# OpenSSL CONF-format configuration, read by the openssl command-line tools.
# $dir and $ENV::HOME are expanded by OpenSSL's config parser.
# @KEY_BITS@ reads as a build-time substitution placeholder -- presumably
# replaced before the file is used (confirm against the build).
# Comments are whole '#' lines; every key sits on its own line.

HOME = .
RANDFILE = $ENV::HOME/.rnd

# Section defining extra object identifiers (the TSA policy OIDs below).
oid_section = new_oids

[new_oids]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

# Entry point for 'openssl ca'.
[ca]
# CA section used when none is named on the command line.
default_ca = CA_default

# Working tree and policy for the certificate authority.
[CA_default]
# Root of the CA tree; every path below is relative to it.
dir = ./cruft
# Issued certificates.
certs = $dir/certs
# Issued CRLs.
crl_dir = $dir/crl
# Text index of issued certificates.
database = $dir/index.txt
# Destination for newly issued certificates.
new_certs_dir = $dir/certs
# The CA certificate.
certificate = $dir/cacert.pem
# The current serial number.
serial = $dir/serial
# The current CRL number.
crlnumber = $dir/crlnumber
# The current CRL.
crl = $dir/crl.pem
# The CA signing key; keep the private/ tree out of anything that is published.
private_key = $dir/private/cakey.pem
# Private random-number seed file.
RANDFILE = $dir/private/.rand
# Extension section applied to certificates this CA issues.
x509_extensions = usr_cert
# Subject name display options.
name_opt = ca_default
# Certificate field display options.
cert_opt = ca_default
# Validity of issued certificates, in days.
default_days = 365
# Days until the next CRL is due.
default_crl_days = 30
# Use the signing key's default message digest.
default_md = default
# Whether to keep the DN ordering passed in the request.
preserve = no
# Policy section a request's subject must satisfy.
policy = policy_match

# Subject fields that must match the CA certificate, be supplied, or are optional.
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Relaxed policy: only the common name is required.
[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Settings for 'openssl req'.
[req]
# Key size for generated keys (substitution placeholder, see header).
default_bits = @KEY_BITS@
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions added to a self-signed certificate.
x509_extensions = v3_ca
# Restrict DN string types to UTF8String.
string_mask = utf8only

[req_distinguished_name]
# NOTE(review): basicConstraints is an X.509 extension rather than a DN
# attribute; kept unchanged here -- confirm whether it was meant for an
# extension section instead.
basicConstraints = CA:FALSE

# Prompt strings and length bounds for request attributes.
[req_attributes]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

# Extensions for end-entity certificates issued by the CA above.
[usr_cert]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Extensions for a certificate request.
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Loopback names only; widen deliberately if the certificate must serve another host.
subjectAltName = DNS:localhost,IP:127.0.0.1,IP:::1

# Extensions for the self-signed CA certificate.
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# Not marked critical and no keyUsage constrains the CA key here --
# acceptable for a local test CA, tighten before any real deployment.
basicConstraints = CA:true

# Extensions added to CRLs.
[crl_ext]
authorityKeyIdentifier = keyid:always

# Extensions for proxy certificates; 'policy:foo' reads as a placeholder policy.
[proxy_cert_ext]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

# Entry point for 'openssl ts'.
[tsa]
# TSA section used when none is named on the command line.
default_tsa = tsa_config1

[tsa_config1]
# TSA root directory; note it differs from the CA tree (./cruft) above.
dir = ./demoCA
# The current serial number (mandatory).
serial = $dir/tsaserial
# OpenSSL engine used for signing.
crypto_device = builtin
# The TSA signing certificate (optional).
signer_cert = $dir/tsacert.pem
# Certificate chain to include in the reply (optional).
certs = $dir/cacert.pem
# The TSA private key (optional).
signer_key = $dir/private/tsakey.pem
# Policy used when the request does not name one (optional).
default_policy = tsa_policy1
# Other policies the TSA accepts (optional).
other_policies = tsa_policy2, tsa_policy3
# Message digests accepted in requests (mandatory). MD5 and SHA-1 are not
# collision resistant; they are kept here for what is presumably a test
# fixture, and a deployed TSA should list SHA-2 digests only.
digests = md5, sha1
# Accuracy of the time stamps (optional).
accuracy = secs:1, millisecs:500, microsecs:100
# Digits after the decimal point in the time (optional).
clock_precision_digits = 0
# Whether ordering is defined for time stamps (optional, default: no).
ordering = yes
# Whether the TSA name must be included in the reply (optional, default: no).
tsa_name = yes
# Whether the ESS certificate id chain must be included (optional, default: no).
ess_cert_id_chain = no