[thirdparty/strongswan.git] / testing / hosts / winnetou / etc / openssl / ecdsa / openssl.cnf

# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
# Mario Strasser <mario.strasser@zhwin.ch>
#	

# This definitions were set by the ca_init script DO NOT change
# them manually.
CAHOME			= /etc/openssl/ecdsa 
RANDFILE		= $CAHOME/.rand

# Extra OBJECT IDENTIFIER info:
oid_section		= new_oids

[ new_oids ]
SmartcardLogin		= 1.3.6.1.4.1.311.20.2
ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2

####################################################################

[ ca ]
default_ca	= root_ca		# The default ca section

####################################################################

[ root_ca ]				

dir		= $CAHOME
certs		= $dir/certs		     # Where the issued certs are kept
crl_dir		= $dir/crl                   # Where the issued crl are kept
database	= $dir/index.txt             # database index file.
new_certs_dir   = $dir/newcerts              # default place for new certs.

certificate     = $dir/strongswan_ecCert.pem # The CA certificate
serial          = $dir/serial                # The current serial number
crl             = $dir/crl.pem               # The current CRL
crlnumber	= $dir/crlnumber	     # The current CRL serial number
private_key     = $dir/strongswan_ecKey.pem  # The private key
RANDFILE        = $dir/.rand                 # private random number file

x509_extensions = host_ext		     # The extensions to add to the cert

crl_extensions	= crl_ext  		     # The extensions to add to the CRL

default_days    = 1825                       # how long to certify for
default_crl_days= 30			     # how long before next CRL
default_md      = sha256                     # which md to use.
preserve        = no                         # keep passed DN ordering
email_in_dn	= no			     # allow/forbid EMail in DN

policy          = policy_match		     # specifying how similar the request must look

####################################################################

# the 'match' policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= optional
localityName            = optional
organizationName	= match
organizationalUnitName	= optional
userId			= optional
serialNumber		= optional
commonName		= supplied
emailAddress		= optional

# the 'anything' policy
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################

[ req ]
default_bits		= 1024
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions		= ca_ext	# The extensions to add to the self signed cert
# req_extensions 	= v3_req 	# The extensions to add to a certificate request


# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask 			= nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

####################################################################

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= CH
countryName_min			= 2
countryName_max			= 2

#stateOrProvinceName		= State or Province Name (full name)
#stateOrProvinceName_default	= ZH

#localityName			= Locality Name (eg, city)
#localityName_default		= Winterthur

organizationName		= Organization Name (eg, company)
organizationName_default	= Linux strongSwan

0.organizationalUnitName		= Organizational Unit Name (eg, section)
#0.organizationalUnitName_default	= Research

#1.organizationalUnitName	= Type (eg, Staff)
#1.organizationalUnitName_default = Staff

#userId				= UID 

commonName			= Common Name (eg, YOUR name)
commonName_default		= $ENV::COMMON_NAME
commonName_max			= 64

#0.emailAddress			= Email Address (eg, foo@bar.com)
#0.emailAddress_min              = 0
#0.emailAddress_max              = 40

#1.emailAddress                  = Second Email Address (eg, foo@bar.com)
#1.emailAddress_min              = 0
#1.emailAddress_max              = 40

####################################################################

[ req_attributes ]

####################################################################

[ host_ext ]

basicConstraints		= CA:FALSE
keyUsage 			= digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid, issuer:always
subjectAltName			= DNS:$ENV::COMMON_NAME
#extendedKeyUsage		= OCSPSigning
crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan_ec.crl

####################################################################

[ user_ext ]

basicConstraints		= CA:FALSE
keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid, issuer:always
subjectAltName                  = email:$ENV::COMMON_NAME 
#authorityInfoAccess		= OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan_ec.crl

####################################################################

[ ca_ext ]

basicConstraints               	= critical, CA:TRUE
keyUsage                        = cRLSign, keyCertSign
subjectKeyIdentifier           = hash
authorityKeyIdentifier         = keyid, issuer:always

####################################################################

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

#issuerAltName			= issuer:copy
authorityKeyIdentifier		= keyid:always, issuer:always

