robin.thoni
/
vpngen
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
2 Branches
Tree: a96a5d7f93
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a96a5d7f93'
${ noResults }
vpngen/vpngen/default/easy-rsa/openssl.cnf

openssl.cnf 8.1KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291 
  1. # For use with easy-rsa version 2.0

  2. 

  3. #

  4. # OpenSSL example configuration file.

  5. # This is mostly being used for generation of certificate requests.

  6. #

  7. 

  8. # This definition stops the following lines choking if HOME isn't

  9. # defined.

  10. HOME			= .

  11. RANDFILE		= $ENV::HOME/.rnd

  12. openssl_conf		= openssl_init

  13. 

  14. [ openssl_init ]

  15. # Extra OBJECT IDENTIFIER info:

  16. #oid_file		= $ENV::HOME/.oid

  17. oid_section		= new_oids

  18. engines                 = engine_section

  19. 

  20. # To use this configuration file with the "-extfile" option of the

  21. # "openssl x509" utility, name here the section containing the

  22. # X.509v3 extensions to use:

  23. # extensions		= 

  24. # (Alternatively, use a configuration file that has only

  25. # X.509v3 extensions in its main [= default] section.)

  26. 

  27. [ new_oids ]

  28. 

  29. # We can add new OIDs in here for use by 'ca' and 'req'.

  30. # Add a simple OID like this:

  31. # testoid1=1.2.3.4

  32. # Or use config file substitution like this:

  33. # testoid2=${testoid1}.5.6

  34. 

  35. ####################################################################

  36. [ ca ]

  37. default_ca	= CA_default		# The default ca section

  38. 

  39. ####################################################################

  40. [ CA_default ]

  41. 

  42. dir		= $ENV::KEY_DIR		# Where everything is kept

  43. certs		= $dir			# Where the issued certs are kept

  44. crl_dir		= $dir			# Where the issued crl are kept

  45. database	= $dir/index.txt	# database index file.

  46. new_certs_dir	= $dir			# default place for new certs.

  47. 

  48. certificate	= $dir/ca.crt	 	# The CA certificate

  49. serial		= $dir/serial 		# The current serial number

  50. crl		= $dir/crl.pem 		# The current CRL

  51. private_key	= $dir/ca.key	 	# The private key

  52. RANDFILE	= $dir/.rand		# private random number file

  53. 

  54. x509_extensions	= usr_cert		# The extentions to add to the cert

  55. 

  56. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

  57. # so this is commented out by default to leave a V1 CRL.

  58. # crl_extensions	= crl_ext

  59. 

  60. default_days	= 3650			# how long to certify for

  61. default_crl_days= 30			# how long before next CRL

  62. default_md	= md5			# which md to use.

  63. preserve	= no			# keep passed DN ordering

  64. 

  65. # A few difference way of specifying how similar the request should look

  66. # For type CA, the listed attributes must be the same, and the optional

  67. # and supplied fields are just that :-)

  68. policy		= policy_anything

  69. 

  70. # For the CA policy

  71. [ policy_match ]

  72. countryName		= match

  73. stateOrProvinceName	= match

  74. organizationName	= match

  75. organizationalUnitName	= optional

  76. commonName		= supplied

  77. name			= optional

  78. emailAddress		= optional

  79. 

  80. # For the 'anything' policy

  81. # At this point in time, you must list all acceptable 'object'

  82. # types.

  83. [ policy_anything ]

  84. countryName		= optional

  85. stateOrProvinceName	= optional

  86. localityName		= optional

  87. organizationName	= optional

  88. organizationalUnitName	= optional

  89. commonName		= supplied

  90. name			= optional

  91. emailAddress		= optional

  92. 

  93. ####################################################################

  94. [ req ]

  95. default_bits		= $ENV::KEY_SIZE

  96. default_keyfile 	= privkey.pem

  97. distinguished_name	= req_distinguished_name

  98. attributes		= req_attributes

  99. x509_extensions	= v3_ca	# The extentions to add to the self signed cert

  100. 

  101. # Passwords for private keys if not present they will be prompted for

  102. # input_password = secret

  103. # output_password = secret

  104. 

  105. # This sets a mask for permitted string types. There are several options. 

  106. # default: PrintableString, T61String, BMPString.

  107. # pkix	 : PrintableString, BMPString.

  108. # utf8only: only UTF8Strings.

  109. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

  110. # MASK:XXXX a literal mask value.

  111. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings

  112. # so use this option with caution!

  113. string_mask = nombstr

  114. 

  115. # req_extensions = v3_req # The extensions to add to a certificate request

  116. 

  117. [ req_distinguished_name ]

  118. countryName			= Country Name (2 letter code)

  119. countryName_default		= $ENV::KEY_COUNTRY

  120. countryName_min			= 2

  121. countryName_max			= 2

  122. 

  123. stateOrProvinceName		= State or Province Name (full name)

  124. stateOrProvinceName_default	= $ENV::KEY_PROVINCE

  125. 

  126. localityName			= Locality Name (eg, city)

  127. localityName_default		= $ENV::KEY_CITY

  128. 

  129. 0.organizationName		= Organization Name (eg, company)

  130. 0.organizationName_default	= $ENV::KEY_ORG

  131. 

  132. # we can do this but it is not needed normally :-)

  133. #1.organizationName		= Second Organization Name (eg, company)

  134. #1.organizationName_default	= World Wide Web Pty Ltd

  135. 

