[people/pmueller/ipfire-2.x.git] / config / ovpn / openssl / ovpn.cnf

HOME				= .
oid_section			= new_oids

[ new_oids ]

[ ca ]
default_ca			= openvpn

[ openvpn ]
dir				= /var/ipfire/ovpn
certs				= $dir/certs
crl_dir				= $dir/crl
database			= $dir/certs/index.txt
new_certs_dir			= $dir/certs
certificate			= $dir/ca/cacert.pem
serial				= $dir/certs/serial
crl				= $dir/crl.pem
private_key			= $dir/ca/cakey.pem
x509_extensions			= usr_cert
default_days			= 999999
default_crl_days		= 30
default_md			= sha256
preserve			= no
policy				= policy_match
email_in_dn			= no

[ policy_match ]
countryName			= optional
stateOrProvinceName		= optional
organizationName		= optional
organizationalUnitName		= optional
commonName			= supplied
emailAddress			= optional

[ req ]
default_bits			= 2048
default_keyfile 		= privkey.pem
distinguished_name		= req_distinguished_name
attributes			= req_attributes
x509_extensions			= v3_ca
string_mask 			= nombstr

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= GB
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= 

localityName			= Locality Name (eg, city)
#localityName_default		= 

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= My Company Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 40

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20
unstructuredName		= An optional company name

[ usr_cert ]
basicConstraints		= CA:FALSE
nsComment			= "OpenSSL Generated Certificate"
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid,issuer:always
extendedKeyUsage               = clientAuth
keyUsage                       = digitalSignature

[ server ]

# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints		= CA:FALSE
nsCertType			= server
nsComment			= "OpenSSL Generated Server Certificate"
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid,issuer:always 
extendedKeyUsage               = serverAuth
keyUsage                       = digitalSignature, keyEncipherment

[ v3_req ]
basicConstraints 		= CA:FALSE
keyUsage 			= nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid:always,issuer:always
basicConstraints 		= CA:true

[ crl_ext ]
authorityKeyIdentifier		= keyid:always,issuer:always

[ engine ]
default 			= openssl
Commit	Line	Data
c2b5d12b	1	HOME = .
c2b5d12b	2	oid_section = new_oids
6e13d0a5 MT	3
	4	[ new_oids ]
	5
	6	[ ca ]
c2b5d12b	7	default_ca = openvpn
6e13d0a5 MT	8
6e13d0a5 MT	9	[ openvpn ]
c2b5d12b EK	10	dir = /var/ipfire/ovpn
	11	certs = $dir/certs
	12	crl_dir = $dir/crl
	13	database = $dir/certs/index.txt
	14	new_certs_dir = $dir/certs
	15	certificate = $dir/ca/cacert.pem
	16	serial = $dir/certs/serial
	17	crl = $dir/crl.pem
	18	private_key = $dir/ca/cakey.pem
c2b5d12b EK	19	x509_extensions = usr_cert
	20	default_days = 999999
	21	default_crl_days = 30
	22	default_md = sha256
	23	preserve = no
	24	policy = policy_match
	25	email_in_dn = no
6e13d0a5 MT	26
6e13d0a5 MT	27	[ policy_match ]
c2b5d12b EK	28	countryName = optional
	29	stateOrProvinceName = optional
	30	organizationName = optional
	31	organizationalUnitName = optional
	32	commonName = supplied
	33	emailAddress = optional
6e13d0a5 MT	34
6e13d0a5 MT	35	[ req ]
c2b5d12b EK	36	default_bits = 2048
	37	default_keyfile = privkey.pem
	38	distinguished_name = req_distinguished_name
	39	attributes = req_attributes
	40	x509_extensions = v3_ca
	41	string_mask = nombstr
6e13d0a5 MT	42
	43	[ req_distinguished_name ]
	44	countryName = Country Name (2 letter code)
	45	countryName_default = GB
	46	countryName_min = 2
	47	countryName_max = 2
	48
	49	stateOrProvinceName = State or Province Name (full name)
	50	stateOrProvinceName_default =
	51
	52	localityName = Locality Name (eg, city)
	53	#localityName_default =
	54
	55	0.organizationName = Organization Name (eg, company)
	56	0.organizationName_default = My Company Ltd
	57
	58	organizationalUnitName = Organizational Unit Name (eg, section)
	59	#organizationalUnitName_default =
	60
	61	commonName = Common Name (eg, your name or your server\'s hostname)
	62	commonName_max = 64
	63
	64	emailAddress = Email Address
	65	emailAddress_max = 40
	66
	67	[ req_attributes ]
	68	challengePassword = A challenge password
	69	challengePassword_min = 4
	70	challengePassword_max = 20
	71	unstructuredName = An optional company name
	72
	73	[ usr_cert ]
c2b5d12b	74	basicConstraints = CA:FALSE
6e13d0a5	75	nsComment = "OpenSSL Generated Certificate"
c2b5d12b EK	76	subjectKeyIdentifier = hash
c2b5d12b EK	77	authorityKeyIdentifier = keyid,issuer:always
b66b02ab EK	78	extendedKeyUsage = clientAuth
b66b02ab EK	79	keyUsage = digitalSignature
6e13d0a5 MT	80
	81	[ server ]
	82
	83	# JY ADDED -- Make a cert with nsCertType set to "server"
c2b5d12b	84	basicConstraints = CA:FALSE
6e13d0a5 MT	85	nsCertType = server
6e13d0a5 MT	86	nsComment = "OpenSSL Generated Server Certificate"
c2b5d12b EK	87	subjectKeyIdentifier = hash
c2b5d12b EK	88	authorityKeyIdentifier = keyid,issuer:always
b66b02ab EK	89	extendedKeyUsage = serverAuth
b66b02ab EK	90	keyUsage = digitalSignature, keyEncipherment
6e13d0a5 MT	91
6e13d0a5 MT	92	[ v3_req ]
c2b5d12b EK	93	basicConstraints = CA:FALSE
c2b5d12b EK	94	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
6e13d0a5 MT	95
6e13d0a5 MT	96	[ v3_ca ]
c2b5d12b EK	97	subjectKeyIdentifier = hash
	98	authorityKeyIdentifier = keyid:always,issuer:always
	99	basicConstraints = CA:true
6e13d0a5 MT	100
6e13d0a5 MT	101	[ crl_ext ]
c2b5d12b	102	authorityKeyIdentifier = keyid:always,issuer:always
6e13d0a5 MT	103
6e13d0a5 MT	104	[ engine ]
c2b5d12b	105	default = openssl