT IDENTIFIER info: |
-#oid_file = $ENV::HOME/.oid |
-oid_section = new_oids |
- |
-# To use this configuration file with the "-extfile" option of the |
-# "openssl x509" utility, name here the section containing the |
-# X.509v3 extensions to use: |
-# extensions = |
-# (Alternatively, use a configuration file that has only |
-# X.509v3 extensions in its main [= default] section.) |
- |
-[ new_oids ] |
- |
-# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. |
-# Add a simple OID like this: |
-# testoid1=1.2.3.4 |
-# Or use config file substitution like this: |
-# testoid2=${testoid1}.5.6 |
- |
-# Policies used by the TSA examples. |
-tsa_policy1 = 1.2.3.4.1 |
-tsa_policy2 = 1.2.3.4.5.6 |
-tsa_policy3 = 1.2.3.4.5.7 |
- |
-#################################################################### |
-[ ca ] |
-default_ca = CA_default # The default ca section |
- |
-#################################################################### |
-[ CA_default ] |
- |
-dir = ./demoCA # Where everything is kept |
-certs = $dir/certs # Where the issued certs are kept |
-crl_dir = $dir/crl # Where the issued crl are kept |
-database = $dir/index.txt # database index file. |
-#unique_subject = no # Set to 'no' to allow creation of |
- # several ctificates with same subject. |
-new_certs_dir = $dir/newcerts # default place for new certs. |
- |
-certificate = $dir/cacert.pem # The CA certificate |
-serial = $dir/serial # The current serial number |
-crlnumber = $dir/crlnumber # the current crl number |
- # must be commented out to leave a V1 CRL |
-crl = $dir/crl.pem # The current CRL |
-private_key = $dir/private/cakey.pem# The private key |
-RANDFILE = $dir/private/.rand # private random number file |
- |
-x509_extensions = usr_cert # The extentions to add to the cert |
- |
-# Comment out the following two lines for the "traditional" |
-# (and highly broken) format. |
-name_opt = ca_default # Subject Name options |
-cert_opt = ca_default # Certificate field options |
- |
-# Extension copying option: use with caution. |
-# copy_extensions = copy |
- |
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs |
-# so this is commented out by default to leave a V1 CRL. |
-# crlnumber must also be commented out to leave a V1 CRL. |
-# crl_extensions = crl_ext |
- |
-default_days = 365 # how long to certify for |
-default_crl_days= 30 # how long before next CRL |
-default_md = default # use public key default MD |
-preserve = no # keep passed DN ordering |
- |
-# A few difference way of specifying how similar the request should look |
-# For type CA, the listed attributes must be the same, and the optional |
-# and supplied fields are just that :-) |
-policy = policy_match |
- |
-# For the CA policy |
-[ policy_match ] |
-countryName = match |
-stateOrProvinceName = match |
-organizationName = match |
-organizationalUnitName = optional |
-commonName = supplied |
-emailAddress = optional |
- |
-# For the 'anything' policy |
-# At this point in time, you must list all acceptable 'object' |
-# types. |
-[ policy_anything ] |
-countryName = optional |
-stateOrProvinceName = optional |
-localityName = optional |
-organizationName = optional |
-organizationalUnitName = optional |
-commonName = supplied |
-emailAddress = optional |
- |
-#################################################################### |
-[ req ] |
-default_bits = 1024 |
-default_keyfile = privkey.pem |
-distinguished_name = req_distinguished_name |
-attributes = req_attributes |
-x509_extensions = v3_ca # The extentions to add to the self signed cert |
- |
-# Passwords for private keys if not present they will be prompted for |
-# input_password = secret |
-# output_password = secret |
- |
-# This sets a mask for permitted string types. There are several options. |
-# default: PrintableString, T61String, BMPString. |
-# pkix : PrintableString, BMPString (PKIX recommendation before 2004) |
-# utf8only: only UTF8Strings (PKIX recommendation after 2004). |
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). |
-# MASK:XXXX a literal mask value. |
-# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. |
-string_mask = utf8only |
- |
-# req_extensions = v3_req # The extensions to add to a certificate request |
- |
-[ req_distinguished_name ] |
-countryName = Country Name (2 letter code) |
-countryName_default = AU |
-countryName_min = 2 |
-countryName_max = 2 |
- |
-stateOrProvinceName = State or Province Name (full name) |
-stateOrProvinceName_default = Some-State |
- |
-localityName = Locality Name (eg, city) |
- |
-0.organizationName = Organization Name (eg, company) |
-0.organizationName_default = Internet Widgits Pty Ltd |
- |
-# we can do this but it is not needed normally :-) |
-#1.organizationName = Second Organization Name (eg, company) |
-#1.organizationName_default = World Wide Web Pty Ltd |
- |
-organizationalUnitName = Organizational Unit Name (eg, section) |
-#organizationalUnitName_default = |
- |
-commonName = Common Name (e.g. server FQDN or YOUR name) |
-commonName_max = 64 |
- |
-emailAddress = Email Address |
-emailAddress_max = 64 |
- |
-# SET-ex3 = SET extension number 3 |
- |
-[ req_attributes ] |
-challengePassword = A challenge password |
-challengePassword_min = 4 |
-challengePassword_max = 20 |
- |
-unstructuredName = An optional company name |
- |
-[ usr_cert ] |
- |
-# These extensions are added when 'ca' signs a request. |
- |
-# This goes against PKIX guidelines but some CAs do it and some software |
-# requires this to avoid interpreting an end user certificate as a CA. |
- |
-basicConstraints=CA:FALSE |
- |
-# Here are some examples of the usage of nsCertType. If it is omitted |
