source: TI12-security/trunk/java/axis2/xmlbWsseEchoClient/keys/openssl.cnf @ 4086

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/java/axis2/xmlbWsseEchoClient/keys/openssl.cnf@4086
Revision 4086, 7.6 KB checked in by cbyrom, 12 years ago (diff)

Fix client.properties file - change keystore type to 'jks' (cannot deal
with trusted certs with pkcs12) + remove unnecessary bouncy castle reference.

Line 
1#
2# OpenSSL example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6# This definition stops the following lines choking if HOME isn't
7# defined.
8HOME                    = .
9RANDFILE                = $ENV::HOME/.rnd
10
11# Extra OBJECT IDENTIFIER info:
12#oid_file               = $ENV::HOME/.oid
13oid_section             = new_oids
14
15# To use this configuration file with the "-extfile" option of the
16# "openssl x509" utility, name here the section containing the
17# X.509v3 extensions to use:
18# extensions            =
19# (Alternatively, use a configuration file that has only
20# X.509v3 extensions in its main [= default] section.)
21
22[ new_oids ]
23
24# We can add new OIDs in here for use by 'ca' and 'req'.
25# Add a simple OID like this:
26# testoid1=1.2.3.4
27# Or use config file substitution like this:
28# testoid2=${testoid1}.5.6
29
30####################################################################
31[ ca ]
32default_ca      = CA_default            # The default ca section
33
34####################################################################
35[ CA_default ]
36
37dir             = .                     # Where everything is kept
38certs           = $dir/certs            # Where the issued certs are kept
39crl_dir         = $dir/crl              # Where the issued crl are kept
40database        = $dir/index.txt        # database index file.
41#unique_subject = no                    # Set to 'no' to allow creation of
42                                        # several ctificates with same subject.
43new_certs_dir   = $dir                  # default place for new certs.
44
45certificate     = $dir/cacert.pem       # The CA certificate
46serial          = $dir/serial           # The current serial number
47#crlnumber      = $dir/crlnumber        # the current crl number must be
48                                        # commented out to leave a V1 CRL
49crl             = $dir/crl.pem          # The current CRL
50private_key     = $dir/cakey.pem# The private key
51RANDFILE        = $dir/private/.rand    # private random number file
52
53x509_extensions = usr_cert              # The extentions to add to the cert
54
55# Comment out the following two lines for the "traditional"
56# (and highly broken) format.
57name_opt        = ca_default            # Subject Name options
58cert_opt        = ca_default            # Certificate field options
59
60# Extension copying option: use with caution.
61# copy_extensions = copy
62
63# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
64# so this is commented out by default to leave a V1 CRL.
65# crlnumber must also be commented out to leave a V1 CRL.
66# crl_extensions        = crl_ext
67
68default_days    = 365                   # how long to certify for
69default_crl_days= 30                    # how long before next CRL
70default_md      = md5                   # which md to use.
71preserve        = no                    # keep passed DN ordering
72
73# A few difference way of specifying how similar the request should look
74# For type CA, the listed attributes must be the same, and the optional
75# and supplied fields are just that :-)
76policy          = policy_match
77
78# For the CA policy
79[ policy_match ]
80countryName             = match
81stateOrProvinceName     = match
82organizationName        = match
83organizationalUnitName  = optional
84commonName              = supplied
85emailAddress            = optional
86
87# For the 'anything' policy
88# At this point in time, you must list all acceptable 'object'
89# types.
90[ policy_anything ]
91countryName             = optional
92stateOrProvinceName     = optional
93localityName            = optional
94organizationName        = optional
95organizationalUnitName  = optional
96commonName              = supplied
97emailAddress            = optional
98
99####################################################################
100[ req ]
101default_bits            = 1024
102default_keyfile         = privkey.pem
103distinguished_name      = req_distinguished_name
104attributes              = req_attributes
105x509_extensions = v3_ca # The extentions to add to the self signed cert
106
107# Passwords for private keys if not present they will be prompted for
108# input_password = secret
109# output_password = secret
110
111# This sets a mask for permitted string types. There are several options.
112# default: PrintableString, T61String, BMPString.
