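/* vim:nowrap:noet:ts=8:ft=dosini updated: 040806 */
/* This file is run through cpp before OpenSSL reads it: '#define', '#if'
   and C comments are consumed by the preprocessor, not by OpenSSL.
   The macro below avoids writing a literal '//' (which cpp would treat as
   a comment); NOTE(review): the '%%' is presumably removed by a
   post-processing step after cpp - confirm in the build script. */
#define HTTP(URL) http:/%%/URL
/*
   'openssl.cnf' syntax is described in '/usr/share/doc/openssl/doc/openssl.txt.gz'
   $ man 5ssl config; man 5ssl ca; man 5ssl req; man 5ssl x509
   Background info (PKI certificates and CRLs):
   Book: Eric Rescorla, "SSL and TLS, Designing and Building Secure Systems"

   Some elements of the syntax are not documented above!

   Sections can either be inline, if their name is given plainly, or in a
   separate file if their name looks like a file name:
     oid_section =OIDSECTION_local
     oid_section =$ENV::HOME/.oid

   Multi-valued extensions have a short form and a long form.  The short
   form is a list of names and values:
     subjectAltName =email:steve@here,email:steve@there
   The long form allows the values to be placed in a separate section in
   the same file if its name begins with a "@":
     subjectAltName =@subjectAltName_DEFAULT
     [subjectAltName_DEFAULT]
     email.1 =steve@here
     email.2 =steve@there

   Some popular extensions are described in:
   Semi-official lists of OIDs are at:

   This file contains a set of 'DEFAULT' sections that illustrate how to
   define sections to configure the various subcommands of OpenSSL.  The
   unnamed section configures 'openssl x509' and 'openssl req -x509', the
   'ca' section configures 'openssl ca', and the 'req' section configures
   'openssl req'.  Each of these refers to other sections for some things,
   in particular extensions and prompts.

   Usually you will want to create some custom sections and make sure that
   they are called 'ca_options' (configurable in the 'ca' section) and 'req'
   (which cannot be changed).  These can refer to the options in the
   'DEFAULT' sections, which are mostly sensible, by using the '$' operator,
   as in "$ca_DEFAULT::default_md".

   Two sections are referenced below but not defined in this file:
   'subjectAltName' and 'subjectAltName_CA'.  They presumably belong in the
   custom configuration; 'subjectAltName_DEFAULT' and
   'subjectAltName_DEFAULT_CA' below are templates for them.  OpenSSL will
   refuse to load an extension section that points at a missing section.
*/

/*[default]*/
/* This is the default unnamed section; values defined here are used for
   all OpenSSL subcommands, in particular 'x509', but also 'req' and 'ca',
   for which however specific sections can be defined to override the
   defaults.

   This definition stops the following lines choking if HOME isn't defined. */
HOME =.
RANDFILE =$ENV::HOME/.sslrand
#if 0
/* Extra OBJECT IDENTIFIER definitions. */
oid_file =$ENV::HOME/.oid
oid_section =OIDSECTION_local
#endif
/* To use this configuration file with the "-extfile" option of the
   "openssl x509" utility, name here the section containing the X.509v3
   extensions to use; alternatively, use a configuration file that has
   only X.509v3 extensions in its main [=default] section. */
#if 1
extensions =extensions_DEFAULT
#else
extensions =$ENV::SSL_EXT
#endif

#if 0
[OIDSECTION_local]
/* We can add new OIDs in here for use in the 'ca' and 'req' sections. */
exampleOID_1 =1.2.3.4
exampleOID_2 =${exampleOID_1}.5.6
#endif

/* ###################################################################### */

#if 0
[ca]
/* Section used by the 'openssl ca' command. */
# if 1
default_ca =ca_DEFAULT
# else
default_ca =$ENV::SSL_CA
# endif
#endif

/* ###################################################################### */

[ca_DEFAULT]
/* Template CA section; a real 'ca' section should refer to these values
   with "$ca_DEFAULT::name" and override what it needs. */
#if 0
oid_section =
oid_file =
#endif
/* Everything lives under 'dir'; in particular the CA private key below is
   kept here, so this directory and the key file must only be readable by
   the CA operator. */
dir =.
certs =$dir
new_certs_dir =$dir
crl_dir =$dir
database =$dir/caIndex.txt
serial =$dir/caSerial.txt
#if 0
crlnumber =$dir/caCRLnumber.txt
#endif
private_key =$dir/caPrivate_Key.pem
certificate =$dir/caCertificate.pem
crl =$dir/caRevoked.pem
/* The signing policy: which DN fields a request must carry and which must
   match the CA certificate.  See the policy_DEFAULT_* sections. */
#if 1
policy =policy_DEFAULT_PRIVATE
#else
policy =$ENV::SSL_POL
#endif
/* 'preserve' is the config form of -preserveDN: keep the DN field order of
   the request instead of the order of the policy section.
   NOTE(review): the original note here said that 'no' also drops DN
   elements not mentioned in the policy - verify against ca(1). */
preserve =yes
email_in_dn =no
/* How extensions present in a request are treated.  With 'copy', a request
   extension is only carried over when the x509_extensions section below
   does not already set it, so a request cannot upgrade basicConstraints or
   keyUsage - and its subjectAltName is also ignored in favour of the
   configured '@subjectAltName' section.  'copyall' lets the request
   override every configured extension and must not be used with
   untrusted requests.  Read the man page. */
copy_extensions =copy
/* Setting this to 'no' is only meaningful in post 0.9.8 releases */
unique_subject =yes
nameopt =
certopt =
msie_hack =no
/* Extensions to add to a self-signed certificate, a CA certificate. */
extensions =extensions_DEFAULT_CA
/* Extensions to add to a generated certificate.  If this section is
   present, then a V3 certificate is generated, otherwise V1. */
#if 1
x509_extensions =extensions_DEFAULT
#else
x509_extensions =$ENV::SSL_X509
#endif
#if 0
/* Extensions to add to a CRL.  If this section is present, then a V2 CRL
   is generated, otherwise V1.  Note: Netscape Communicator chokes on V2
   CRLs so this is commented out by default to leave a V1 CRL. */
# if 1
crl_extensions =crl_extensions_DEFAULT
# else
crl_extensions =$ENV::SSL_CRL
# endif
#endif
/* Validity of issued certificates and of CRLs, in days. */
#if 1
default_days =750
#else
default_startdate =
default_enddate =
#endif
default_crl_days =750
#if 0
default_crl_hours =
#endif
/* Signature digest.  The file originally used md5, which is
   collision-broken and rejected by current verifiers; sha256 is supported
   by every release that also understands 'unique_subject' above. */
default_md =sha256

[extensions_DEFAULT_CA]
/* Extensions for a CA certificate: used by 'extensions' in ca_DEFAULT and
   by 'x509_extensions' in req_DEFAULT (self-signed CA).
   PKIX recommends prefixing with 'critical' but some browsers break on
   critical extensions, so we have to omit it.  If this CA never issues
   subordinate CAs, 'CA:TRUE,pathlen:0' limits the damage a leaked
   end-entity key can do. */
basicConstraints =CA:TRUE
/* Key usage: this is typical for a CA certificate.  However since it will
   prevent it being used as a test self-signed certificate it should
   perhaps be left out by default. */
keyUsage =keyCertSign,cRLSign
/* PKIX recommendations, harmless if included in all certificates. */
subjectKeyIdentifier =hash
authorityKeyIdentifier =keyid:always,issuer:always
/* PKIX recommendation.  Copy issuer details.
   'subjectAltName_CA' is not defined in this file (see header). */
subjectAltName =@subjectAltName_CA
issuerAltName =issuer:copy
/* Netscape extensions, documented here:
   This will be displayed in Netscape's comment listbox. */
nsComment ="OpenSSL CA certificate"
#if 0
nsSSLServerName =
/* Here are some examples of the usage of 'nsCertType'.  If it is omitted
   the certificate can be used for anything except object signing. */
# if 1
nsCertType =sslCA,emailCA,objCA
# else
nsCertType =client,email,objsign
# endif
nsBaseURL =HTTP(CA.example.org/)
nsRenewalURL =cgi/renewal.cgi?
nsRevocationURL =cgi/revocation.cgi?
nsCAPolicyURL =HTTP(CA.example.org/policyX509.html)
nsCARevocationURL =HTTP(CA.example.org/caRevocation.pem)
#endif

[extensions_DEFAULT]
/* Extensions for an end-entity certificate when it is signed by a CA
   ('x509_extensions' in ca_DEFAULT). */
/* This goes against PKIX guidelines but some CAs do it and some software
   requires this to avoid interpreting an end user certificate as a CA. */
basicConstraints =CA:FALSE
/* Possible values: digitalSignature, nonRepudiation, keyEncipherment,
   dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly,
   decipherOnly */
keyUsage =nonRepudiation,digitalSignature,keyEncipherment
/* PKIX recommendations.  Harmless if included in all certificates. */
subjectKeyIdentifier =hash
authorityKeyIdentifier =keyid,issuer:always
/* PKIX recommendation.  Copy issuer details.
   'subjectAltName' is not defined in this file (see header); with
   copy_extensions=copy this section, not the request, decides the SAN. */
subjectAltName =@subjectAltName
issuerAltName =issuer:copy
/* Netscape extensions, documented here:
   This will be displayed in Netscape's comment listbox. */
nsComment ="OpenSSL generated certificate"
#if 0
nsSSLServerName =
/* Here are some examples of the usage of 'nsCertType'.  If it is omitted
   the certificate can be used for anything except object signing. */
nsCertType =client,email,objsign
nsBaseURL =HTTP(CA.example.org/)
nsRenewalURL =cgi/renewal.cgi?
nsRevocationURL =cgi/revocation.cgi?
nsCAPolicyURL =HTTP(CA.example.org/policyX509.html)
nsCARevocationURL =HTTP(CA.example.org/caRevocation.pem)
#endif

/* These are the CA signing policies, which describe which fields must be
   present in a CSR certificate to be signed and of these that must match
   those in the CA certificate.  'commonName' and 'subjectAltName' must be
   present because these are the fields that are being certified.
   NOTE(review): policy entries are checked against the subject DN of the
   request; 'subjectAltName' is normally an extension, not a DN attribute,
   so 'supplied' below likely rejects requests that carry it only as an
   extension - confirm before relying on it. */

[policy_DEFAULT_PRIVATE]
/* Signing policy for private CAs, where all certificates are for DNs
   within the same organization. */
commonName =supplied
subjectAltName =supplied
countryName =match
stateOrProvinceName =match
localityName =match
organizationName =match
organizationalUnitName =optional
emailAddress =optional

[policy_DEFAULT_ROOT]
/* Signing policy for a root CA, where any certificate at all may be
   signed. */
commonName =supplied
subjectAltName =optional
countryName =optional
stateOrProvinceName =optional
localityName =optional
organizationName =optional
organizationalUnitName =optional
emailAddress =optional

/* ###################################################################### */

[req_DEFAULT]
/* Section used by the 'openssl req' command, both for CSR certificates
   and signed certificates.  'openssl req' only reads a section named
   'req', which should refer here with "$req_DEFAULT::name". */
default_keyfile =newPrivate_Key.pem
/* Key size and signature digest.  The file originally used 1024-bit keys
   and md5; both are below current minimums (2048-bit RSA, SHA-2). */
default_bits =2048
default_md =sha256
encrypt_key =yes
utf8 =no
prompt =yes
/* The extensions to put into a CSR certificate. */
req_extensions =req_extensions_DEFAULT
/* The extensions to put into a certificate when it is self-signed. */
x509_extensions =extensions_DEFAULT_CA
/* Fields to prompt for in a CSR certificate. */
distinguished_name =distinguished_name_DEFAULT
attributes =attributes_DEFAULT
/* Passwords for private keys; if not present they will be prompted for.
   Leave this disabled: a password stored here is readable by anyone who
   can read the configuration file. */
#if 0
input_password =secret
output_password =secret
#endif
/* This sets a mask for permitted string types.  There are several options.
   default: PrintableString, T61String, BMPString.
   pkix: PrintableString, BMPString.
   utf8only: only UTF8Strings.
   nombstr: PrintableString, T61String (no BMPStrings or UTF8Strings).
   MASK:XXXX a literal mask value.
   WARNING current versions of Netscape crash on BMPStrings or UTF8Strings
   so use this option with caution! */
string_mask =nombstr

[req_extensions_DEFAULT_CA]
/* Extensions to put into a CSR certificate for a CA.  Not referenced by
   req_DEFAULT; a custom 'req' section would point 'req_extensions' here.
   Note that keyUsage below lacks keyCertSign/cRLSign, unlike
   extensions_DEFAULT_CA; with copy_extensions=copy the CA configuration
   wins anyway. */
basicConstraints =CA:TRUE
/* Possible values: digitalSignature, nonRepudiation, keyEncipherment,
   dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly,
   decipherOnly */
keyUsage =nonRepudiation,digitalSignature,keyEncipherment
/* PKIX recommendation.  Copy issuer details. */
subjectAltName =@subjectAltName_CA
issuerAltName =issuer:copy
nsComment ="OpenSSL generated CA self-signed certificate"

[req_extensions_DEFAULT]
/* Extensions to put into a CSR certificate. */
basicConstraints =CA:FALSE
/* Possible values: digitalSignature, nonRepudiation, keyEncipherment,
   dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly,
   decipherOnly */
keyUsage =nonRepudiation,digitalSignature,keyEncipherment
nsComment ="OpenSSL generated certificate request"

[distinguished_name_DEFAULT]
/* Default fields to prompt for when creating a CSR certificate.
   Excellent example here:
   For each field, 'name' is the prompt, 'name_default' the proposed value
   and 'name_min'/'name_max' the accepted length.  The suffixes are
   case-sensitive: 'openssl req' looks up '_default', so the original
   '_DEFAULT' spellings below were silently ignored. */
countryName =Country Name (2 letter code)
countryName_default =XX
countryName_min =2
countryName_max =2
stateOrProvinceName =State or Province Name (full name)
stateOrProvinceName_default =
localityName =Locality Name (eg, city)
localityName_default =
#if 1
organizationName =Organization Name (eg, company)
organizationName_default =*A proper name or a domain name usually*
organizationalUnitName =Organizational Unit Name (eg, section)
organizationalUnitName_default =*must differ between CA and site*
#else
0.organizationName =Organization Name (eg, company)
0.organizationName_default =Hewlett Packard
1.organizationName =Second Organization Name (eg, company)
1.organizationName_default =COMPAQ
0.organizationalUnitName =Organizational Unit Name (eg, section)
0.organizationalUnitName_default =Research laboratories
1.organizationalUnitName =Organizational Unit Name (eg, section)
1.organizationalUnitName_default =Development center
#endif
#if 1
commonName =Common Name
commonName_default =*name being certified*
commonName_max =64
#else
0.commonName =Common Name
0.commonName_default =(uscms.org|(www-(btevafs|numi)|cc).fnal.gov)
0.commonName_max =64
1.commonName =Common Name
1.commonName_default =uscms.org
1.commonName_max =64
2.commonName =Common Name
2.commonName_default =www-btevafs.fnal.gov
2.commonName_max =64
3.commonName =Common Name
3.commonName_default =www-numi.fnal.gov
3.commonName_max =64
4.commonName =Common Name
4.commonName_default =cc.fnal.gov
4.commonName_max =64
#endif
emailAddress =Email Address
emailAddress_max =60
#if 0
subjectAltName =Subject Alt Name
subjectAltName_default =@subjectAltName_DEFAULT
#endif
#if 0
SET-ex3 =SET extension number 3
#endif

[distinguished_name_DEFAULT_noprompt]
/* DN for 'prompt = no' mode: here the values are the DN contents
   themselves, so every placeholder below must be replaced. */
C =countryName
ST =stateOrProvinceName
L =localityName
O =organizationName
OU =organizationalUnitName
CN =Common Name
emailAddress =webmaster@example.org
#if 0
subjectAltName =@subjectAltName_DEFAULT
#endif

/* The 'DNS' field of 'subjectAltName' is extraordinarily important because
   it is what should be used instead of 'CommonName' to match host names for
   authentication, and there can be several and they can have wildcards as
   described in RFC 2459.
   PKIX recommendation.  Include email address in subject alt name. */

[subjectAltName_DEFAULT_CA]
/* Defaults for the 'subjectAltName' field of a CA certificate; a template
   for the 'subjectAltName_CA' section referenced above. */
DNS.0 =example.org
DNS.1 =*.example.org
DNS.2 =SSL.example.org
DNS.3 =WWW.example.org
IP =192.0.2.1
#if 0
RFC822.0 =root@example.org
RFC822.1 =keymaster@example.org
#endif
email.0 =root@example.org
email.1 =keymaster@example.org
URI =HTTP(CA.example.org/)

[subjectAltName_DEFAULT]
/* Defaults for the 'subjectAltName' field of an end-entity certificate; a
   template for the 'subjectAltName' section referenced above.  Because
   the CA ignores the request's SAN (see copy_extensions), this is the
   per-certificate list and must be edited for each host. */
DNS.0 =example.org
DNS.1 =*.example.org
DNS.2 =SSL.example.org
DNS.3 =WWW.example.org
DNS.4 =POP3.example.org
DNS.5 =SMTP.example.org
IP =192.0.2.1
#if 0
RFC822.0 =root@example.org
RFC822.1 =webmaster@example.org
#endif
email.0 =root@example.org
email.1 =webmaster@example.org
URI =HTTP(WWW.example.org/about.html)

[attributes_DEFAULT]
/* Special attributes for a CSR certificate. */
challengePassword =A challenge password for the CA to ask
challengePassword_min =4
challengePassword_max =20
unstructuredName =An optional company name

[crl_extensions_DEFAULT]
/* Extensions that go into a CRL (V2) certificate.  Only issuerAltName and
   authorityKeyIdentifier make sense in a CRL. */
authorityKeyIdentifier =keyid:always,issuer:always
/* PKIX recommendation.  Copy issuer details. */
issuerAltName =issuer:copy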