You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291
  1. # For use with easy-rsa version 2.0
  2. #
  3. # OpenSSL example configuration file.
  4. # This is mostly being used for generation of certificate requests.
  5. #
  6. # This definition stops the following lines choking if HOME isn't
  7. # defined.
  8. HOME = .
  9. RANDFILE = $ENV::HOME/.rnd
  10. openssl_conf = openssl_init
  11. [ openssl_init ]
  12. # Extra OBJECT IDENTIFIER info:
  13. #oid_file = $ENV::HOME/.oid
  14. oid_section = new_oids
  15. engines = engine_section
  16. # To use this configuration file with the "-extfile" option of the
  17. # "openssl x509" utility, name here the section containing the
  18. # X.509v3 extensions to use:
  19. # extensions =
  20. # (Alternatively, use a configuration file that has only
  21. # X.509v3 extensions in its main [= default] section.)
  22. [ new_oids ]
  23. # We can add new OIDs in here for use by 'ca' and 'req'.
  24. # Add a simple OID like this:
  25. # testoid1=1.2.3.4
  26. # Or use config file substitution like this:
  27. # testoid2=${testoid1}.5.6
  28. ####################################################################
  29. [ ca ]
  30. default_ca = CA_default # The default ca section
  31. ####################################################################
  32. [ CA_default ]
  33. dir = $ENV::KEY_DIR # Where everything is kept
  34. certs = $dir # Where the issued certs are kept
  35. crl_dir = $dir # Where the issued crl are kept
  36. database = $dir/index.txt # database index file.
  37. new_certs_dir = $dir # default place for new certs.
  38. certificate = $dir/ca.crt # The CA certificate
  39. serial = $dir/serial # The current serial number
  40. crl = $dir/crl.pem # The current CRL
  41. private_key = $dir/ca.key # The private key
  42. RANDFILE = $dir/.rand # private random number file
  43. x509_extensions = usr_cert # The extentions to add to the cert
  44. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  45. # so this is commented out by default to leave a V1 CRL.
  46. # crl_extensions = crl_ext
  47. default_days = 3650 # how long to certify for
  48. default_crl_days= 30 # how long before next CRL
  49. default_md = md5 # which md to use.
  50. preserve = no # keep passed DN ordering
  51. # A few difference way of specifying how similar the request should look
  52. # For type CA, the listed attributes must be the same, and the optional
  53. # and supplied fields are just that :-)
  54. policy = policy_anything
  55. # For the CA policy
  56. [ policy_match ]
  57. countryName = match
  58. stateOrProvinceName = match
  59. organizationName = match
  60. organizationalUnitName = optional
  61. commonName = supplied
  62. name = optional
  63. emailAddress = optional
  64. # For the 'anything' policy
  65. # At this point in time, you must list all acceptable 'object'
  66. # types.
  67. [ policy_anything ]
  68. countryName = optional
  69. stateOrProvinceName = optional
  70. localityName = optional
  71. organizationName = optional
  72. organizationalUnitName = optional
  73. commonName = supplied
  74. name = optional
  75. emailAddress = optional
  76. ####################################################################
  77. [ req ]
  78. default_bits = $ENV::KEY_SIZE
  79. default_keyfile = privkey.pem
  80. distinguished_name = req_distinguished_name
  81. attributes = req_attributes
  82. x509_extensions = v3_ca # The extentions to add to the self signed cert
  83. # Passwords for private keys if not present they will be prompted for
  84. # input_password = secret
  85. # output_password = secret
  86. # This sets a mask for permitted string types. There are several options.
  87. # default: PrintableString, T61String, BMPString.
  88. # pkix : PrintableString, BMPString.
  89. # utf8only: only UTF8Strings.
  90. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  91. # MASK:XXXX a literal mask value.
  92. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  93. # so use this option with caution!
  94. string_mask = nombstr
  95. # req_extensions = v3_req # The extensions to add to a certificate request
  96. [ req_distinguished_name ]
  97. countryName = Country Name (2 letter code)
  98. countryName_default = $ENV::KEY_COUNTRY
  99. countryName_min = 2
  100. countryName_max = 2
  101. stateOrProvinceName = State or Province Name (full name)
  102. stateOrProvinceName_default = $ENV::KEY_PROVINCE
  103. localityName = Locality Name (eg, city)
  104. localityName_default = $ENV::KEY_CITY
  105. 0.organizationName = Organization Name (eg, company)
  106. 0.organizationName_default = $ENV::KEY_ORG
  107. # we can do this but it is not needed normally :-)
  108. #1.organizationName = Second Organization Name (eg, company)
  109. #1.organizationName_default = World Wide Web Pty Ltd
  110. organizationalUnitName = Organizational Unit Name (eg, section)
  111. #organizationalUnitName_default =
  112. commonName = Common Name (eg, your name or your server\'s hostname)
  113. commonName_max = 64
  114. name = Name
  115. name_max = 64
  116. emailAddress = Email Address
  117. emailAddress_default = $ENV::KEY_EMAIL
  118. emailAddress_max = 40
  119. # JY -- added for batch mode
  120. organizationalUnitName_default = $ENV::KEY_OU
  121. commonName_default = $ENV::KEY_CN
  122. name_default = $ENV::KEY_NAME
  123. # SET-ex3 = SET extension number 3
  124. [ req_attributes ]
  125. challengePassword = A challenge password
  126. challengePassword_min = 4
  127. challengePassword_max = 20
  128. unstructuredName = An optional company name
  129. [ usr_cert ]
  130. # These extensions are added when 'ca' signs a request.
