Diffstat (limited to 'src/lib/libssl/doc/openssl.cnf')
-rw-r--r--src/lib/libssl/doc/openssl.cnf57
1 files changed, 47 insertions, 10 deletions
diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
index 9e59020c17..9d2cd5bfa5 100644
--- a/src/lib/libssl/doc/openssl.cnf
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -21,12 +21,17 @@ oid_section = new_oids
21 21
22[ new_oids ] 22[ new_oids ]
23 23
24# We can add new OIDs in here for use by 'ca' and 'req'. 24# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
25# Add a simple OID like this: 25# Add a simple OID like this:
26# testoid1=1.2.3.4 26# testoid1=1.2.3.4
27# Or use config file substitution like this: 27# Or use config file substitution like this:
28# testoid2=${testoid1}.5.6 28# testoid2=${testoid1}.5.6
29 29
30# Policies used by the TSA examples.
31tsa_policy1 = 1.2.3.4.1
32tsa_policy2 = 1.2.3.4.5.6
33tsa_policy3 = 1.2.3.4.5.7
34
30#################################################################### 35####################################################################
31[ ca ] 36[ ca ]
32default_ca = CA_default # The default ca section 37default_ca = CA_default # The default ca section
@@ -67,7 +72,7 @@ cert_opt = ca_default # Certificate field options
67 72
68default_days = 365 # how long to certify for 73default_days = 365 # how long to certify for
69default_crl_days= 30 # how long before next CRL 74default_crl_days= 30 # how long before next CRL
70default_md = sha1 # which md to use. 75default_md = default # use public key default MD
71preserve = no # keep passed DN ordering 76preserve = no # keep passed DN ordering
72 77
73# A few difference way of specifying how similar the request should look 78# A few difference way of specifying how similar the request should look
@@ -110,13 +115,12 @@ x509_extensions = v3_ca # The extentions to add to the self signed cert
110 115
111# This sets a mask for permitted string types. There are several options. 116# This sets a mask for permitted string types. There are several options.
112# default: PrintableString, T61String, BMPString. 117# default: PrintableString, T61String, BMPString.
113# pkix : PrintableString, BMPString. 118# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
114# utf8only: only UTF8Strings. 119# utf8only: only UTF8Strings (PKIX recommendation after 2004).
115# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 120# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
116# MASK:XXXX a literal mask value. 121# MASK:XXXX a literal mask value.
117# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 122# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
118# so use this option with caution! 123string_mask = utf8only
119string_mask = nombstr
120 124
121# req_extensions = v3_req # The extensions to add to a certificate request 125# req_extensions = v3_req # The extensions to add to a certificate request
122 126
@@ -207,6 +211,9 @@ authorityKeyIdentifier=keyid,issuer
207#nsCaPolicyUrl 211#nsCaPolicyUrl
208#nsSslServerName 212#nsSslServerName
209 213
214# This is required for TSA certificates.
215# extendedKeyUsage = critical,timeStamping
216
210[ v3_req ] 217[ v3_req ]
211 218
212# Extensions to add to a certificate request 219# Extensions to add to a certificate request
@@ -224,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
224 231
225subjectKeyIdentifier=hash 232subjectKeyIdentifier=hash
226 233
227authorityKeyIdentifier=keyid:always,issuer:always 234authorityKeyIdentifier=keyid:always,issuer
228 235
229# This is what PKIX recommends but some broken software chokes on critical 236# This is what PKIX recommends but some broken software chokes on critical
230# extensions. 237# extensions.
@@ -257,7 +264,7 @@ basicConstraints = CA:true
257# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 264# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
258 265
259# issuerAltName=issuer:copy 266# issuerAltName=issuer:copy
260authorityKeyIdentifier=keyid:always,issuer:always 267authorityKeyIdentifier=keyid:always
261 268
262[ proxy_cert_ext ] 269[ proxy_cert_ext ]
263# These extensions should be added when creating a proxy certificate 270# These extensions should be added when creating a proxy certificate
@@ -290,7 +297,7 @@ nsComment = "OpenSSL Generated Certificate"
290 297
291# PKIX recommendations harmless if included in all certificates. 298# PKIX recommendations harmless if included in all certificates.
292subjectKeyIdentifier=hash 299subjectKeyIdentifier=hash
293authorityKeyIdentifier=keyid,issuer:always 300authorityKeyIdentifier=keyid,issuer
294 301
295# This stuff is for subjectAltName and issuerAltname. 302# This stuff is for subjectAltName and issuerAltname.
296# Import the email address. 303# Import the email address.
@@ -311,3 +318,33 @@ authorityKeyIdentifier=keyid,issuer:always
311 318
312# This really needs to be in place for it to be a proxy certificate. 319# This really needs to be in place for it to be a proxy certificate.
313proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 320proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
321
322####################################################################
323[ tsa ]
324
325default_tsa = tsa_config1 # the default TSA section
326
327[ tsa_config1 ]
328
329# These are used by the TSA reply generation only.
330dir = ./demoCA # TSA root directory
331serial = $dir/tsaserial # The current serial number (mandatory)
332crypto_device = builtin # OpenSSL engine to use for signing
333signer_cert = $dir/tsacert.pem # The TSA signing certificate
334 # (optional)
335certs = $dir/cacert.pem # Certificate chain to include in reply
336 # (optional)
337signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
338
339default_policy = tsa_policy1 # Policy if request did not specify it
340 # (optional)
341other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
342digests = md5, sha1 # Acceptable message digests (mandatory)
343accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
344clock_precision_digits = 0 # number of digits after dot. (optional)
345ordering = yes # Is ordering defined for timestamps?
346 # (optional, default: no)
347tsa_name = yes # Must the TSA name be included in the reply?
348 # (optional, default: no)
349ess_cert_id_chain = no # Must the ESS cert id chain be included?
350 # (optional, default: no)
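Review bot: The new `[ tsa_config1 ]` section accepts MD5 imprints: `digests = md5, sha1` (new line 342) is documented right there as the list of acceptable message digests, so a TSA built from this example will sign a timestamp token over any MD5 hash a requester submits, and MD5 collisions are cheap enough that one token can then vouch for a second, colliding document. SHA-1 is only marginally better for the same collision reason, so this example file — which is what deployments copy — should lead with SHA-2, e.g. `digests = sha256, sha384, sha512`, with a comment such as `# Only collision-resistant digests; md5/sha1 imprints are rejected` if older requesters must be turned away deliberately rather than silently. The same caution applies to `default_md = default` in `[ CA_default ]` (new line 75): it is fine as long as the public-key default resolves to a SHA-2 digest, which this file cannot guarantee on its own, so a one-line comment stating the expected algorithm would help.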