github.com/canhui/fabric_ca2_2@v2.0.0-alpha+incompatible/images/fabric-ca-fvt/payload/openssl.cnf.base

#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
#HOME                    = .
#RANDFILE                = $ENV::HOME/.rnd
DOMAIN                  = FVT
SUBALT                  = IP:9.37.17.64
KEYUSE                  = nonRepudiation,digitalSignature,keyEncipherment
HTTP_PORT               = 3755
#EXTKEYUSE               = "ipsecEndSystem"

####################################################################
# CA Definition
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
# Per the above, this is where we define CA values
[ CA_default ]

dir             = /tmp/CAs/$DOMAIN # Where everything is kept
certs           = $dir/certsdb          # Where the issued certs are kept
new_certs_dir   = $certs                # default place for new certs.
database        = $dir/index.txt        # database index file.
certificate     = $dir/cacert.pem       # The CA certificate
private_key     = $dir/private/cakey.pem# The private key
serial          = $dir/serial           # The current serial number
RANDFILE        = $dir/private/.rand    # private random number file

crldir          = $dir/crl
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $crldir/crl.pem       # The current CRL
unique_subject	= no                    # allows for mulitple certs with
                                        # the same SubjectName

# By default we use "user certificate" extensions when signing
x509_extensions = usr_cert              # The extentions to add to the cert

# Honor extensions requested of us
copy_extensions	= copy

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions        = crl_ext
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

####################################################################
# The default policy for the CA when signing requests, requires some
# resemblence to the CA cert
#
[ policy_match ]
countryName             = optional      # Must be the same as the CA
stateOrProvinceName     = optional      # Must be the same as the CA
organizationName        = optional      # Must be the same as the CA
organizationalUnitName  = optional      # not required
commonName              = supplied      # must be there, whatever it is
serialNumber            = optional      # not required
emailAddress            = optional      # not required

####################################################################
# An alternative policy not referred to anywhere in this file. Can
# be used by specifying '-policy policy_anything' to ca(8).
#
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
serialNumber            = optional      # not required
emailAddress            = optional

####################################################################
# This is where we define how to generate CSRs
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name # where to get DN for reqs
attributes              = req_attributes         # req attributes
x509_extensions		= v3_ca  # The extentions to add to self signed certs
req_extensions		= v3_req # The extensions to add to req's

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr


####################################################################
# Per "req" section, this is where we define DN info
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = NC

localityName                    = Locality Name (eg, city)
localityName_default            = RTP

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = IBM

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = FVT

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

#emailAddress                    = Email Address
#emailAddress_max                = 64


####################################################################
# We don't want these, but the section must exist
[ req_attributes ]
#challengePassword              = A challenge password
#challengePassword_min          = 4
#challengePassword_max          = 20
#unstructuredName               = An optional company name


####################################################################
# Extensions for when we sign normal certs (specified as default)
[ usr_cert ]
crlDistributionPoints=cdp_section
# User certs aren't CAs, by definition
basicConstraints=CA:false
nsComment                     = "OpenSSL Generated Certificate"
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
#nsCertType = server
# For an object signing certificate this would be used.
#nsCertType = objsign
# For normal client use this is typical
#nsCertType = client, email
# and for everything including object signing:
#nsCertType = client, email, objsign

# keyUsage -- the supported names are:
# digitalSignature
# nonRepudiation
# keyEncipherment
# dataEncipherment
# keyAgreement
# keyCertSign
# cRLSign
# encipherOnly
# decipherOnly
# This is typical in keyUsage for a client certificate.
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
keyUsage = $KEYUSE

# extendedKeyUsage -- the supported names are:
# serverAuth
# clientAuth
# codeSigning
# emailProtection
# ipsecEndSystem -- obsolete
# ipsecTunnel    -- obsolete
# ipsecUser      -- obsolete
# timeStamping
# OCSPSigning
#extendedKeyUsage = $EXTKEYUSE

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
#subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
#subjectAltName=email:move
subjectAltName=$SUBALT

####################################################################
# Same as above, but cert req already has SubjectAltNames
[ usr_cert_has_san ]
crlDistributionPoints=cdp_section
basicConstraints=CA:false
nsComment                     = "OpenSSL Generated Certificate"
#nsCertType = server
#nsCertType = objsign
#nsCertType = client, email
#nsCertType = client, email, objsign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
#subjectAltName=email:move
keyUsage = $KEYUSE
#extendedKeyUsage = $EXTKEYUSE


####################################################################
# Extension for requests
[ v3_req ]
# Lets at least make our requests PKIX complaint
#subjectAltName=email:move

subjectAltName=$SUBALT

####################################################################
# subjectAltName section
[ alt_section ]
#DNS.1=amphion.raleigh.ibm.com
#IP.1=9.42.105.138
#IP.2=13::17
#email.1=eabailey@us.ibm.com

####################################################################
# An alternative section of extensions, not referred to anywhere
# else in the config. We'll use this via '-extensions v3_ca' when
# using ca(8) to sign another CA.
#
[ v3_ca ]
crlDistributionPoints=cdp_section
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
#subjectAltName=email:move
# Copy issuer details
#issuerAltName=issuer:copy
subjectAltName=email:move
certificatePolicies=2.5.29.32.0

[ v3_ca_has_san ]
crlDistributionPoints=cdp_section
# Same as above, but CA req already has SubjectAltNames
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
#basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
# nsCertType = sslCA, emailCA
# Copy issuer details
#issuerAltName=issuer:copy
certificatePolicies=2.5.29.32.0


[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
issuingDistributionPoint=critical,@idp_section

[ idp_section ]
fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.der
#onlysomereasons=$IDPREASON

[ cdp_section ]
fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.pem
# revocation reason, where reason is one of:
#    unspecified
#    keyCompromise
#    CACompromise
#    affiliationChanged
#    superseded
#    cessationOfOperation
#    certificateHold
#    removeFromCRL
#reasons=$CDPREASON