113# pkix   : PrintableString, BMPString.
114# utf8only: only UTF8Strings.
115# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
116# MASK:XXXX a literal mask value.
117# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
118# so use this option with caution!
119string_mask = nombstr
120
121# req_extensions = v3_req # The extensions to add to a certificate request
122
123[ req_distinguished_name ]
124countryName                     = Country Name (2 letter code)
125countryName_default             = LK
126countryName_min                 = 2
127countryName_max                 = 2
128
129stateOrProvinceName             = State or Province Name (full name)
130stateOrProvinceName_default     = Some-State
131
132localityName                    = Locality Name (eg, city)
133
1340.organizationName              = Organization Name (eg, company)
1350.organizationName_default      = Internet Widgits Pty Ltd
136
137# we can do this but it is not needed normally :-)
138#1.organizationName             = Second Organization Name (eg, company)
139#1.organizationName_default     = World Wide Web Pty Ltd
140
141organizationalUnitName          = Organizational Unit Name (eg, section)
142#organizationalUnitName_default =
143
144commonName                      = Common Name (eg, YOUR name)
145commonName_max                  = 64
146
147emailAddress                    = Email Address
148emailAddress_max                = 64
149
150# SET-ex3                       = SET extension number 3
151
152[ req_attributes ]
153challengePassword               = A challenge password
154challengePassword_min           = 4
155challengePassword_max           = 20
156
157unstructuredName                = An optional company name
158
159[ usr_cert ]
160
161# These extensions are added when 'ca' signs a request.
162
163# This goes against PKIX guidelines but some CAs do it and some software
164# requires this to avoid interpreting an end user certificate as a CA.
165
166basicConstraints=CA:FALSE
167
168# Here are some examples of the usage of nsCertType. If it is omitted
169# the certificate can be used for anything *except* object signing.
170
171# This is OK for an SSL server.
172# nsCertType                    = server
173
174# For an object signing certificate this would be used.
175# nsCertType = objsign
176
177# For normal client use this is typical
178# nsCertType = client, email
179
180# and for everything including object signing:
181# nsCertType = client, email, objsign
182
183# This is typical in keyUsage for a client certificate.
184# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
185
186# This will be displayed in Netscape's comment listbox.
187nsComment                       = "OpenSSL Generated Certificate"
188
189# PKIX recommendations harmless if included in all certificates.
190subjectKeyIdentifier=hash
191authorityKeyIdentifier=keyid,issuer:always
192
193# This stuff is for subjectAltName and issuerAltname.
194# Import the email address.
195# subjectAltName=email:copy
196# An alternative to produce certificates that aren't
197# deprecated according to PKIX.
198# subjectAltName=email:move
199
200# Copy subject details
201# issuerAltName=issuer:copy
202
203#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
204#nsBaseUrl
205#nsRevocationUrl
206#nsRenewalUrl
207#nsCaPolicyUrl
208#nsSslServerName
209
210[ v3_req ]
211
212# Extensions to add to a certificate request
213
214basicConstraints = CA:FALSE
215keyUsage = nonRepudiation, digitalSignature, keyEncipherment
216
217[ v3_ca ]
218
219
220# Extensions for a typical CA
221
222
223# PKIX recommendation.
224
225subjectKeyIdentifier=hash
226
227authorityKeyIdentifier=keyid:always,issuer:always
228
229# This is what PKIX recommends but some broken software chokes on critical
230# extensions.
231#basicConstraints = critical,CA:true
232# So we do this instead.
233basicConstraints = CA:true
234
235# Key usage: this is typical for a CA certificate. However since it will
236# prevent it being used as an test self-signed certificate it is best
237# left out by default.
238# keyUsage = cRLSign, keyCertSign
239
240# Some might want this also
241# nsCertType = sslCA, emailCA
242
243# Include email address in subject alt name: another PKIX recommendation
244# subjectAltName=email:copy
245# Copy issuer details
246# issuerAltName=issuer:copy
247
248# DER hex encoding of an extension: beware experts only!
249# obj=DER:02:03
250# Where 'obj' is a standard or added object
251# You can even override a supported extension:
252# basicConstraints= critical, DER:30:03:01:01:FF
253
254[ crl_ext ]
255
256# CRL extensions.
257# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
258
259# issuerAltName=issuer:copy
260authorityKeyIdentifier=keyid:always,issuer:always
Note: See TracBrowser for help on using the repository browser.