added strongSwan EC Root CA
[strongswan.git] / testing / hosts / winnetou / etc / openssl / ecdsa / openssl.cnf
# openssl.cnf - OpenSSL configuration file for the ZHW PKI
# Mario Strasser <mario.strasser@zhwin.ch>
#
# $Id: openssl.cnf,v 1.2 2005/08/15 21:25:22 as Exp $
#

# Global settings. They precede every section header, so the sections
# below can expand them as variables (e.g. $CAHOME).
# These definitions were set by the ca_init script. DO NOT change them
# manually.

# Base directory of this CA.
CAHOME = /etc/openssl/ecdsa
# Random seed file.
RANDFILE = $CAHOME/.rand

# Name of the section that holds extra OBJECT IDENTIFIER definitions.
oid_section = new_oids

# Additional object identifiers, registered under a short name.
# No extension section in this file refers to these names.
# NOTE(review): 1.3.6.1.4.1.311.20.2.2 is commonly documented as the
# Microsoft smart card logon key purpose, and 1.3.6.1.4.1.311.20.2 as a
# certificate-template extension; the names below look shifted. Confirm
# before using either name in an extendedKeyUsage line.
[ new_oids ]
SmartcardLogin = 1.3.6.1.4.1.311.20.2
ClientAuthentication = 1.3.6.1.4.1.311.20.2.2

####################################################################

# Entry point for the `openssl ca` command.
[ ca ]
# The CA section to use when none is named on the command line.
default_ca = root_ca

####################################################################

# Files, lifetimes and defaults of the root CA.
[ root_ca ]

# Every path below is built from the CA home directory.
dir = $CAHOME
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# Database index file
database = $dir/index.txt
# Default place for new certs
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/strongswan_ecCert.pem
# The current serial number
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The current CRL serial number
crlnumber = $dir/crlnumber
# The CA private key. Anyone who can read this file can issue
# certificates under this CA; restrict it to the CA operator.
private_key = $dir/strongswan_ecKey.pem
# Private random number file
RANDFILE = $dir/.rand

# Extension section added to issued certificates by default
x509_extensions = host_ext

# Extension section added to CRLs
crl_extensions = crl_ext

# copy_extensions is not set, so extensions carried in a request are
# ignored (OpenSSL default); only the sections named above decide what
# ends up in a certificate.

# How long to certify for, in days
default_days = 1825
# Days until the next CRL is due
default_crl_days = 30
# Message digest used for signing
default_md = sha256
# Keep passed DN ordering
preserve = no
# Allow/forbid e-mail address in the DN
email_in_dn = no

# Policy section that decides how similar the request must look
policy = policy_match

####################################################################

# The 'match' policy.
#   match    - the field must equal the same field of the CA certificate
#   supplied - the field must be present in the request
#   optional - the field may be present
# DN fields that are not listed here are dropped from the issued
# certificate.
[ policy_match ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
userId = optional
serialNumber = optional
commonName = supplied
emailAddress = optional

# The 'anything' policy: only commonName is required, nothing has to
# match the CA certificate. It is not the policy configured in
# [ root_ca ] and takes effect only when selected explicitly.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

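####################################################################

# Defaults for the `openssl req` command.
[ req ]
# Key size used when req generates a new key and no size is given.
# Raised from 1024: RSA keys of that size are below current minimum
# recommendations. The size of an EC key is determined by its curve,
# not by this value.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self-signed cert
x509_extensions = ca_ext
# The extensions to add to a certificate request. Left disabled; no
# v3_req section is defined in the visible part of this file, so add
# one before enabling this line.
# req_extensions = v3_req

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# NOTE(review): the Netscape warning above is historical, and current
# OpenSSL releases default to utf8only. Changing the mask changes how the
# DN strings of new requests are encoded, so check the consumers of these
# certificates before switching.
string_mask = nombstr
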
####################################################################

# Prompts, defaults and length limits for the subject DN of a request.
# Lines starting with '#' are fields that are currently not asked for.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CH
countryName_min = 2
countryName_max = 2

#stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = ZH

#localityName = Locality Name (eg, city)
#localityName_default = Winterthur

organizationName = Organization Name (eg, company)
organizationName_default = Linux strongSwan

0.organizationalUnitName = Organizational Unit Name (eg, section)
#0.organizationalUnitName_default = Research

#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff

#userId = UID

commonName = Common Name (eg, YOUR name)
# The default is read from the COMMON_NAME environment variable. The
# variable has to be set whenever this file is loaded, and its value is
# offered as the subject name unchanged, so the calling script is the
# place to validate it.
commonName_default = $ENV::COMMON_NAME
commonName_max = 64

#0.emailAddress = Email Address (eg, foo@bar.com)
#0.emailAddress_min = 0
#0.emailAddress_max = 40

#1.emailAddress = Second Email Address (eg, foo@bar.com)
#1.emailAddress_min = 0
#1.emailAddress_max = 40

####################################################################

# Request attributes; intentionally empty, but the section has to exist
# because [ req ] names it in its attributes setting.
[ req_attributes ]

####################################################################

# Extensions for host certificates. [ root_ca ] selects this section by
# default through its x509_extensions setting.
[ host_ext ]

# End-entity certificate: must not be usable as a CA.
basicConstraints = CA:FALSE
# NOTE(review): keyEncipherment only has a meaning for keys that can
# encrypt, such as RSA. If every subject key issued here is an EC key,
# RFC 8813 says this bit must not be set; confirm which key types this
# CA certifies before trimming the list.
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
# The DNS name is taken unchanged from the COMMON_NAME environment
# variable; whoever sets that variable decides which host name the
# certificate is valid for.
subjectAltName = DNS:$ENV::COMMON_NAME
#extendedKeyUsage = OCSPSigning
# The CRL is signed by the CA, so plain HTTP does not expose it to
# undetected modification; relying parties still have to verify it.
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl

####################################################################

# Extensions for user certificates. No visible section refers to this
# one; presumably it is chosen on the command line - confirm.
[ user_ext ]

# End-entity certificate: must not be usable as a CA.
basicConstraints = CA:FALSE
# NOTE(review): keyEncipherment only has a meaning for keys that can
# encrypt, such as RSA. If every subject key issued here is an EC key,
# RFC 8813 says this bit must not be set; confirm which key types this
# CA certifies before trimming the list.
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
# The e-mail address is taken unchanged from the COMMON_NAME environment
# variable; whoever sets that variable decides which identity the
# certificate asserts.
subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
# The CRL is signed by the CA, so plain HTTP does not expose it to
# undetected modification; relying parties still have to verify it.
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl

####################################################################

# Extensions for the self-signed CA certificate; [ req ] selects this
# section through its x509_extensions setting.
[ ca_ext ]

# Marked critical, so a verifier must understand the CA flag.
basicConstraints = critical, CA:TRUE
# Limits the CA key to signing certificates and CRLs. Unlike
# basicConstraints, this extension is not marked critical.
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always

####################################################################

# CRL extensions; [ root_ca ] selects this section through its
# crl_extensions setting.
[ crl_ext ]

# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

#issuerAltName = issuer:copy
# Identifies the signing CA key, so a verifier can pick the right issuer
# certificate for the CRL signature check.
authorityKeyIdentifier = keyid:always, issuer:always

# eof