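# OpenSSL configuration for a small certificate authority (`openssl ca` /
# `openssl req`). The realm TEST.H5L.SE and the placeholder values (`bar`,
# `foo`) suggest these are test fixtures -- confirm before reusing elsewhere.
#
# Every CA profile below shares the same index.txt / serial files in the
# current directory and the same subject policy; the profiles differ only in
# the x509_extensions section they apply to the issued certificate.
#
# NOTE(review): all profiles sign with SHA-1 (default_md = sha1). SHA-1 is no
# longer collision-resistant and SHA-1-signed certificates are rejected by many
# current verifiers. Keep it only for throwaway test certificates; use sha256
# for anything that has to be trusted.

[ca]

# Profile used when `openssl ca` is run without -name. This used to read
# `user`, but no [user] section is defined in this file, so the lookup could
# not succeed; `usr` is presumably what was meant.
default_ca = usr

# General end-entity certificates (extensions: [usr_cert]).
[usr]
database = index.txt
serial = serial
x509_extensions = usr_cert
default_md = sha1
policy = policy_match
# Keep any e-mail address out of the subject DN.
email_in_dn = no
certs = .

# OCSP responder certificates (extensions: [ocsp_cert]).
[ocsp]
database = index.txt
serial = serial
x509_extensions = ocsp_cert
default_md = sha1
policy = policy_match
email_in_dn = no
certs = .

# End-entity certificates without digitalSignature (extensions: [usr_cert_ke]).
[usr_ke]
database = index.txt
serial = serial
x509_extensions = usr_cert_ke
default_md = sha1
policy = policy_match
email_in_dn = no
certs = .

# End-entity certificates without keyEncipherment (extensions: [usr_cert_ds]).
[usr_ds]
database = index.txt
serial = serial
x509_extensions = usr_cert_ds
default_md = sha1
policy = policy_match
email_in_dn = no
certs = .

# Kerberos PKINIT client certificates (extensions: [pkinit_client_cert]).
[pkinit_client]
database = index.txt
serial = serial
x509_extensions = pkinit_client_cert
default_md = sha1
policy = policy_match
email_in_dn = no
certs = .

# Kerberos PKINIT KDC certificates (extensions: [pkinit_kdc_cert]).
[pkinit_kdc]
database = index.txt
serial = serial
x509_extensions = pkinit_kdc_cert
default_md = sha1
policy = policy_match
email_in_dn = no
certs = .

# HTTPS server certificates (extensions: [https_cert]).
[https]
database = index.txt
serial = serial
x509_extensions = https_cert
default_md = sha1
policy = policy_match
email_in_dn = no
certs = .

# Subordinate CA certificates (extensions: [v3_ca], i.e. CA:true).
[subca]
database = index.txt
serial = serial
x509_extensions = v3_ca
default_md = sha1
policy = policy_match
email_in_dn = no
certs = .


[req]
distinguished_name = req_distinguished_name
# The extensions to add to the self signed cert
x509_extensions = v3_ca

string_mask = utf8only

# CA certificate extensions: used by [req] for the self-signed certificate and
# by the [subca] profile.
# NOTE(review): RFC 5280 requires basicConstraints to be marked critical on CA
# certificates, no pathlen is set, and a CA key normally needs only
# keyCertSign and cRLSign. The values are left as they were because existing
# certificates presumably depend on them -- tighten them for any non-test CA.
[v3_ca]

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature

[usr_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash

[usr_cert_ke]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, keyEncipherment
subjectKeyIdentifier = hash

# Proxy certificate (proxyCertInfo extension) with pathlen 0, so no further
# proxy may be derived from it. No CA profile in this file references this
# section; presumably it is selected with -extensions on the command line.
[proxy_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo

# The next three sections build the ASN.1 value referenced by the
# subjectAltName in [pkinit_client_cert]: realm TEST.H5L.SE plus a principal
# name of name-type 1 with the single component `bar`.
[pkinitc_principals]
princ1 = GeneralString:bar

[pkinitc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:pkinitc_principals

[pkinitc_princ_name]
realm = EXP:0,GeneralString:TEST.H5L.SE
principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq

[pkinit_client_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
# otherName 1.3.6.1.5.2.2 is the PKINIT subjectAltName (id-pkinit-san).
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name

[https_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Left disabled by the author (XXX). As written, certificates from this
# profile carry no extendedKeyUsage and so are not restricted to server
# authentication.
#extendedKeyUsage = https-server XXX
subjectKeyIdentifier = hash

[pkinit_kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# 1.3.6.1.5.2.3.5 is the PKINIT KDC key purpose (id-pkinit-KPKdc).
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name

# ASN.1 value for the KDC subjectAltName above: realm TEST.H5L.SE and the
# two-component principal krbtgt/TEST.H5L.SE (name-type 1).
[pkinitkdc_princ_name]
realm = EXP:0,GeneralString:TEST.H5L.SE
principal_name = EXP:1,SEQUENCE:pkinitkdc_principal_seq

[pkinitkdc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:pkinitkdc_principals

[pkinitkdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:TEST.H5L.SE

# Same as [proxy_cert] but allows a proxy chain of up to 10 below it.
[proxy10_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo

[usr_cert_ds]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature
subjectKeyIdentifier = hash

[ocsp_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# ocsp-nocheck and kp-OCSPSigning
# NOTE(review): ocsp-nocheck (1.3.6.1.5.5.7.48.1.5) is defined as a certificate
# extension (OpenSSL: `noCheck = ignored`), not a key purpose, so listing it
# under extendedKeyUsage may not have the intended effect -- confirm against
# whatever consumes these certificates.
extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9
subjectKeyIdentifier = hash

# Prompts shown by `openssl req` when building the subject DN.
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = SE
countryName_min = 2
countryName_max = 2

# NOTE(review): `organizationalName` does not look like a standard attribute
# name (the usual ones are organizationName and organizationalUnitName), so
# this prompt is probably never shown -- verify before relying on it.
organizationalName = Organizational Unit Name (eg, section)

commonName = Common Name (eg, YOUR name)
commonName_max = 64

#[req_attributes]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20

# Subject policy applied by every CA profile above: the country must equal the
# CA's own and a common name must be present. Subject fields not listed here
# are dropped from the issued certificate by `openssl ca` unless -preserveDN
# is given.
[policy_match]
countryName = match
commonName = supplied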