support of crlnumber in research and sales CAs
# openssl.cnf - OpenSSL configuration file for the ZHW PKI
# Mario Strasser <mario.strasser@zhwin.ch>
#
# $Id: openssl.cnf,v 1.1 2005/03/24 11:24:07 as Exp $
#
# Read by the openssl command line tools ('openssl ca', 'openssl req').
# OpenSSL CONF syntax: '#' starts a comment, $name is expanded from an
# earlier definition and $ENV::NAME from the environment. COMMON_NAME
# must therefore be set in the environment whenever this file is loaded.

# The definitions below are written by the ca_init script.
# Do NOT change them by hand.
CAHOME                  = /etc/openssl/sales
RANDFILE                = $CAHOME/.rand

# Extra OBJECT IDENTIFIER definitions are taken from this section.
oid_section             = new_oids

[ new_oids ]
# Object identifiers made available by name to the openssl tools.
# Neither name is referenced by any extension section in this file.
# NOTE(review): the labels do not match Microsoft's published
# assignments (1.3.6.1.4.1.311.20.2.2 is the Smart Card Logon EKU,
# 1.3.6.1.4.1.311.20.2 the certificate template name extension);
# confirm the intended values before relying on these names.
SmartcardLogin          = 1.3.6.1.4.1.311.20.2
ClientAuthentication    = 1.3.6.1.4.1.311.20.2.2

####################################################################

[ ca ]
# the section used when 'openssl ca' is run without -name
default_ca      = root_ca

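####################################################################

[ root_ca ]
# Settings for 'openssl ca' (selected through default_ca in [ca]).

dir             = $CAHOME
# where the issued certs are kept
certs           = $dir/certs
# where the issued CRLs are kept
crl_dir         = $dir/crl
# database index file
database        = $dir/index.txt
# default place for new certs
new_certs_dir   = $dir/newcerts

# the CA certificate
certificate     = $dir/salesCert.pem
# the current serial number
serial          = $dir/serial
# the current CRL
crl             = $dir/crl.pem
# the current CRL serial number
crlnumber       = $dir/crlnumber
# the CA private key
private_key     = $dir/salesKey.pem
# private random number file
RANDFILE        = $dir/.rand

# the extensions to add to issued certs (overridable with -extensions)
x509_extensions = host_ext

# the extensions to add to the CRL
crl_extensions  = crl_ext

# how long to certify for (days)
default_days    = 1825
# how long before the next CRL (days)
default_crl_days = 30
# digest used to sign certs and CRLs; SHA-1 is no longer acceptable
# for signatures, so SHA-256 is used instead of the former sha1
default_md      = sha256
# keep passed DN ordering
preserve        = no
# allow/forbid email in the DN
email_in_dn     = no

# how similar the request's DN must be to the CA's DN
policy          = policy_match
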
####################################################################

# the 'match' policy: country and organisation have to equal the CA's,
# a commonName is mandatory, everything else is optional
[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
localityName            = optional
organizationName        = match
organizationalUnitName  = optional
userId                  = optional
commonName              = supplied
emailAddress            = optional

# the 'anything' policy: only a commonName is required.
# Not referenced from [root_ca]; presumably meant for
# 'openssl ca -policy policy_anything'.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

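####################################################################

[ req ]
# Settings for 'openssl req' (requests and the self-signed CA cert).

# RSA key size; 1024 bit is below the accepted minimum, so 2048 is used
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
# the extensions to add to the self signed cert
x509_extensions         = ca_ext
# the extensions to add to a certificate request; disabled, and no
# v3_req section exists in this file
# req_extensions        = v3_req

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# NOTE(review): kept at nombstr on purpose - the 'match' policy compares
# DN fields including their string type, so switching to utf8only can
# make new requests fail against the existing CA certificate; verify
# before changing.
string_mask                     = nombstr
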
####################################################################

# Fields prompted for by 'openssl req'; their order here is the order
# in the DN. Commented-out entries are optional fields this PKI does
# not ask for.
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CH
countryName_min                 = 2
countryName_max                 = 2

# stateOrProvinceName           = State or Province Name (full name)
# stateOrProvinceName_default   = ZH

# localityName                  = Locality Name (eg, city)
# localityName_default          = Winterthur

organizationName                = Organization Name (eg, company)
organizationName_default        = Linux strongSwan

0.organizationalUnitName        = Organizational Unit Name (eg, section)
0.organizationalUnitName_default = Sales

# 1.organizationalUnitName      = Type (eg, Staff)
# 1.organizationalUnitName_default = Staff

# userId                        = UID

# the default is taken from the COMMON_NAME environment variable
commonName                      = Common Name (eg, YOUR name)
commonName_default              = $ENV::COMMON_NAME
commonName_max                  = 64

# 0.emailAddress                = Email Address (eg, foo@bar.com)
# 0.emailAddress_min            = 0
# 0.emailAddress_max            = 40

# 1.emailAddress                = Second Email Address (eg, foo@bar.com)
# 1.emailAddress_min            = 0
# 1.emailAddress_max            = 40

####################################################################

[ req_attributes ]
# intentionally empty: no request attributes (e.g. challengePassword)
# are prompted for

####################################################################

# Extensions for end-entity host certificates (the default set
# selected by x509_extensions in [root_ca]).
[ host_ext ]

basicConstraints                = CA:FALSE
# NOTE(review): keyUsage is not marked critical although RFC 5280
# recommends it; confirm with the consuming clients before changing.
keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid, issuer:always
# the host name comes from the COMMON_NAME environment variable
subjectAltName                  = DNS:$ENV::COMMON_NAME
# extendedKeyUsage              = OCSPSigning
crlDistributionPoints           = URI:http://crl.strongswan.org/sales.crl

####################################################################

# Extensions for end-entity user certificates. Not referenced from
# [root_ca]; presumably selected with 'openssl ca -extensions user_ext'.
[ user_ext ]

basicConstraints                = CA:FALSE
keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid, issuer:always
# the e-mail address comes from the COMMON_NAME environment variable
subjectAltName                  = email:$ENV::COMMON_NAME
crlDistributionPoints           = URI:http://crl.strongswan.org/sales.crl

####################################################################

# Extensions for the self-signed CA certificate (x509_extensions in
# [req]). No pathlen constraint is set.
[ ca_ext ]

basicConstraints                = critical, CA:TRUE
# NOTE(review): keyUsage is not marked critical; RFC 5280 recommends
# it - confirm with the consuming clients before changing.
keyUsage                        = cRLSign, keyCertSign
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid, issuer:always

####################################################################

# CRL extensions (crl_extensions in [root_ca]).
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
[ crl_ext ]

# issuerAltName                 = issuer:copy
authorityKeyIdentifier          = keyid:always, issuer:always

# eof