  136. organizationalUnitName		= Organizational Unit Name (eg, section)

  137. #organizationalUnitName_default	=

  138. 

  139. commonName			= Common Name (eg, your name or your server\'s hostname)

  140. commonName_max			= 64

  141. 

  142. name				= Name

  143. name_max			= 64

  144. 

  145. emailAddress			= Email Address

  146. emailAddress_default		= $ENV::KEY_EMAIL

  147. emailAddress_max		= 40

  148. 

  149. # JY -- added for batch mode

  150. organizationalUnitName_default = $ENV::KEY_OU

  151. commonName_default = $ENV::KEY_CN

  152. name_default = $ENV::KEY_NAME

  153. 

  154. # SET-ex3			= SET extension number 3

  155. 

  156. [ req_attributes ]

  157. challengePassword		= A challenge password

  158. challengePassword_min		= 4

  159. challengePassword_max		= 20

  160. 

  161. unstructuredName		= An optional company name

  162. 

  163. [ usr_cert ]

  164. 

  165. # These extensions are added when 'ca' signs a request.

  166. 

  167. # This goes against PKIX guidelines but some CAs do it and some software

  168. # requires this to avoid interpreting an end user certificate as a CA.

  169. 

  170. basicConstraints=CA:FALSE

  171. 

  172. # Here are some examples of the usage of nsCertType. If it is omitted

  173. # the certificate can be used for anything *except* object signing.

  174. 

  175. # This is OK for an SSL server.

  176. # nsCertType			= server

  177. 

  178. # For an object signing certificate this would be used.

  179. # nsCertType = objsign

  180. 

  181. # For normal client use this is typical

  182. # nsCertType = client, email

  183. 

  184. # and for everything including object signing:

  185. # nsCertType = client, email, objsign

  186. 

  187. # This is typical in keyUsage for a client certificate.

  188. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

  189. 

  190. # This will be displayed in Netscape's comment listbox.

  191. nsComment			= "Easy-RSA Generated Certificate"

  192. 

  193. # PKIX recommendations harmless if included in all certificates.

  194. subjectKeyIdentifier=hash

  195. authorityKeyIdentifier=keyid,issuer:always

  196. extendedKeyUsage=clientAuth

  197. keyUsage = digitalSignature

  198. 

  199. # This stuff is for subjectAltName and issuerAltname.

  200. # Import the email address.

  201. # subjectAltName=email:copy

  202. 

  203. # Copy subject details

  204. # issuerAltName=issuer:copy

  205. 

  206. #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem

  207. #nsBaseUrl

  208. #nsRevocationUrl

  209. #nsRenewalUrl

  210. #nsCaPolicyUrl

  211. #nsSslServerName

  212. 

  213. [ server ]

  214. 

  215. # JY ADDED -- Make a cert with nsCertType set to "server"

  216. basicConstraints=CA:FALSE

  217. nsCertType			= server

  218. nsComment			= "Easy-RSA Generated Server Certificate"

  219. subjectKeyIdentifier=hash

  220. authorityKeyIdentifier=keyid,issuer:always

  221. extendedKeyUsage=serverAuth

  222. keyUsage = digitalSignature, keyEncipherment

  223. 

  224. [ v3_req ]

  225. 

  226. # Extensions to add to a certificate request

  227. 

  228. basicConstraints = CA:FALSE

  229. keyUsage = nonRepudiation, digitalSignature, keyEncipherment

  230. 

  231. [ v3_ca ]

  232. 

  233. 

  234. # Extensions for a typical CA

  235. 

  236. 

  237. # PKIX recommendation.

  238. 

  239. subjectKeyIdentifier=hash

  240. 

  241. authorityKeyIdentifier=keyid:always,issuer:always

  242. 

  243. # This is what PKIX recommends but some broken software chokes on critical

  244. # extensions.

  245. #basicConstraints = critical,CA:true

  246. # So we do this instead.

  247. basicConstraints = CA:true

  248. 

  249. # Key usage: this is typical for a CA certificate. However since it will

  250. # prevent it being used as an test self-signed certificate it is best

  251. # left out by default.

  252. # keyUsage = cRLSign, keyCertSign

  253. 

  254. # Some might want this also

  255. # nsCertType = sslCA, emailCA

  256. 

  257. # Include email address in subject alt name: another PKIX recommendation

  258. # subjectAltName=email:copy

  259. # Copy issuer details

  260. # issuerAltName=issuer:copy

  261. 

  262. # DER hex encoding of an extension: beware experts only!

  263. # obj=DER:02:03

  264. # Where 'obj' is a standard or added object

  265. # You can even override a supported extension:

  266. # basicConstraints= critical, DER:30:03:01:01:FF

  267. 

  268. [ crl_ext ]

  269. 

  270. # CRL extensions.

  271. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

  272. 

  273. # issuerAltName=issuer:copy

  274. authorityKeyIdentifier=keyid:always,issuer:always

  275. 

  276. [ engine_section ]

  277. #

  278. # If you are using PKCS#11

  279. # Install engine_pkcs11 of opensc (www.opensc.org)

  280. # And uncomment the following

  281. # verify that dynamic_path points to the correct location

  282. #

  283. #pkcs11 = pkcs11_section

  284. 

  285. [ pkcs11_section ]

  286. engine_id = pkcs11

  287. dynamic_path = /usr/lib/engines/engine_pkcs11.so

  288. MODULE_PATH = $ENV::PKCS11_MODULE_PATH

  289. PIN = $ENV::PKCS11_PIN

  290. init = 0