# eof
Commit	Line	Data
1bd02e86 AS	1	# openssl.cnf - OpenSSL configuration file for the ZHW PKI
1bd02e86 AS	2	# Mario Strasser <mario.strasser@zhwin.ch>
1bd02e86 AS	3	#
	4
	5	# This definitions were set by the ca_init script DO NOT change
2db6d5b8	6	# them manually.
1bd02e86 AS	7	CAHOME = /etc/openssl/ecdsa
	8	RANDFILE = $CAHOME/.rand
	9
	10	# Extra OBJECT IDENTIFIER info:
	11	oid_section = new_oids
	12
	13	[ new_oids ]
	14	SmartcardLogin = 1.3.6.1.4.1.311.20.2
	15	ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
	16
	17	####################################################################
	18
	19	[ ca ]
	20	default_ca = root_ca # The default ca section
	21
	22	####################################################################
	23
	24	[ root_ca ]
	25
	26	dir = $CAHOME
	27	certs = $dir/certs # Where the issued certs are kept
	28	crl_dir = $dir/crl # Where the issued crl are kept
	29	database = $dir/index.txt # database index file.
	30	new_certs_dir = $dir/newcerts # default place for new certs.
	31
	32	certificate = $dir/strongswan_ecCert.pem # The CA certificate
	33	serial = $dir/serial # The current serial number
	34	crl = $dir/crl.pem # The current CRL
	35	crlnumber = $dir/crlnumber # The current CRL serial number
	36	private_key = $dir/strongswan_ecKey.pem # The private key
	37	RANDFILE = $dir/.rand # private random number file
	38
f3bb1bd0	39	x509_extensions = host_ext # The extensions to add to the cert
1bd02e86	40
f3bb1bd0	41	crl_extensions = crl_ext # The extensions to add to the CRL
1bd02e86 AS	42
	43	default_days = 1825 # how long to certify for
	44	default_crl_days= 30 # how long before next CRL
	45	default_md = sha256 # which md to use.
	46	preserve = no # keep passed DN ordering
	47	email_in_dn = no # allow/forbid EMail in DN
	48
	49	policy = policy_match # specifying how similar the request must look
	50
	51	####################################################################
	52
	53	# the 'match' policy
	54	[ policy_match ]
	55	countryName = match
	56	stateOrProvinceName = optional
	57	localityName = optional
	58	organizationName = match
	59	organizationalUnitName = optional
	60	userId = optional
	61	serialNumber = optional
	62	commonName = supplied
	63	emailAddress = optional
	64
	65	# the 'anything' policy
	66	[ policy_anything ]
	67	countryName = optional
	68	stateOrProvinceName = optional
	69	localityName = optional
	70	organizationName = optional
	71	organizationalUnitName = optional
	72	commonName = supplied
	73	emailAddress = optional
	74
	75	####################################################################
	76
	77	[ req ]
	78	default_bits = 1024
	79	default_keyfile = privkey.pem
	80	distinguished_name = req_distinguished_name
	81	attributes = req_attributes
f3bb1bd0	82	x509_extensions = ca_ext # The extensions to add to the self signed cert
1bd02e86 AS	83	# req_extensions = v3_req # The extensions to add to a certificate request
	84
	85
	86	# This sets a mask for permitted string types. There are several options.
	87	# default: PrintableString, T61String, BMPString.
	88	# pkix : PrintableString, BMPString.
	89	# utf8only: only UTF8Strings.
	90	# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
	91	# MASK:XXXX a literal mask value.
	92	# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
	93	# so use this option with caution!
	94	string_mask = nombstr
	95
	96	# req_extensions = v3_req # The extensions to add to a certificate request
	97
	98	####################################################################
	99
	100	[ req_distinguished_name ]
	101	countryName = Country Name (2 letter code)
	102	countryName_default = CH
	103	countryName_min = 2
	104	countryName_max = 2
	105
	106	#stateOrProvinceName = State or Province Name (full name)
	107	#stateOrProvinceName_default = ZH
	108
	109	#localityName = Locality Name (eg, city)
	110	#localityName_default = Winterthur
	111
	112	organizationName = Organization Name (eg, company)
	113	organizationName_default = Linux strongSwan
	114
	115	0.organizationalUnitName = Organizational Unit Name (eg, section)
	116	#0.organizationalUnitName_default = Research
	117
	118	#1.organizationalUnitName = Type (eg, Staff)
	119	#1.organizationalUnitName_default = Staff
	120
	121	#userId = UID
	122
	123	commonName = Common Name (eg, YOUR name)
	124	commonName_default = $ENV::COMMON_NAME
	125	commonName_max = 64
	126
	127	#0.emailAddress = Email Address (eg, foo@bar.com)
	128	#0.emailAddress_min = 0
	129	#0.emailAddress_max = 40
	130
	131	#1.emailAddress = Second Email Address (eg, foo@bar.com)
	132	#1.emailAddress_min = 0
	133	#1.emailAddress_max = 40
	134
	135	####################################################################
	136
	137	[ req_attributes ]
	138
	139	####################################################################
	140
	141	[ host_ext ]
	142
	143	basicConstraints = CA:FALSE
	144	keyUsage = digitalSignature, keyEncipherment, keyAgreement
	145	subjectKeyIdentifier = hash
	146	authorityKeyIdentifier = keyid, issuer:always
147	subjectAltName = DNS:$ENV::COMMON_NAME
148	#extendedKeyUsage = OCSPSigning
149	crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl
150
151	####################################################################
152
153	[ user_ext ]
154
155	basicConstraints = CA:FALSE
156	keyUsage = digitalSignature, keyEncipherment, keyAgreement
157	subjectKeyIdentifier = hash
158	authorityKeyIdentifier = keyid, issuer:always
159	subjectAltName = email:$ENV::COMMON_NAME
160	#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
161	crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl
162
163	####################################################################
164
165	[ ca_ext ]
166
167	basicConstraints = critical, CA:TRUE
168	keyUsage = cRLSign, keyCertSign
169	subjectKeyIdentifier = hash
170	authorityKeyIdentifier = keyid, issuer:always
171
172	####################################################################
173
174	[ crl_ext ]
175
176	# CRL extensions.
177	# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
178
179	#issuerAltName = issuer:copy
180	authorityKeyIdentifier = keyid:always, issuer:always
181
182	# eof