github.com/paul-lee-attorney/fabric-ca-1.4.7-gm@v0.0.0-20201120102036-c7ad827cf9ac/testdata/openssl.cnf.base (about) 1 # 2 # Copyright IBM Corp. All Rights Reserved. 3 # 4 # SPDX-License-Identifier: Apache-2.0 5 # 6 #HOME = . 7 #RANDFILE = $ENV::HOME/.rnd 8 DOMAIN = FVT 9 SUBALT = IP:9.37.17.64 10 KEYUSE = nonRepudiation,digitalSignature,keyEncipherment 11 HTTP_PORT = 3755 12 #EXTKEYUSE = "ipsecEndSystem" 13 14 #################################################################### 15 # CA Definition 16 [ ca ] 17 default_ca = CA_default # The default ca section 18 19 #################################################################### 20 # Per the above, this is where we define CA values 21 [ CA_default ] 22 23 dir = /tmp/CAs/$DOMAIN # Where everything is kept 24 certs = $dir/certsdb # Where the issued certs are kept 25 new_certs_dir = $certs # default place for new certs. 26 database = $dir/index.txt # database index file. 27 certificate = $dir/cacert.pem # The CA certificate 28 private_key = $dir/private/cakey.pem# The private key 29 serial = $dir/serial # The current serial number 30 RANDFILE = $dir/private/.rand # private random number file 31 32 crldir = $dir/crl 33 crlnumber = $dir/crlnumber # the current crl number 34 crl = $crldir/crl.pem # The current CRL 35 unique_subject = no # allows for mulitple certs with 36 # the same SubjectName 37 38 # By default we use "user certificate" extensions when signing 39 x509_extensions = usr_cert # The extentions to add to the cert 40 41 # Honor extensions requested of us 42 copy_extensions = copy 43 44 # Comment out the following two lines for the "traditional" 45 # (and highly broken) format. 46 name_opt = ca_default # Subject Name options 47 cert_opt = ca_default # Certificate field options 48 49 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 50 # so this is commented out by default to leave a V1 CRL. 51 # crlnumber must also be commented out to leave a V1 CRL. 52 crl_extensions = crl_ext 53 default_days = 365 # how long to certify for 54 default_crl_days= 30 # how long before next CRL 55 default_md = sha1 # which md to use. 56 preserve = no # keep passed DN ordering 57 58 # A few difference way of specifying how similar the request should look 59 # For type CA, the listed attributes must be the same, and the optional 60 # and supplied fields are just that :-) 61 policy = policy_match 62 63 #################################################################### 64 # The default policy for the CA when signing requests, requires some 65 # resemblence to the CA cert 66 # 67 [ policy_match ] 68 countryName = optional # Must be the same as the CA 69 stateOrProvinceName = optional # Must be the same as the CA 70 organizationName = optional # Must be the same as the CA 71 organizationalUnitName = optional # not required 72 commonName = supplied # must be there, whatever it is 73 serialNumber = optional # not required 74 emailAddress = optional # not required 75 76 #################################################################### 77 # An alternative policy not referred to anywhere in this file. Can 78 # be used by specifying '-policy policy_anything' to ca(8). 79 # 80 [ policy_anything ] 81 countryName = optional 82 stateOrProvinceName = optional 83 localityName = optional 84 organizationName = optional 85 organizationalUnitName = optional 86 commonName = supplied 87 serialNumber = optional # not required 88 emailAddress = optional 89 90 #################################################################### 91 # This is where we define how to generate CSRs 92 [ req ] 93 default_bits = 1024 94 default_keyfile = privkey.pem 95 distinguished_name = req_distinguished_name # where to get DN for reqs 96 attributes = req_attributes # req attributes 97 x509_extensions = v3_ca # The extentions to add to self signed certs 98 req_extensions = v3_req # The extensions to add to req's 99 100 # This sets a mask for permitted string types. There are several options. 101 # default: PrintableString, T61String, BMPString. 102 # pkix : PrintableString, BMPString. 103 # utf8only: only UTF8Strings. 104 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 105 # MASK:XXXX a literal mask value. 106 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 107 # so use this option with caution! 108 string_mask = nombstr 109 110 111 #################################################################### 112 # Per "req" section, this is where we define DN info 113 [ req_distinguished_name ] 114 countryName = Country Name (2 letter code) 115 countryName_default = US 116 countryName_min = 2 117 countryName_max = 2 118 119 stateOrProvinceName = State or Province Name (full name) 120 stateOrProvinceName_default = NC 121 122 localityName = Locality Name (eg, city) 123 localityName_default = RTP 124 125 0.organizationName = Organization Name (eg, company) 126 0.organizationName_default = IBM 127 128 organizationalUnitName = Organizational Unit Name (eg, section) 129 organizationalUnitName_default = FVT 130 131 commonName = Common Name (eg, YOUR name) 132 commonName_max = 64 133 134 #emailAddress = Email Address 135 #emailAddress_max = 64 136 137 138 #################################################################### 139 # We don't want these, but the section must exist 140 [ req_attributes ] 141 #challengePassword = A challenge password 142 #challengePassword_min = 4 143 #challengePassword_max = 20 144 #unstructuredName = An optional company name 145 146 147 #################################################################### 148 # Extensions for when we sign normal certs (specified as default) 149 [ usr_cert ] 150 crlDistributionPoints=cdp_section 151 # User certs aren't CAs, by definition 152 basicConstraints=CA:false 153 nsComment = "OpenSSL Generated Certificate" 154 # Here are some examples of the usage of nsCertType. If it is omitted 155 # the certificate can be used for anything *except* object signing. 