# # SSLeay example configuration file. # This is mostly being used for generation of certificate requests. # RANDFILE = $ENV::HOME/.rnd #################################################################### [ ca ] default_ca = niktest1 # The default ca section #################################################################### [ niktest1 ] dir = $ENV::CAROOT/data # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = ext_user # The extentions to add to the cert default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. preserve = no # keep passed DN ordering [ subord ] sdir = $ENV::CAROOT/subord # Where everything is kept certs = $sdir/certs # Where the issued certs are kept crl_dir = $sdir/crl # Where the issued crl are kept database = $sdir/index.txt # database index file. new_certs_dir = $sdir/newcerts # default place for new certs. certificate = $sdir/cacert.pem # The CA certificate serial = $sdir/serial # The current serial number crl = $sdir/crl.pem # The current CRL private_key = $sdir/private/cakey.pem# The private key RANDFILE = $sdir/private/.rand # private random number file x509_extensions = ext_user # The extentions to add to the cert default_days = 10 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = match #stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied #emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional #stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied #emailAddress = optional #################################################################### [ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = NL countryName_min = 2 countryName_max = 2 #stateOrProvinceName = State or Province Name (full name) #stateOrProvinceName_default = Some-State #localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = NIKHEF # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = CryptSoft Pty Ltd #organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName = Common Name (eg, YOUR name) commonName_max = 64 commonName_default = NIKHEF low-security TEST certification auth #emailAddress = Email Address #emailAddress_max = 40 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ ext_ca ] nsCaRevocationUrl = http://certificate.nikhef.nl/niktest1/cacrl.pem nsComment = "This CA is for testing only (niktest1)" basicConstraints = critical, CA:true nsCertType = objCA,emailCA,sslCA crlDistributionPoints = URI:http://certificate.nikhef.nl/niktest1/cacrl.pem subjectAltName = email:ca@nikhef.nl subjectKeyIdentifier = hash nsCaPolicyUrl = "http://certificate.nikhef.nl/niktest1/policy/" [ ext_subord_ca ] nsCaRevocationUrl = http://oops.nikhef.nl/subord/cacrl.pem nsComment = "This CA is for testing only (subord BELOW niktest1)" basicConstraints = critical, CA:true nsCertType = objCA,emailCA,sslCA crlDistributionPoints = URI:http://oops.nikhef.nl/subord/cacrl.pem subjectAltName = email:griduser@nikhef.nl subjectKeyIdentifier = hash nsCaPolicyUrl = "http://oops.nikhef.nl/subord/policy/" [ ext_user ] nsComment = For Grid use only; request tag $ENV::TAG nsCertType = server,client,email crlDistributionPoints = URI:http://certificate.nikhef.nl/purposeca/crl.shtml nsCaPolicyUrl = http://certificate.nikhef.nl/purposeca/nikhefca.html subjectAltName = email:$ENV::EMAIL subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment basicConstraints = CA:false