# OpenSSL configuration for a small test CA; the [ req ] and [ ca ] sections
# below are picked up by `openssl req` and `openssl ca` respectively.
# Note: for this file to work, an environment variable CA_ROOT_DIR must be
# defined and must point to the CA top-level directory (see dir in [ CA_default ]).
HOME = .
# $ENV::HOME expands to the HOME environment variable, not to the HOME key above.
RANDFILE = $ENV::HOME/.rnd
# Section holding additional OIDs (currently empty, see [ new_oids ]).
oid_section = new_oids
[ new_oids ]
# Custom OIDs (name = numeric OID) go here; referenced by oid_section above.
####################################################################
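[ req ]
# Options for `openssl req` (CSRs and the self-signed CA certificate).
# RSA key size for generated keys. 1024-bit RSA is deprecated and refused by
# many current verifiers (OpenSSL security level 2 and above); 2048 is the
# practical minimum today.
default_bits = 2048
# Digest used to sign the request / self-signed certificate; SHA-1 signatures
# are no longer accepted by most verifiers.
default_md = sha256
# default_keyfile = privkey.pem
# Only UTF8String is used for DN string fields.
string_mask = utf8only
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req # overwrite with -reqexts
x509_extensions = ca_cert # overwrite with -extensions; used for self-signed keys only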
[ req_distinguished_name ]
# DN prompts for `openssl req` (distinguished_name in [ req ]).
# Fields are prompted for, and placed in the DN, in the order listed here.
# <field>_default is used when the prompt is answered with an empty line;
# <field>_min / <field>_max bound the length of the entered value.
# The "0." / "1." prefixes let the same field (organizationName) appear twice.
countryName = Country Name (2 letter code)
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Tokyo
localityName = Locality Name (eg, city)
localityName_default = Koganei
0.organizationName = Organization Name (eg, company)
0.organizationName_default = WIDE
1.organizationName = Second Organization Name (eg, company)
1.organizationName_default = NICT
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = AAA WG testbed
[ req_attributes ]
# Optional request attributes prompted by `openssl req` (attributes in [ req ]).
# The challenge password, if given, is stored in the CSR only; it is not part
# of the issued certificate.
challengePassword = A challenge password
challengePassword_min = 0
challengePassword_max = 20
unstructuredName = An optional company name
[ v3_req ]
# Extensions to add to a certificate request (req_extensions in [ req ]).
# NOTE: [ CA_default ] sets no copy_extensions, so extensions carried in a CSR
# are not copied into the issued certificate; the ca's x509_extensions section
# (usr_cert) decides what the certificate gets.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_req_ca ]
# Extensions to add to a certificate request for a CA (select with -reqexts v3_req_ca).
# As with v3_req, these only mark the request; without copy_extensions in
# [ CA_default ] the signing CA's x509_extensions section decides the result.
basicConstraints = CA:TRUE
####################################################################
[ ca ]
# Entry point for `openssl ca`; points at the section holding the real settings.
default_ca = CA_default # The default ca section
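[ CA_default ]
# Settings for `openssl ca`. Every path below is built from $dir, which comes
# from the CA_ROOT_DIR environment variable and must be set before running.
dir = $ENV::CA_ROOT_DIR # Where everything is kept
certs = $dir/public # Where the issued certs are kept
crl_dir = $dir/public # Where the issued CRLs are kept
database = $dir/index.txt # database index file
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with the same subject.
new_certs_dir = $dir/public # default place for new certs
certificate = $dir/public/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current CRL number
crl = $dir/public/local.pem # The current CRL
# The CA private key; $dir/private must not be world-readable.
private_key = $dir/private/cakey.pem
x509_extensions = usr_cert # The extensions to add to the cert
# overwrite with -extensions
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
crl_extensions = crl_ext
default_days = 3650 # how long to certify for (days)
default_crl_days = 365 # how long before next CRL (days)
# Digest for signing issued certificates and CRLs. SHA-1 certificate signatures
# are rejected by current browsers and TLS libraries, so sha256 is used.
default_md = sha256
preserve = no # keep passed DN ordering
# We accept to sign anything, but a real deployment would limit to proper domain etc...
policy = policy_anything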
[ policy_anything ]
# Subject-name policy referenced by policy in [ CA_default ]:
# "optional" fields may be absent from the request, "supplied" fields must be
# present. Only commonName is required, so any subject is accepted.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
# Extensions placed in end-entity certificates issued by `openssl ca`
# (x509_extensions in [ CA_default ]).
# Issued certificates must not act as CAs.
basicConstraints = CA:FALSE
# Typical keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Key identifiers linking the certificate to the issuing CA.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ ca_cert ]
# Extensions for the self-signed CA certificate (x509_extensions in [ req ]).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Marked critical so verifiers cannot ignore the CA flag; drop "critical," if a
# peer cannot handle it.
basicConstraints = critical,CA:true
# The CA key is used only to sign certificates and CRLs.
keyUsage = cRLSign, keyCertSign
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
[ crl_ext ]
# Extensions for CRLs (crl_extensions in [ CA_default ]).
# Only issuerAltName and authorityKeyIdentifier make sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always