-# the certificate can be used for anything *except* object signing. |
- |
-# This is OK for an SSL server. |
-# nsCertType = server |
- |
-# For an object signing certificate this would be used. |
-# nsCertType = objsign |
- |
-# For normal client use this is typical |
-# nsCertType = client, email |
- |
-# and for everything including object signing: |
-# nsCertType = client, email, objsign |
- |
-# This is typical in keyUsage for a client certificate. |
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
- |
-# This will be displayed in Netscape's comment listbox. |
-nsComment = "OpenSSL Generated Certificate" |
- |
-# PKIX recommendations harmless if included in all certificates. |
-subjectKeyIdentifier=hash |
-authorityKeyIdentifier=keyid,issuer |
- |
-# This stuff is for subjectAltName and issuerAltname. |
-# Import the email address. |
-# subjectAltName=email:copy |
-# An alternative to produce certificates that aren't |
-# deprecated according to PKIX. |
-# subjectAltName=email:move |
- |
-# Copy subject details |
-# issuerAltName=issuer:copy |
- |
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem |
-#nsBaseUrl |
-#nsRevocationUrl |
-#nsRenewalUrl |
-#nsCaPolicyUrl |
-#nsSslServerName |
- |
-# This is required for TSA certificates. |
-# extendedKeyUsage = critical,timeStamping |
- |
-[ v3_req ] |
- |
-# Extensions to add to a certificate request |
- |
-basicConstraints = CA:FALSE |
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
- |
-[ v3_ca ] |
- |
- |
-# Extensions for a typical CA |
- |
- |
-# PKIX recommendation. |
- |
-subjectKeyIdentifier=hash |
- |
-authorityKeyIdentifier=keyid:always,issuer |
- |
-# This is what PKIX recommends but some broken software chokes on critical |
-# extensions. |
-#basicConstraints = critical,CA:true |
-# So we do this instead. |
-basicConstraints = CA:true |
- |
-# Key usage: this is typical for a CA certificate. However since it will |
-# prevent it being used as an test self-signed certificate it is best |
-# left out by default. |
-# keyUsage = cRLSign, keyCertSign |
- |
-# Some might want this also |
-# nsCertType = sslCA, emailCA |
- |
-# Include email address in subject alt name: another PKIX recommendation |
-# subjectAltName=email:copy |
-# Copy issuer details |
-# issuerAltName=issuer:copy |
- |
-# DER hex encoding of an extension: beware experts only! |
-# obj=DER:02:03 |
-# Where 'obj' is a standard or added object |
-# You can even override a supported extension: |
-# basicConstraints= critical, DER:30:03:01:01:FF |
- |
-[ crl_ext ] |
- |
-# CRL extensions. |
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. |
- |
-# issuerAltName=issuer:copy |
-authorityKeyIdentifier=keyid:always |
- |
-[ proxy_cert_ext ] |
-# These extensions should be added when creating a proxy certificate |
- |
-# This goes against PKIX guidelines but some CAs do it and some software |
-# requires this to avoid interpreting an end user certificate as a CA. |
- |
-basicConstraints=CA:FALSE |
- |
-# Here are some examples of the usage of nsCertType. If it is omitted |
-# the certificate can be used for anything *except* object signing. |
- |
-# This is OK for an SSL server. |
-# nsCertType = server |
- |
-# For an object signing certificate this would be used. |
-# nsCertType = objsign |
- |
-# For normal client use this is typical |
-# nsCertType = client, email |
- |
-# and for everything including object signing: |
-# nsCertType = client, email, objsign |
- |
-# This is typical in keyUsage for a client certificate. |
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
- |
-# This will be displayed in Netscape's comment listbox. |
-nsComment = "OpenSSL Generated Certificate" |
- |
-# PKIX recommendations harmless if included in all certificates. |
-subjectKeyIdentifier=hash |
-authorityKeyIdentifier=keyid,issuer |
- |
-# This stuff is for subjectAltName and issuerAltname. |
-# Import the email address. |
-# subjectAltName=email:copy |
-# An alternative to produce certificates that aren't |
-# deprecated according to PKIX. |
-# subjectAltName=email:move |
- |
-# Copy subject details |
-# issuerAltName=issuer:copy |
- |
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem |
-#nsBaseUrl |
-#nsRevocationUrl |
-#nsRenewalUrl |
-#nsCaPolicyUrl |
-#nsSslServerName |
- |
-# This really needs to be in place for it to be a proxy certificate. |
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo |
- |
-#################################################################### |
-[ tsa ] |
- |
-default_tsa = tsa_config1 # the default TSA section |
- |
-[ tsa_config1 ] |
- |
-# These are used by the TSA reply generation only. |
-dir = ./demoCA # TSA root directory |
-serial = $dir/tsaserial # The current serial number (mandatory) |
-crypto_device = builtin # OpenSSL engine to use for signing |
-signer_cert = $dir/tsacert.pem # The TSA signing certificate |
- # (optional) |
-certs = $dir/cacert.pem # Certificate chain to include in reply |
- # (optional) |
-signer_key = $dir/private/tsakey.pem # The TSA private key (optional) |
- |
-default_policy = tsa_policy1 # Policy if request did not specify it |
- # (optional) |
-other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) |
-digests = md5, sha1 # Acceptable message digests (mandatory) |
-accuracy = secs:1, millisecs:500, microsecs:100 # (optional) |
-clock_precision_digits = 0 # number of digits after dot. (optional) |
-ordering = yes # Is ordering defined for timestamps? |
- # (optional, default: no) |
-tsa_name = yes # Must the TSA name be included in the reply? |
- # (optional, default: no) |
-ess_cert_id_chain = no # Must the ESS cert id chain be included? |
- # (optional, default: no) |