testing/hosts/winnetou/etc/openssl/research/openssl.cnf

   1 # openssl.cnf -  OpenSSL configuration file for the ZHW PKI
   2 # Mario Strasser <mario.strasser@zhwin.ch>
   3 #
   4 # $Id: openssl.cnf,v 1.1 2005/03/24 11:24:07 as Exp $
   5 #
   6
   7 # This definitions were set by the ca_init script DO NOT change
   8 # them manualy.
   9 CAHOME                  = /etc/openssl/research
  10 RANDFILE                = $CAHOME/.rand
  11
  12 # Extra OBJECT IDENTIFIER info:
  13 oid_section             = new_oids
  14
  15 [ new_oids ]
  16 SmartcardLogin          = 1.3.6.1.4.1.311.20.2
  17 ClientAuthentication    = 1.3.6.1.4.1.311.20.2.2
  18
  19 ####################################################################
  20
  21 [ ca ]
  22 default_ca      = root_ca               # The default ca section
  23
  24 ####################################################################
  25
  26 [ root_ca ]
  27
  28 dir             = $CAHOME
  29 certs           = $dir/certs              # Where the issued certs are kept
  30 crl_dir         = $dir/crl                # Where the issued crl are kept
  31 database        = $dir/index.txt          # database index file.
  32 new_certs_dir   = $dir/newcerts           # default place for new certs.
  33
  34 certificate     = $dir/researchCert.pem   # The CA certificate
  35 serial          = $dir/serial             # The current serial number
  36 crl             = $dir/crl.pem            # The current CRL
  37 crlnumber       = $dir/crlnumber          # The current CRL serial number
  38 private_key     = $dir/researchKey.pem    # The private key
  39 RANDFILE        = $dir/.rand              # private random number file
  40
  41 x509_extensions = host_ext                # The extentions to add to the cert
  42
  43 crl_extensions  = crl_ext                 # The extentions to add to the CRL
  44
  45 default_days    = 1825                    # how long to certify for
  46 default_crl_days= 30                      # how long before next CRL
  47 default_md      = sha1                    # which md to use.
  48 preserve        = no                      # keep passed DN ordering
  49 email_in_dn     = no                      # allow/forbid EMail in DN
  50
  51 policy          = policy_match            # specifying how similar the request must look
  52
  53 ####################################################################
  54
  55 # the 'match' policy
  56 [ policy_match ]
  57 countryName             = match
  58 stateOrProvinceName     = optional
  59 localityName            = optional
  60 organizationName        = match
  61 organizationalUnitName  = optional
  62 userId                  = optional
  63 commonName              = supplied
  64 emailAddress            = optional
  65
  66 # the 'anything' policy
  67 [ policy_anything ]
  68 countryName             = optional
  69 stateOrProvinceName     = optional
  70 localityName            = optional
  71 organizationName        = optional
  72 organizationalUnitName  = optional
  73 commonName              = supplied
  74 emailAddress            = optional
  75
  76 ####################################################################
  77
  78 [ req ]
  79 default_bits            = 1024
  80 default_keyfile         = privkey.pem
  81 distinguished_name      = req_distinguished_name
  82 attributes              = req_attributes
  83 x509_extensions         = ca_ext        # The extentions to add to the self signed cert
  84 # req_extensions        = v3_req        # The extensions to add to a certificate request
  85
  86
  87 # This sets a mask for permitted string types. There are several options.
  88 # default: PrintableString, T61String, BMPString.
  89 # pkix   : PrintableString, BMPString.
  90 # utf8only: only UTF8Strings.
  91 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  92 # MASK:XXXX a literal mask value.
  93 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  94 # so use this option with caution!
  95 string_mask                     = nombstr
  96
  97 # req_extensions = v3_req # The extensions to add to a certificate request
  98
  99 ####################################################################
 100
 101 [ req_distinguished_name ]
 102 countryName                     = Country Name (2 letter code)
 103 countryName_default             = CH
 104 countryName_min                 = 2
 105 countryName_max                 = 2
 106
 107 #stateOrProvinceName            = State or Province Name (full name)
 108 #stateOrProvinceName_default    = ZH
 109
 110 #localityName                   = Locality Name (eg, city)
 111 #localityName_default           = Winterthur
 112
 113 organizationName                = Organization Name (eg, company)
 114 organizationName_default        = Linux strongSwan
 115
 116 0.organizationalUnitName                = Organizational Unit Name (eg, section)
 117 0.organizationalUnitName_default        = Research
 118
 119 #1.organizationalUnitName       = Type (eg, Staff)
 120 #1.organizationalUnitName_default = Staff
 121
 122 #userId                         = UID
 123
 124 commonName                      = Common Name (eg, YOUR name)
 125 commonName_default              = $ENV::COMMON_NAME
 126 commonName_max                  = 64
 127
 128 #0.emailAddress                 = Email Address (eg, foo@bar.com)
 129 #0.emailAddress_min              = 0
 130 #0.emailAddress_max              = 40
 131
 132 #1.emailAddress                  = Second Email Address (eg, foo@bar.com)
 133 #1.emailAddress_min              = 0
 134 #1.emailAddress_max              = 40
 135
 136 ####################################################################
 137
 138 [ req_attributes ]
 139
 140 ####################################################################
 141
 142 [ host_ext ]
 143
 144 basicConstraints                = CA:FALSE
 145 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 146 subjectKeyIdentifier            = hash
 147 authorityKeyIdentifier          = keyid, issuer:always
 148 subjectAltName                  = DNS:$ENV::COMMON_NAME
 149 #extendedKeyUsage               = OCSPSigning
 150 crlDistributionPoints           = URI:http://crl.strongswan.org/research.crl
 151
 152 ####################################################################
 153
 154 [ user_ext ]
 155
 156 basicConstraints                = CA:FALSE
 157 keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
 158 subjectKeyIdentifier            = hash
 159 authorityKeyIdentifier          = keyid, issuer:always
 160 subjectAltName                  = email:$ENV::COMMON_NAME
 161 crlDistributionPoints           = URI:http://crl.strongswan.org/research.crl
 162
 163 ####################################################################
 164
 165 [ ca_ext ]
 166
 167 basicConstraints                = critical, CA:TRUE
 168 keyUsage                        = cRLSign, keyCertSign
 169 subjectKeyIdentifier           = hash
 170 authorityKeyIdentifier         = keyid, issuer:always
 171
 172 ####################################################################
 173
 174 [ crl_ext ]
 175
 176 # CRL extensions.
 177 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 178
 179 #issuerAltName                  = issuer:copy
 180 authorityKeyIdentifier          = keyid:always, issuer:always
 181
 182 # eof