# openssl.cnf - VSD OpenSSL configuration. # HOME = . RANDFILE = $ENV::HOME/.rnd #################################################################### [ ca ] default_ca = CA_default # The root ca section template_ca = CA_template # The template ca section #################################################################### [ CA_default ] dir = @vsdconfdir@/ca # Where CA stuff is kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. preserve = no # keep passed DN ordering policy = policy_match certs = @vsdconfdir@/ssl.crt # issued certs crls = @vsdconfdir@/ssl.crl # issued crls keys = @vsdconfdir@/ssl.key # issued crls cacerts = @vsdconfdir@/ssl.crt # issued cacerts [ CA_template ] dir = @vsdconfdir@/ca # Where CA stuff is kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. preserve = no # keep passed DN ordering policy = policy_match certs = @vsdconfdir@/ssl.crt # issued certs crls = @vsdconfdir@/ssl.crl # issued crls keys = @vsdconfdir@/ssl.key # issued crls cacerts = @vsdconfdir@/ssl.crt # issued cacerts [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = UK countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = England localityName = Locality Name (eg, city) localityName_default = Manchester 0.organizationName = Organization Name (eg, company) 0.organizationName_default = VSD ISP organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = VSD CA commonName = Common Name (eg name) commonName_default = VSD CA commonName_max = 64 # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 #unstructuredName = An optional company name [ usr_cert ] basicConstraints=CA:FALSE nsComment = "VSD Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. keyUsage = cRLSign, keyCertSign [ crl_ext ] authorityKeyIdentifier=keyid:always,issuer:always