1 # openssl.cnf - OpenSSL configuration file
4 # This definitions were set by the ca_init script DO NOT change
6 CAHOME = /etc/openssl/sales
7 RANDFILE = $CAHOME/.rand
9 ####################################################################
12 default_ca = root_ca # The default ca section
14 ####################################################################
19 certs = $dir/certs # Where the issued certs are kept
20 crl_dir = $dir/crl # Where the issued crl are kept
21 database = $dir/index.txt # database index file.
22 new_certs_dir = $dir/newcerts # default place for new certs.
24 certificate = $dir/salesCert.pem # The CA certificate
25 serial = $dir/serial # The current serial number
26 crl = $dir/crl.pem # The current CRL
27 crlnumber = $dir/crlnumber # The current CRL serial number
28 private_key = $dir/salesKey.pem # The private key
29 RANDFILE = $dir/.rand # private random number file
31 x509_extensions = host_ext # The extensions to add to the cert
33 crl_extensions = crl_ext # The extensions to add to the CRL
35 default_days = 1825 # how long to certify for
36 default_crl_days= 30 # how long before next CRL
37 default_md = sha256 # which md to use.
38 preserve = no # keep passed DN ordering
39 email_in_dn = no # allow/forbid EMail in DN
41 policy = policy_match # specifying how similar the request must look
43 ####################################################################
48 stateOrProvinceName = optional
49 localityName = optional
50 organizationName = match
51 organizationalUnitName = optional
54 emailAddress = optional
56 # the 'anything' policy
58 countryName = optional
59 stateOrProvinceName = optional
60 localityName = optional
61 organizationName = optional
62 organizationalUnitName = optional
64 emailAddress = optional
66 ####################################################################
70 default_keyfile = privkey.pem
71 distinguished_name = req_distinguished_name
72 attributes = req_attributes
73 x509_extensions = ca_ext # The extensions to add to the self signed cert
74 # req_extensions = v3_req # The extensions to add to a certificate request
77 # This sets a mask for permitted string types. There are several options.
78 # default: PrintableString, T61String, BMPString.
79 # pkix : PrintableString, BMPString.
80 # utf8only: only UTF8Strings.
81 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
82 # MASK:XXXX a literal mask value.
83 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
84 # so use this option with caution!
87 # req_extensions = v3_req # The extensions to add to a certificate request
89 ####################################################################
91 [ req_distinguished_name ]
92 countryName = Country Name (2 letter code)
93 countryName_default = CH
97 #stateOrProvinceName = State or Province Name (full name)
98 #stateOrProvinceName_default = ZH
100 #localityName = Locality Name (eg, city)
101 #localityName_default = Winterthur
103 organizationName = Organization Name (eg, company)
104 organizationName_default = Linux strongSwan
106 0.organizationalUnitName = Organizational Unit Name (eg, section)
107 0.organizationalUnitName_default = Sales
109 #1.organizationalUnitName = Type (eg, Staff)
110 #1.organizationalUnitName_default = Staff
114 commonName = Common Name (eg, YOUR name)
115 commonName_default = $ENV::COMMON_NAME
118 #0.emailAddress = Email Address (eg, foo@bar.com)
119 #0.emailAddress_min = 0
120 #0.emailAddress_max = 40
122 #1.emailAddress = Second Email Address (eg, foo@bar.com)
123 #1.emailAddress_min = 0
124 #1.emailAddress_max = 40
126 ####################################################################
130 ####################################################################
134 basicConstraints = CA:FALSE
135 keyUsage = digitalSignature, keyEncipherment, keyAgreement
136 subjectKeyIdentifier = hash
137 authorityKeyIdentifier = keyid, issuer:always
138 subjectAltName = DNS:$ENV::COMMON_NAME
139 #extendedKeyUsage = OCSPSigning
140 crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl
142 ####################################################################
146 basicConstraints = CA:FALSE
147 keyUsage = digitalSignature, keyEncipherment, keyAgreement
148 subjectKeyIdentifier = hash
149 authorityKeyIdentifier = keyid, issuer:always
150 subjectAltName = email:$ENV::COMMON_NAME
151 crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl
152 #authorityInfoAccess = OCSP;URI:http://ocsp2.strongswan.org:8882
154 ####################################################################
158 basicConstraints = critical, CA:TRUE
159 keyUsage = cRLSign, keyCertSign
160 subjectKeyIdentifier = hash
161 authorityKeyIdentifier = keyid, issuer:always
163 ####################################################################
168 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
170 #issuerAltName = issuer:copy
171 authorityKeyIdentifier = keyid:always, issuer:always