Subversion Repositories configs

Rev

Details | Last modification | View Log | RSS feed

Rev Author Line No. Line
3 - 1 
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
2 
 
3 
# This definition stops the following lines choking if HOME isn't
4 
# defined.
5 
HOME			= .
6 
RANDFILE		= $ENV::HOME/.rnd
7 
openssl_conf		= openssl_init
8 
 
9 
[ openssl_init ]
10 
# Extra OBJECT IDENTIFIER info:
11 
#oid_file		= $ENV::HOME/.oid
12 
oid_section		= new_oids
13 
engines			= engine_section
14 
 
15 
# To use this configuration file with the "-extfile" option of the
16 
# "openssl x509" utility, name here the section containing the
17 
# X.509v3 extensions to use:
18 
# extensions		=
19 
# (Alternatively, use a configuration file that has only
20 
# X.509v3 extensions in its main [= default] section.)
21 
 
22 
[ new_oids ]
23 
 
24 
# We can add new OIDs in here for use by 'ca' and 'req'.
25 
# Add a simple OID like this:
26 
# testoid1=1.2.3.4
27 
# Or use config file substitution like this:
28 
# testoid2=${testoid1}.5.6
29 
 
30 
####################################################################
31 
[ ca ]
32 
default_ca	= CA_default		# The default ca section
33 
 
34 
####################################################################
35 
[ CA_default ]
36 
 
37 
dir		= $ENV::KEY_DIR		# Where everything is kept
38 
certs		= $dir			# Where the issued certs are kept
39 
crl_dir		= $dir			# Where the issued crl are kept
40 
database	= $dir/index.txt	# database index file.
41 
new_certs_dir	= $dir			# default place for new certs.
42 
 
43 
certificate	= $dir/ca.crt	 	# The CA certificate
44 
serial		= $dir/serial 		# The current serial number
45 
crl		= $dir/crl.pem 		# The current CRL
46 
private_key	= $dir/ca.key		# The private key
47 
RANDFILE	= $dir/.rand		# private random number file
48 
 
49 
x509_extensions	= usr_cert		# The extentions to add to the cert
50 
 
51 
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
52 
# so this is commented out by default to leave a V1 CRL.
53 
# crl_extensions	= crl_ext
54 
 
55 
default_days	= 3650			# how long to certify for
56 
default_crl_days= 30			# how long before next CRL
57 
default_md	= md5			# use public key default MD
58 
preserve	= no			# keep passed DN ordering
59 
 
60 
# A few difference way of specifying how similar the request should look
61 
# For type CA, the listed attributes must be the same, and the optional
62 
# and supplied fields are just that :-)
63 
policy		= policy_anything
64 
 
65 
# For the CA policy
66 
[ policy_match ]
67 
countryName		= match
68 
stateOrProvinceName	= match
69 
organizationName	= match
70 
organizationalUnitName	= optional
71 
commonName		= supplied
72 
name			= optional
73 
emailAddress		= optional
74 
 
75 
# For the 'anything' policy
76 
# At this point in time, you must list all acceptable 'object'
77 
# types.
78 
[ policy_anything ]
79 
countryName		= optional
80 
stateOrProvinceName	= optional
81 
localityName		= optional
82 
organizationName	= optional
83 
organizationalUnitName	= optional
84 
commonName		= supplied
85 
name			= optional
86 
emailAddress		= optional
87 
 
88 
####################################################################
89 
[ req ]
90 
default_bits		= $ENV::KEY_SIZE
91 
default_keyfile 	= privkey.pem
92 
distinguished_name	= req_distinguished_name
93 
attributes		= req_attributes
94 
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
95 
 
96 
# Passwords for private keys if not present they will be prompted for
97 
# input_password = secret
98 
# output_password = secret
99 
 
100 
# This sets a mask for permitted string types. There are several options.
101 
# default: PrintableString, T61String, BMPString.
102 
# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
103 
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
104 
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
105 
# MASK:XXXX a literal mask value.
106 
string_mask = nombstr
107 
 
108 
# req_extensions = v3_req # The extensions to add to a certificate request
109 
 
110 
[ req_distinguished_name ]
111 
countryName			= Country Name (2 letter code)
112 
countryName_default		= $ENV::KEY_COUNTRY
113 
countryName_min			= 2
114 
countryName_max			= 2
115 
 
116 
stateOrProvinceName		= State or Province Name (full name)
117 
stateOrProvinceName_default	= $ENV::KEY_PROVINCE
118 
 
119 
localityName			= Locality Name (eg, city)
120 
localityName_default		= $ENV::KEY_CITY
121 
 
122 
0.organizationName		= Organization Name (eg, company)
123 
0.organizationName_default	= $ENV::KEY_ORG
124 
 
125 
# we can do this but it is not needed normally :-)
126 
#1.organizationName		= Second Organization Name (eg, company)
127 
#1.organizationName_default	= World Wide Web Pty Ltd
128 
 
129 
organizationalUnitName		= Organizational Unit Name (eg, section)
130 
#organizationalUnitName_default	=
131 
 
132 
commonName			= Common Name (eg, your name or your server\'s hostname)
133 
commonName_max			= 64
134 
 