156 # This is OK for an SSL server. 157 #nsCertType = server 158 # For an object signing certificate this would be used. 159 #nsCertType = objsign 160 # For normal client use this is typical 161 #nsCertType = client, email 162 # and for everything including object signing: 163 #nsCertType = client, email, objsign 164 165 # keyUsage -- the supported names are: 166 # digitalSignature 167 # nonRepudiation 168 # keyEncipherment 169 # dataEncipherment 170 # keyAgreement 171 # keyCertSign 172 # cRLSign 173 # encipherOnly 174 # decipherOnly 175 # This is typical in keyUsage for a client certificate. 176 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment 177 keyUsage = $KEYUSE 178 179 # extendedKeyUsage -- the supported names are: 180 # serverAuth 181 # clientAuth 182 # codeSigning 183 # emailProtection 184 # ipsecEndSystem -- obsolete 185 # ipsecTunnel -- obsolete 186 # ipsecUser -- obsolete 187 # timeStamping 188 # OCSPSigning 189 #extendedKeyUsage = $EXTKEYUSE 190 191 # PKIX recommendations harmless if included in all certificates. 192 subjectKeyIdentifier=hash 193 authorityKeyIdentifier=keyid,issuer 194 195 # This stuff is for subjectAltName and issuerAltname. 196 # Import the email address. 197 #subjectAltName=email:copy 198 # An alternative to produce certificates that aren't 199 # deprecated according to PKIX. 200 #subjectAltName=email:move 201 subjectAltName=$SUBALT 202 203 #################################################################### 204 # Same as above, but cert req already has SubjectAltNames 205 [ usr_cert_has_san ] 206 crlDistributionPoints=cdp_section 207 basicConstraints=CA:false 208 nsComment = "OpenSSL Generated Certificate" 209 #nsCertType = server 210 #nsCertType = objsign 211 #nsCertType = client, email 212 #nsCertType = client, email, objsign 213 subjectKeyIdentifier=hash 214 authorityKeyIdentifier=keyid,issuer 215 #subjectAltName=email:move 216 keyUsage = $KEYUSE 217 #extendedKeyUsage = $EXTKEYUSE 218 219 220 #################################################################### 221 # Extension for requests 222 [ v3_req ] 223 # Lets at least make our requests PKIX complaint 224 #subjectAltName=email:move 225 226 subjectAltName=$SUBALT 227 228 #################################################################### 229 # subjectAltName section 230 [ alt_section ] 231 #DNS.1=amphion.raleigh.ibm.com 232 #IP.1=9.42.105.138 233 #IP.2=13::17 234 #email.1=eabailey@us.ibm.com 235 236 #################################################################### 237 # An alternative section of extensions, not referred to anywhere 238 # else in the config. We'll use this via '-extensions v3_ca' when 239 # using ca(8) to sign another CA. 240 # 241 [ v3_ca ] 242 crlDistributionPoints=cdp_section 243 # PKIX recommendation. 244 subjectKeyIdentifier=hash 245 authorityKeyIdentifier=keyid:always,issuer:always 246 247 # This is what PKIX recommends but some broken software chokes on critical 248 # extensions. 249 basicConstraints = critical,CA:true 250 # So we do this instead. 251 #basicConstraints = CA:true 252 253 # Key usage: this is typical for a CA certificate. However since it will 254 # prevent it being used as an test self-signed certificate it is best 255 # left out by default. 256 keyUsage = cRLSign, keyCertSign 257 258 # Some might want this also 259 # nsCertType = sslCA, emailCA 260 261 # Include email address in subject alt name: another PKIX recommendation 262 #subjectAltName=email:move 263 # Copy issuer details 264 #issuerAltName=issuer:copy 265 subjectAltName=email:move 266 certificatePolicies=2.5.29.32.0 267 268 [ v3_ca_has_san ] 269 crlDistributionPoints=cdp_section 270 # Same as above, but CA req already has SubjectAltNames 271 subjectKeyIdentifier=hash 272 authorityKeyIdentifier=keyid:always,issuer:always 273 basicConstraints = critical,CA:true 274 #basicConstraints = CA:true 275 keyUsage = cRLSign, keyCertSign 276 # nsCertType = sslCA, emailCA 277 # Copy issuer details 278 #issuerAltName=issuer:copy 279 certificatePolicies=2.5.29.32.0 280 281 282 [ crl_ext ] 283 # CRL extensions. 284 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 285 # issuerAltName=issuer:copy 286 authorityKeyIdentifier=keyid:always,issuer:always 287 issuingDistributionPoint=critical,@idp_section 288 289 [ idp_section ] 290 fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.der 291 #onlysomereasons=$IDPREASON 292 293 [ cdp_section ] 294 fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.pem 295 # revocation reason, where reason is one of: 296 # unspecified 297 # keyCompromise 298 # CACompromise 299 # affiliationChanged 300 # superseded 301 # cessationOfOperation 302 # certificateHold 303 # removeFromCRL 304 #reasons=$CDPREASON