Diffstat (limited to 'src/lib/libssl/doc/openssl.cnf')
-rw-r--r-- | src/lib/libssl/doc/openssl.cnf | 57 |
1 files changed, 47 insertions, 10 deletions
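diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
index 9e59020c17..9d2cd5bfa5 100644
--- a/src/lib/libssl/doc/openssl.cnf
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -21,12 +21,17 @@ oid_section = new_oids
 
 [ new_oids ]
 
-# We can add new OIDs in here for use by 'ca' and 'req'.
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 # Add a simple OID like this:
 # testoid1=1.2.3.4
 # Or use config file substitution like this:
 # testoid2=${testoid1}.5.6
 
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
 ####################################################################
 [ ca ]
 default_ca = CA_default # The default ca section
@@ -67,7 +72,7 @@ cert_opt = ca_default # Certificate field options
 
 default_days = 365 # how long to certify for
 default_crl_days= 30 # how long before next CRL
-default_md = sha1 # which md to use.
+default_md = default # use public key default MD
 preserve = no # keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
@@ -110,13 +115,12 @@ x509_extensions = v3_ca # The extentions to add to the self signed cert
 
 # This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
 
 # req_extensions = v3_req # The extensions to add to a certificate request
 
@@ -207,6 +211,9 @@ authorityKeyIdentifier=keyid,issuer
 #nsCaPolicyUrl
 #nsSslServerName
 
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
 [ v3_req ]
 
 # Extensions to add to a certificate request
@@ -224,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
 subjectKeyIdentifier=hash
 
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always,issuer
 
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
@@ -257,7 +264,7 @@ basicConstraints = CA:true
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
 # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
@@ -290,7 +297,7 @@ nsComment = "OpenSSL Generated Certificate"
 
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
@@ -311,3 +318,33 @@ authorityKeyIdentifier=keyid,issuer:always
 
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+# (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+# (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+
+default_policy = tsa_policy1 # Policy if request did not specify it
+# (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = md5, sha1 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+# (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+# (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+# (optional, default: no)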
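Review bot: `digests = md5, sha1` in the new [ tsa_config1 ] section makes the example TSA accept timestamp requests whose message imprint is MD5 or SHA-1, both of which have practical collision attacks, so a token issued over such an imprint no longer uniquely binds one document; since this sample is what deployments tend to copy, prefer `digests = sha256, sha384, sha512` and note in the comment that the list is an allow-list enforced by the server, not a hint. The `tsa_policy*` OIDs introduced in the first hunk sit under the `1.2.3.4` example arc, so the "Policies used by the TSA examples" comment should say they must be replaced with an arc the operator owns before use. The commented `extendedKeyUsage = critical,timeStamping` added in the [ usr_cert ] hunk is correct but incomplete as guidance: RFC 3161 also requires timeStamping to be the only key purpose in the TSA certificate, which the comment could state, e.g. `# This is required for TSA certificates (and must be the only key purpose).`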