  131. # This goes against PKIX guidelines but some CAs do it and some software
  132. # requires this to avoid interpreting an end user certificate as a CA.
  133. basicConstraints=CA:FALSE
  134. # Here are some examples of the usage of nsCertType. If it is omitted
  135. # the certificate can be used for anything *except* object signing.
  136. # This is OK for an SSL server.
  137. # nsCertType = server
  138. # For an object signing certificate this would be used.
  139. # nsCertType = objsign
  140. # For normal client use this is typical
  141. # nsCertType = client, email
  142. # and for everything including object signing:
  143. # nsCertType = client, email, objsign
  144. # This is typical in keyUsage for a client certificate.
  145. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  146. # This will be displayed in Netscape's comment listbox.
  147. nsComment = "Easy-RSA Generated Certificate"
  148. # PKIX recommendations harmless if included in all certificates.
  149. subjectKeyIdentifier=hash
  150. authorityKeyIdentifier=keyid,issuer:always
  151. extendedKeyUsage=clientAuth
  152. keyUsage = digitalSignature
  153. # This stuff is for subjectAltName and issuerAltname.
  154. # Import the email address.
  155. # subjectAltName=email:copy
  156. # Copy subject details
  157. # issuerAltName=issuer:copy
  158. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  159. #nsBaseUrl
  160. #nsRevocationUrl
  161. #nsRenewalUrl
  162. #nsCaPolicyUrl
  163. #nsSslServerName
  164. [ server ]
  165. # JY ADDED -- Make a cert with nsCertType set to "server"
  166. basicConstraints=CA:FALSE
  167. nsCertType = server
  168. nsComment = "Easy-RSA Generated Server Certificate"
  169. subjectKeyIdentifier=hash
  170. authorityKeyIdentifier=keyid,issuer:always
  171. extendedKeyUsage=serverAuth
  172. keyUsage = digitalSignature, keyEncipherment
  173. [ v3_req ]
  174. # Extensions to add to a certificate request
  175. basicConstraints = CA:FALSE
  176. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  177. [ v3_ca ]
  178. # Extensions for a typical CA
  179. # PKIX recommendation.
  180. subjectKeyIdentifier=hash
  181. authorityKeyIdentifier=keyid:always,issuer:always
  182. # This is what PKIX recommends but some broken software chokes on critical
  183. # extensions.
  184. #basicConstraints = critical,CA:true
  185. # So we do this instead.
  186. basicConstraints = CA:true
  187. # Key usage: this is typical for a CA certificate. However since it will
  188. # prevent it being used as an test self-signed certificate it is best
  189. # left out by default.
  190. # keyUsage = cRLSign, keyCertSign
  191. # Some might want this also
  192. # nsCertType = sslCA, emailCA
  193. # Include email address in subject alt name: another PKIX recommendation
  194. # subjectAltName=email:copy
  195. # Copy issuer details
  196. # issuerAltName=issuer:copy
  197. # DER hex encoding of an extension: beware experts only!
  198. # obj=DER:02:03
  199. # Where 'obj' is a standard or added object
  200. # You can even override a supported extension:
  201. # basicConstraints= critical, DER:30:03:01:01:FF
  202. [ crl_ext ]
  203. # CRL extensions.
  204. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  205. # issuerAltName=issuer:copy
  206. authorityKeyIdentifier=keyid:always,issuer:always
  207. [ engine_section ]
  208. #
  209. # If you are using PKCS#11
  210. # Install engine_pkcs11 of opensc (www.opensc.org)
  211. # And uncomment the following
  212. # verify that dynamic_path points to the correct location
  213. #
  214. #pkcs11 = pkcs11_section
  215. [ pkcs11_section ]
  216. engine_id = pkcs11
  217. dynamic_path = /usr/lib/engines/engine_pkcs11.so
  218. MODULE_PATH = $ENV::PKCS11_MODULE_PATH
  219. PIN = $ENV::PKCS11_PIN
  220. init = 0