source: TI12-security/trunk/java/axis2/xmlbWsseEchoClient/opensslFiles/openssl.cnf @ 4083

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/java/axis2/xmlbWsseEchoClient/opensslFiles/openssl.cnf@4083
Revision 4083, 7.6 KB checked in by cbyrom, 12 years ago (diff)

Add basic files required to run the openssl commands for generating
CA certificates and using these to sign public keys.

#
# OpenSSL configuration file for the xmlbWsseEchoClient CA tooling.
# It drives the "openssl ca" and "openssl req" commands used to generate
# the CA certificate and to sign certificate requests; most of it is the
# stock OpenSSL example configuration.
#

# Give HOME a value so the lines below do not fail when the
# environment variable is unset.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this file with the "-extfile" option of "openssl x509", name the
# section holding the X.509v3 extensions here:
# extensions =
# (Alternatively, use a configuration file whose main [= default] section
# contains only X.509v3 extensions.)
21
[ new_oids ]

# New OIDs for use by 'ca' and 'req' go here.
# A plain OID:
# testoid1=1.2.3.4
# Or one built from another entry via config-file substitution:
# testoid2=${testoid1}.5.6
29
####################################################################
[ ca ]
# Section that "openssl ca" uses unless -name overrides it.
default_ca = CA_default
33
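####################################################################
[ CA_default ]

# Where everything is kept: this CA works out of the current directory.
dir = .
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# Set to 'no' to allow creation of several certificates with the same subject.
#unique_subject = no
# default place for new certs
new_certs_dir = $dir

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL number; must stay commented out to leave a V1 CRL
#crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/crl.pem
# The CA private key. NOTE(review): it sits in the working directory next
# to the public material rather than under a restricted private/
# subdirectory (as RANDFILE below does), so keep its file permissions
# owner-only.
private_key = $dir/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand

# The extensions to add to the cert
x509_extensions = usr_cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

# how long to certify for
default_days = 365
# how long before next CRL
default_crl_days = 30
# Message digest used to sign issued certificates. The stock example used
# md5, which is collision-broken and unsuitable for CA signatures; sha256
# is the accepted baseline.
default_md = sha256
# keep passed DN ordering
preserve = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match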
77
# Policy used by CA_default: the request's C, ST and O must equal the
# CA's, CN must be present, the remaining fields may be absent.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
86
# The 'anything' policy: only the commonName is required.
# Every acceptable 'object' type must still be listed here.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
98
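####################################################################
[ req ]
# RSA key size for "openssl req -new" when none is given on the command
# line. The stock example used 1024, which is below the accepted minimum;
# 2048 is the current baseline.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca

# Passwords for private keys; if not present they will be prompted for.
# Leave these commented out: this file is checked in, so a passphrase
# written here would be committed to the repository.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# The extensions to add to a certificate request
# req_extensions = v3_req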
122
[ req_distinguished_name ]
# Prompts, defaults and length limits for the DN fields asked for by
# "openssl req". Keep the field order: it is processed in sequence.
countryName = Country Name (2 letter code)
countryName_default = LK
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# A second organizationName is possible but normally not needed :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3
151
[ req_attributes ]
# Optional request attributes; challengePassword is limited to 4-20 characters.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name
158
[ usr_cert ]

# Extensions added when 'ca' signs a request.

# Contrary to PKIX guidelines, but some CAs do it and some software needs
# it to avoid treating an end-user certificate as a CA.
basicConstraints = CA:FALSE

# nsCertType examples. When it is omitted the certificate may be used for
# anything *except* object signing.
#
# SSL server:
# nsCertType = server
# Object signing:
# nsCertType = objsign
# Normal client use:
# nsCertType = client, email
# Everything, including object signing:
# nsCertType = client, email, objsign

# Typical keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Shown in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations, harmless in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# subjectAltName / issuerAltName.
# Import the email address:
# subjectAltName=email:copy
# Alternative that produces certificates not deprecated by PKIX:
# subjectAltName=email:move

# Copy subject details:
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
209
[ v3_req ]
# Extensions to add to a certificate request.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
216
[ v3_ca ]

# Extensions for a typical CA.

# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# PKIX recommends marking this critical, but some broken software chokes
# on critical extensions, so it is left non-critical.
#basicConstraints = critical,CA:true
basicConstraints = CA:true

# Key usage typical for a CA certificate. It would stop the certificate
# being used as a test self-signed certificate, so it is left out by
# default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also:
# nsCertType = sslCA, emailCA

# Include the email address in subjectAltName (another PKIX recommendation):
# subjectAltName=email:copy
# Copy issuer details:
# issuerAltName=issuer:copy

# DER hex encoding of an extension: experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object.
# A supported extension can even be overridden:
# basicConstraints= critical, DER:30:03:01:01:FF
253
[ crl_ext ]
# CRL extensions. Only issuerAltName and authorityKeyIdentifier make
# sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always