
# openssl.cnf — OpenSSL configuration for the etcd test-CA fixture.
# Read by `openssl ca`, `openssl req` and `openssl ts`. `$name` / `${name}`
# references expand to other keys of the same (or the unnamed default) section.
[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
# NOTE(review): these live under the example arc 1.2.3.4 and are placeholders,
# not registered OIDs. The stock OpenSSL sample activates this section with
# `oid_section = new_oids` in the unnamed default section; no such line is
# visible in this file, so confirm the tsa_policy* names resolve before
# relying on them from [ tsa_config1 ].
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

    14  ####################################################################
    15  [ ca ]
    16  default_ca	= CA_default		# The default ca section
    17  
####################################################################
# Settings used by `openssl ca` when issuing and revoking certificates.
# $dir is expanded from the `dir` key below; the value is relative, so all
# paths resolve against the directory openssl is run from.
[ CA_default ]

dir		= ./demoCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certificates with same subject.
					# (left at OpenSSL's default 'yes': a second
					# certificate with an identical subject is
					# refused while the first is still valid)
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem# The private key (no space before '#';
					# OpenSSL still ends the value at the '#')
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extensions to add to the cert
					# (see [ usr_cert ] below)

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# Left off: extensions carried in a request (e.g. the subjectAltName that
# [ v3_req ] puts into CSRs) are dropped when `ca` signs and only
# [ usr_cert ] is applied. Enabling `copy` lets a requester choose its own
# SANs and other extensions, so review each request before signing if it
# is ever turned on.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= default		# use public key default MD
preserve	= no			# keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

    62  # For the CA policy
    63  [ policy_match ]
    64  countryName		= match
    65  stateOrProvinceName	= match
    66  organizationName	= match
    67  organizationalUnitName	= optional
    68  commonName		= supplied
    69  emailAddress		= optional
    70  
    71  # For the 'anything' policy
    72  # At this point in time, you must list all acceptable 'object'
    73  # types.
    74  [ policy_anything ]
    75  countryName		= optional
    76  stateOrProvinceName	= optional
    77  localityName		= optional
    78  organizationName	= optional
    79  organizationalUnitName	= optional
    80  commonName		= supplied
    81  emailAddress		= optional
    82  
    83  ####################################################################
    84  [ req ]
    85  default_bits		= 1024
    86  default_keyfile 	= privkey.pem
    87  distinguished_name	= req_distinguished_name
    88  attributes		= req_attributes
    89  x509_extensions	= v3_ca	# The extentions to add to the self signed cert
    90  
    91  # Passwords for private keys if not present they will be prompted for
    92  # input_password = secret
    93  # output_password = secret
    94  
    95  # This sets a mask for permitted string types. There are several options. 
    96  # default: PrintableString, T61String, BMPString.
    97  # pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
    98  # utf8only: only UTF8Strings (PKIX recommendation after 2004).
    99  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
   100  # MASK:XXXX a literal mask value.
   101  # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
   102  string_mask = utf8only
   103  
   104  req_extensions = v3_req # The extensions to add to a certificate request
   105  
# Prompts and defaults for the subject DN asked by `openssl req`.
# For each field: <name> = prompt text, <name>_default = value used when the
# prompt is answered empty, <name>_min / _max = accepted length in characters.
# A numeric prefix (0.organizationName) lets the same field be asked twice.
# The defaults are the stock OpenSSL sample values, not etcd-specific.
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= AU
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State

localityName			= Locality Name (eg, city)

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

# No default on purpose: [ policy_match ] requires commonName to be supplied.
commonName			= Common Name (e.g. server FQDN or YOUR name)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64

# SET-ex3			= SET extension number 3

# Extra attributes prompted by `openssl req`; they are stored in the CSR only
# and are not copied into the issued certificate.
[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

# Extensions applied by `openssl ca` to every certificate it issues
# (selected by x509_extensions = usr_cert in [ CA_default ]).
[ usr_cert ]

# This is required for TSA certificates.
# This is required for client Auth and server Auth
# NOTE(review): one EKU set serves all three roles here. RFC 3161 expects a
# TSA certificate to carry timeStamping as its only purpose, so a strict
# timestamp verifier may reject certificates from this profile; TLS peers
# generally tolerate the extra purpose. Split into separate profiles if the
# TSA path is ever exercised.
extendedKeyUsage = critical,timeStamping,serverAuth,clientAuth

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# Extensions placed into certificate requests (req_extensions = v3_req in
# [ req ]). They only reach the issued certificate if the signing CA enables
# copy_extensions; [ CA_default ] in this file leaves it off.
[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Same combined set as [ usr_cert ]; RFC 3161 expects timeStamping to be the
# sole purpose of a TSA certificate, so keep that in mind if TSA is used.
extendedKeyUsage = critical,timeStamping,serverAuth,clientAuth
# Names are listed in [alt_names] at the end of this file (127.0.0.1 only).
subjectAltName = @alt_names

# Extensions for the self-signed CA certificate (x509_extensions = v3_ca
# in [ req ]).
[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Restricts the CA key to signing certificates and CRLs, so the CA
# certificate cannot itself be used as a TLS server/client certificate.
keyUsage = keyCertSign, cRLSign

# Key usage: this is typical for a CA certificate. The original sample text
# left it out so the self-signed certificate could double as a test
# certificate; this file enables it on the line above, so the commented
# line below is only the sample's original and has no effect.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

   244  [ crl_ext ]
   245  
   246  # CRL extensions.
   247  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
   248  
   249  # issuerAltName=issuer:copy
   250  authorityKeyIdentifier=keyid:always
   251  
# Extensions for proxy certificates (RFC 3820). Nothing in this file selects
# this section; it is only reachable via `-extensions proxy_cert_ext`. The
# body up to proxyCertInfo repeats [ usr_cert ] without extendedKeyUsage.
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
# NOTE(review): `policy:foo` is a sample placeholder and pathlen:3 permits
# three further levels of delegation; set both deliberately before any use.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

   305  ####################################################################
   306  [ tsa ]
   307  
   308  default_tsa = tsa_config1	# the default TSA section
   309  
# Time Stamp Authority settings for `openssl ts -reply`.
# NOTE(review): tsacert.pem, tsakey.pem and tsaserial are referenced nowhere
# else in this file; the section appears to be inherited from the OpenSSL
# sample rather than used by the fixture — confirm before removing or relying
# on it.
[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir		= ./demoCA		# TSA root directory
serial		= $dir/tsaserial	# The current serial number (mandatory)
crypto_device	= builtin		# OpenSSL engine to use for signing
signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)

default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional; names an OID from [ new_oids ])
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= md5, sha1		# Acceptable message digests (mandatory)
					# NOTE(review): md5 is collision-broken and
					# sha1 deprecated for signatures; drop md5 and
					# add sha256 if this TSA is ever used.
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
				# (optional, default: no)


# Subject alternative names pulled in by subjectAltName = @alt_names in
# [ v3_req ]. Only the loopback address is listed, so a certificate built
# from this profile validates connections to 127.0.0.1 only; add
# `DNS.1 = <hostname>` / `IP.2 = <address>` entries for any other endpoint.
[alt_names]
IP.1 = 127.0.0.1