1 # openssl.cnf -  OpenSSL configuration file for the ZHW PKI
2 # Mario Strasser <mario.strasser@zhwin.ch>
3 #       
4
5 # These definitions were set by the ca_init script. DO NOT change
6 # them manually.
# Base directory of this CA; [ root_ca ] derives all of its paths from it
# through dir = $CAHOME.
7 CAHOME                  = /etc/openssl/research
# Random seed file kept inside the CA directory. It should be readable only by
# the account that operates the CA.
8 RANDFILE                = $CAHOME/.rand
9
10 # Extra OBJECT IDENTIFIER info:
# Names the section below that registers additional OID short names.
11 oid_section             = new_oids
12
# Registers short names for two OIDs under the Microsoft enterprise arc
# (1.3.6.1.4.1.311). No extension section visible in this file refers to them.
# NOTE(review): 1.3.6.1.4.1.311.20.2.2 is commonly documented as Microsoft
# "Smart Card Logon", and the standard client-authentication EKU is
# 1.3.6.1.5.5.7.3.2. Confirm that the short names below match the intended
# OIDs before using them in an extendedKeyUsage line.
13 [ new_oids ]
14 SmartcardLogin          = 1.3.6.1.4.1.311.20.2
15 ClientAuthentication    = 1.3.6.1.4.1.311.20.2.2
16
17 ####################################################################
18
# Entry point for "openssl ca": default_ca names the CA section to use when
# no -name option is given on the command line.
19 [ ca ]
20 default_ca      = root_ca               # The default ca section
21
22 ####################################################################
23
# Settings "openssl ca" uses when this section is selected (see default_ca in
# [ ca ]). copy_extensions is not set here, so extensions carried in a request
# are not copied into issued certificates (OpenSSL's default is "none"). Issued
# certificates get only what the chosen extension section defines.
24 [ root_ca ]                             
25
26 dir             = $CAHOME
27 certs           = $dir/certs              # Where the issued certs are kept
28 crl_dir         = $dir/crl                # Where the issued crl are kept
29 database        = $dir/index.txt          # database index file.
30 new_certs_dir   = $dir/newcerts           # default place for new certs.
31
32 certificate     = $dir/researchCert.pem   # The CA certificate
33 serial          = $dir/serial             # The current serial number
34 crl             = $dir/crl.pem            # The current CRL
35 crlnumber       = $dir/crlnumber          # The current CRL serial number
# CA signing key: anyone able to read this file can issue certificates and CRLs
# under this CA, so its permissions matter more than any other path here.
36 private_key     = $dir/researchKey.pem    # The private key
37 RANDFILE        = $dir/.rand              # private random number file
38
# Extension section applied by default. [ user_ext ] below is used only if it
# is selected explicitly.
39 x509_extensions = host_ext                # The extentions to add to the cert
40
41 crl_extensions  = crl_ext                 # The extentions to add to the CRL
42
# 1825 days is roughly five years. It applies to every certificate issued
# without an explicit validity on the command line.
43 default_days    = 1825                    # how long to certify for
# A CRL older than 30 days is past its nextUpdate, so it must be re-issued at
# least that often for relying parties that check CRL freshness.
44 default_crl_days= 30                      # how long before next CRL
45 default_md      = sha256                  # which md to use.
46 preserve        = no                      # keep passed DN ordering
47 email_in_dn     = no                      # allow/forbid EMail in DN
48
49 policy          = policy_match            # specifying how similar the request must look
50
51 ####################################################################
52
# Subject-DN policy selected by [ root_ca ] (policy = policy_match).
#   match    - the request's value must equal the CA certificate's value
#   supplied - the field must be present in the request
#   optional - the field may be present or absent
# DN fields not listed here are dropped from the issued certificate.
53 # the 'match' policy
54 [ policy_match ]
55 countryName             = match
56 stateOrProvinceName     = optional
57 localityName            = optional
58 organizationName        = match
59 organizationalUnitName  = optional
60 userId                  = optional
61 commonName              = supplied
62 emailAddress            = optional
63
# Permissive alternative: only commonName is required and nothing has to match
# the CA's own DN. [ root_ca ] does not select it (it sets policy_match), so it
# takes effect only when chosen explicitly, for example with the -policy option.
# With this policy the CA accepts any country or organization a requester writes
# into the CSR.
64 # the 'anything' policy
65 [ policy_anything ]
66 countryName             = optional
67 stateOrProvinceName     = optional
68 localityName            = optional
69 organizationName        = optional
70 organizationalUnitName  = optional
71 commonName              = supplied
72 emailAddress            = optional
73
74 ####################################################################
75
# Defaults for "openssl req" (key and request generation).
76 [ req ]
# RSA key size in bits for newly generated keys.
77 default_bits            = 2048
78 default_keyfile         = privkey.pem
79 distinguished_name      = req_distinguished_name
80 attributes              = req_attributes
# ca_ext is applied only when req creates a self-signed certificate (-x509),
# i.e. when the CA certificate itself is generated.
81 x509_extensions         = ca_ext        # The extentions to add to the self signed cert
82 # req_extensions        = v3_req        # The extensions to add to a certificate request
83
84
85 # This sets a mask for permitted string types. There are several options. 
86 # default: PrintableString, T61String, BMPString.
