From 15b5d84f9da2ce4bfae8580e56e34a859f74ad71 Mon Sep 17 00:00:00 2001 From: markus <> Date: Thu, 5 Sep 2002 12:51:50 +0000 Subject: import openssl-0.9.7-beta1 --- src/lib/libssl/doc/openssl.cnf | 51 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 46 insertions(+), 5 deletions(-) (limited to 'src/lib/libssl/doc/openssl.cnf') diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf index d70dd25622..eca51c3322 100644 --- a/src/lib/libssl/doc/openssl.cnf +++ b/src/lib/libssl/doc/openssl.cnf @@ -3,8 +3,13 @@ # This is mostly being used for generation of certificate requests. # +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . RANDFILE = $ENV::HOME/.rnd -oid_file = $ENV::HOME/.oid + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid oid_section = new_oids # To use this configuration file with the "-extfile" option of the @@ -43,6 +48,14 @@ RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crl_extensions = crl_ext @@ -86,6 +99,22 @@ distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = AU @@ -111,7 +140,7 @@ commonName = Common Name (eg, YOUR name) commonName_max = 64 emailAddress = Email Address -emailAddress_max = 40 +emailAddress_max = 64 # SET-ex3 = SET extension number 3 @@ -159,6 +188,9 @@ authorityKeyIdentifier=keyid,issuer:always # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy @@ -170,8 +202,16 @@ authorityKeyIdentifier=keyid,issuer:always #nsCaPolicyUrl #nsSslServerName +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + [ v3_ca ] + # Extensions for a typical CA @@ -200,10 +240,11 @@ basicConstraints = CA:true # Copy issuer details # issuerAltName=issuer:copy -# RAW DER hex encoding of an extension: beware experts only! -# 1.2.3.5=RAW:02:03 +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object # You can even override a supported extension: -# basicConstraints= critical, RAW:30:03:01:01:FF +# basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] -- cgit v1.2.3-55-g6feb