135 
name				= Name
136 
name_max			= 64
137 
 
138 
emailAddress			= Email Address
139 
emailAddress_default		= $ENV::KEY_EMAIL
140 
emailAddress_max		= 40
141 
 
142 
# JY -- added for batch mode
143 
organizationalUnitName_default = $ENV::KEY_OU
144 
commonName_default = $ENV::KEY_CN
145 
name_default = $ENV::KEY_NAME
146 
 
147 
 
148 
# SET-ex3			= SET extension number 3
149 
 
150 
[ req_attributes ]
151 
challengePassword		= A challenge password
152 
challengePassword_min		= 4
153 
challengePassword_max		= 20
154 
 
155 
unstructuredName		= An optional company name
156 
 
157 
[ usr_cert ]
158 
 
159 
# These extensions are added when 'ca' signs a request.
160 
 
161 
# This goes against PKIX guidelines but some CAs do it and some software
162 
# requires this to avoid interpreting an end user certificate as a CA.
163 
 
164 
basicConstraints=CA:FALSE
165 
 
166 
# Here are some examples of the usage of nsCertType. If it is omitted
167 
# the certificate can be used for anything *except* object signing.
168 
 
169 
# This is OK for an SSL server.
170 
# nsCertType			= server
171 
 
172 
# For an object signing certificate this would be used.
173 
# nsCertType = objsign
174 
 
175 
# For normal client use this is typical
176 
# nsCertType = client, email
177 
 
178 
# and for everything including object signing:
179 
# nsCertType = client, email, objsign
180 
 
181 
# This is typical in keyUsage for a client certificate.
182 
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
183 
 
184 
# This will be displayed in Netscape's comment listbox.
185 
nsComment			= "Easy-RSA Generated Certificate"
186 
 
187 
# PKIX recommendations harmless if included in all certificates.
188 
subjectKeyIdentifier=hash
189 
authorityKeyIdentifier=keyid,issuer:always
190 
extendedKeyUsage=clientAuth
191 
keyUsage = digitalSignature
192 
 
193 
 
194 
# This stuff is for subjectAltName and issuerAltname.
195 
# Import the email address.
196 
# subjectAltName=email:copy
197 
 
198 
# Copy subject details
199 
# issuerAltName=issuer:copy
200 
 
201 
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
202 
#nsBaseUrl
203 
#nsRevocationUrl
204 
#nsRenewalUrl
205 
#nsCaPolicyUrl
206 
#nsSslServerName
207 
 
208 
[ server ]
209 
 
210 
# JY ADDED -- Make a cert with nsCertType set to "server"
211 
basicConstraints=CA:FALSE
212 
nsCertType                     = server
213 
nsComment                      = "Easy-RSA Generated Server Certificate"
214 
subjectKeyIdentifier=hash
215 
authorityKeyIdentifier=keyid,issuer:always
216 
extendedKeyUsage=serverAuth
217 
keyUsage = digitalSignature, keyEncipherment
218 
 
219 
[ v3_req ]
220 
 
221 
# Extensions to add to a certificate request
222 
 
223 
basicConstraints = CA:FALSE
224 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
225 
 
226 
[ v3_ca ]
227 
 
228 
 
229 
# Extensions for a typical CA
230 
 
231 
 
232 
# PKIX recommendation.
233 
 
234 
subjectKeyIdentifier=hash
235 
 
236 
authorityKeyIdentifier=keyid:always,issuer:always
237 
 
238 
# This is what PKIX recommends but some broken software chokes on critical
239 
# extensions.
240 
#basicConstraints = critical,CA:true
241 
# So we do this instead.
242 
basicConstraints = CA:true
243 
 
244 
# Key usage: this is typical for a CA certificate. However since it will
245 
# prevent it being used as an test self-signed certificate it is best
246 
# left out by default.
247 
# keyUsage = cRLSign, keyCertSign
248 
 
249 
# Some might want this also
250 
# nsCertType = sslCA, emailCA
251 
 
252 
# Include email address in subject alt name: another PKIX recommendation
253 
# subjectAltName=email:copy
254 
# Copy issuer details
255 
# issuerAltName=issuer:copy
256 
 
257 
# DER hex encoding of an extension: beware experts only!
258 
# obj=DER:02:03
259 
# Where 'obj' is a standard or added object
260 
# You can even override a supported extension:
261 
# basicConstraints= critical, DER:30:03:01:01:FF
262 
 
263 
[ crl_ext ]
264 
 
265 
# CRL extensions.
266 
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
267 
 
268 
# issuerAltName=issuer:copy
269 
authorityKeyIdentifier=keyid:always,issuer:always
270 
 
271 
[ engine_section ]
272 
#
273 
# If you are using PKCS#11
274 
# Install engine_pkcs11 of opensc (www.opensc.org)
275 
# And uncomment the following
276 
# verify that dynamic_path points to the correct location
277 
#
278 
#pkcs11 = pkcs11_section
279 
 
280 
[ pkcs11_section ]
281 
engine_id = pkcs11
282 
dynamic_path = /usr/lib/engines/engine_pkcs11.so
283 
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
284 
PIN = $ENV::PKCS11_PIN
285 
init = 0