87 # pkix   : PrintableString, BMPString.
88 # utf8only: only UTF8Strings.
89 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
90 # MASK:XXXX a literal mask value.
91 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
92 # so use this option with caution!
# NOTE(review): the Netscape warning above is historical. With nombstr, subject
# strings that do not fit PrintableString are encoded as T61String, whereas
# the openssl.cnf shipped with recent OpenSSL releases uses utf8only. Confirm
# that the peers validating these certificates handle T61String as intended.
93 string_mask                     = nombstr
94
95 # req_extensions = v3_req # The extensions to add to a certificate request
96
97 ####################################################################
98
# Prompts, defaults and length limits for the subject DN of a new request.
# The defaults for countryName and organizationName are the fields that
# [ policy_match ] requires to equal the CA certificate's values.
99 [ req_distinguished_name ]
100 countryName                     = Country Name (2 letter code)
101 countryName_default             = CH
102 countryName_min                 = 2
103 countryName_max                 = 2
104
105 #stateOrProvinceName            = State or Province Name (full name)
106 #stateOrProvinceName_default    = ZH
107
108 #localityName                   = Locality Name (eg, city)
109 #localityName_default           = Winterthur
110
111 organizationName                = Organization Name (eg, company)
112 organizationName_default        = Linux strongSwan
113
114 0.organizationalUnitName                = Organizational Unit Name (eg, section)
115 0.organizationalUnitName_default        = Research
116
117 #1.organizationalUnitName       = Type (eg, Staff)
118 #1.organizationalUnitName_default = Staff
119
120 #userId                         = UID 
121
122 commonName                      = Common Name (eg, YOUR name)
# The default CN is read from the environment. OpenSSL refuses to load this
# file when COMMON_NAME is unset, so every command using it must export the
# variable. The same variable also feeds subjectAltName in [ host_ext ] and
# [ user_ext ].
123 commonName_default              = $ENV::COMMON_NAME
124 commonName_max                  = 64
125
126 #0.emailAddress                 = Email Address (eg, foo@bar.com)
127 #0.emailAddress_min              = 0
128 #0.emailAddress_max              = 40
129
130 #1.emailAddress                  = Second Email Address (eg, foo@bar.com)
131 #1.emailAddress_min              = 0
132 #1.emailAddress_max              = 40
133
134 ####################################################################
135
# Intentionally empty: [ req ] refers to this section, but no request
# attributes (such as a challenge password) are defined or prompted for.
136 [ req_attributes ]
137
138 ####################################################################
139
# Extensions for host (end-entity) certificates. This is the default extension
# section of [ root_ca ].
140 [ host_ext ]
141
# CA:FALSE keeps an issued host certificate from being accepted as an issuer.
142 basicConstraints                = CA:FALSE
143 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
144 subjectKeyIdentifier            = hash
145 authorityKeyIdentifier          = keyid, issuer:always
# The environment value is substituted as text before the extension is parsed,
# so a COMMON_NAME containing a comma would yield additional SAN entries. The
# script that exports COMMON_NAME must validate it as a single host name.
146 subjectAltName                  = DNS:$ENV::COMMON_NAME
# With extendedKeyUsage commented out, issued certificates carry no EKU
# restriction.
147 #extendedKeyUsage               = OCSPSigning
# The CRL is fetched over plain HTTP. Its integrity rests on the CA signature
# on the CRL, not on the transport.
148 crlDistributionPoints           = URI:http://crl.strongswan.org/research.crl
149
150 ####################################################################
151
# Extensions for user certificates. No setting in this file selects this
# section by default, so it presumably has to be chosen explicitly (for
# example with -extensions user_ext).
152 [ user_ext ]
153
154 basicConstraints                = CA:FALSE
155 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
156 subjectKeyIdentifier            = hash
157 authorityKeyIdentifier          = keyid, issuer:always
# COMMON_NAME is used here as an rfc822 (email) SAN, so for user certificates
# it must hold one validated email address. The value is substituted as text,
# and a comma in it would yield additional SAN entries.
158 subjectAltName                  = email:$ENV::COMMON_NAME 
159 crlDistributionPoints           = URI:http://crl.strongswan.org/research.crl
160
161 ####################################################################
162
# Extensions for the self-signed CA certificate ([ req ] x509_extensions).
163 [ ca_ext ]
164
# Critical CA:TRUE with no pathlen value: the path length below this CA is
# unconstrained.
165 basicConstraints                = critical, CA:TRUE
# Limits the CA key to signing certificates and CRLs. The extension is not
# marked critical.
166 keyUsage                        = cRLSign, keyCertSign
167 subjectKeyIdentifier           = hash
168 authorityKeyIdentifier         = keyid, issuer:always
169
170 ####################################################################
171
# Extensions added to CRLs issued by [ root_ca ] (crl_extensions = crl_ext).
# Because a CRL extension section is configured, OpenSSL produces version 2
# CRLs.
172 [ crl_ext ]
173
174 # CRL extensions.
175 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
176
177 #issuerAltName                  = issuer:copy
# Identifies the signing CA key by key identifier and by issuer name plus
# serial number, so a verifier can match the CRL to the CA certificate.
178 authorityKeyIdentifier          = keyid:always, issuer:always
179
180 # eof