Warning, /libraries/qca/unittest/testcerts/openssl.cnf is written in an unsupported language. File is not indexed.
0001 # 0002 # OpenSSL example configuration file. 0003 # This is mostly being used for generation of certificate requests. 0004 # 0005 0006 # This definition stops the following lines choking if HOME isn't 0007 # defined. 0008 HOME = . 0009 RANDFILE = $ENV::HOME/.rnd 0010 0011 # Extra OBJECT IDENTIFIER info: 0012 #oid_file = $ENV::HOME/.oid 0013 oid_section = new_oids 0014 0015 # To use this configuration file with the "-extfile" option of the 0016 # "openssl x509" utility, name here the section containing the 0017 # X.509v3 extensions to use: 0018 # extensions = 0019 # (Alternatively, use a configuration file that has only 0020 # X.509v3 extensions in its main [= default] section.) 0021 0022 [ new_oids ] 0023 0024 # We can add new OIDs in here for use by 'ca' and 'req'. 0025 # Add a simple OID like this: 0026 # testoid1=1.2.3.4 0027 # Or use config file substitution like this: 0028 # testoid2=${testoid1}.5.6 0029 0030 #################################################################### 0031 [ ca ] 0032 default_ca = CA_default # The default ca section 0033 0034 #################################################################### 0035 [ CA_default ] 0036 0037 dir = ./CA # Where everything is kept 0038 certs = $dir/certs # Where the issued certs are kept 0039 crl_dir = $dir/crl # Where the issued crl are kept 0040 database = $dir/index.txt # database index file. 0041 #unique_subject = no # Set to 'no' to allow creation of 0042 # several ctificates with same subject. 0043 new_certs_dir = $dir/newcerts # default place for new certs. 0044 0045 certificate = $dir/cacert.pem # The CA certificate 0046 serial = $dir/serial # The current serial number 0047 crlnumber = $dir/crlnumber # the current crl number 0048 # must be commented out to leave a V1 CRL 0049 crl = $dir/crl.pem # The current CRL 0050 private_key = $dir/private/cakey.pem# The private key 0051 RANDFILE = $dir/private/.rand # private random number file 0052 0053 x509_extensions = usr_cert # The extentions to add to the cert 0054 0055 # Comment out the following two lines for the "traditional" 0056 # (and highly broken) format. 0057 name_opt = ca_default # Subject Name options 0058 cert_opt = ca_default # Certificate field options 0059 0060 # Extension copying option: use with caution. 0061 # copy_extensions = copy 0062 0063 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 0064 # so this is commented out by default to leave a V1 CRL. 0065 # crlnumber must also be commented out to leave a V1 CRL. 0066 # crl_extensions = crl_ext 0067 0068 default_days = 1825 # how long to certify for 0069 default_crl_days= 300 # how long before next CRL 0070 default_md = sha1 # which md to use. 0071 preserve = no # keep passed DN ordering 0072 0073 # A few difference way of specifying how similar the request should look 0074 # For type CA, the listed attributes must be the same, and the optional 0075 # and supplied fields are just that :-) 0076 policy = policy_match 0077 0078 # For the CA policy 0079 [ policy_match ] 0080 countryName = match 0081 stateOrProvinceName = match 0082 organizationName = match 0083 organizationalUnitName = optional 0084 commonName = supplied 0085 emailAddress = optional 0086 0087 # For the 'anything' policy 0088 # At this point in time, you must list all acceptable 'object' 0089 # types. 0090 [ policy_anything ] 0091 countryName = optional 0092 stateOrProvinceName = optional 0093 localityName = optional 0094 organizationName = optional 0095 organizationalUnitName = optional 0096 commonName = supplied 0097 emailAddress = optional 0098 0099 #################################################################### 0100 [ req ] 0101 default_bits = 1024 0102 default_md = sha1 0103 default_keyfile = privkey.pem 0104 distinguished_name = req_distinguished_name 0105 attributes = req_attributes 0106 x509_extensions = v3_ca # The extentions to add to the self signed cert 0107 0108 # Passwords for private keys if not present they will be prompted for 0109 # input_password = secret 0110 # output_password = secret 0111 0112 # This sets a mask for permitted string types. There are several options. 0113 # default: PrintableString, T61String, BMPString. 0114 # pkix : PrintableString, BMPString. 0115 # utf8only: only UTF8Strings. 0116 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 0117 # MASK:XXXX a literal mask value. 0118 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 0119 # so use this option with caution! 0120 # we use PrintableString+UTF8String mask so if pure ASCII texts are used 0121 # the resulting certificates are compatible with Netscape 0122 string_mask = MASK:0x2002 0123 0124 # req_extensions = v3_req # The extensions to add to a certificate request 0125 0126 [ req_distinguished_name ] 0127 countryName = Country Name (2 letter code) 0128 countryName_default = AU 0129 countryName_min = 2 0130 countryName_max = 2 0131 0132 stateOrProvinceName = State or Province Name (full name) 0133 stateOrProvinceName_default = Australian Capital Territory 0134 0135 localityName = Locality Name (eg, city) 0136 localityName_default = QcaLand 0137 0138 0.organizationName = Organization Name (eg, company) 0139 0.organizationName_default = Qca Development and Test 0140 0141 # we can do this but it is not needed normally :-) 0142 #1.organizationName = Second Organization Name (eg, company) 0143 #1.organizationName_default = World Wide Web Pty Ltd 0144 0145 organizationalUnitName = Organizational Unit Name (eg, section) 0146 organizationalUnitName_default = Certificate Generation Section 0147 0148 commonName = Common Name (eg, your name or your server\'s hostname) 0149 commonName_max = 64 0150 0151 emailAddress = Email Address 0152 emailAddress_max = 64 0153 emailAddress_default = testonly@test.example.com 0154 0155 # SET-ex3 = SET extension number 3 0156 0157 [ req_attributes ] 0158 # not used 0159 0160 [ usr_cert ] 0161 0162 # These extensions are added when 'ca' signs a request. 0163 0164 # This goes against PKIX guidelines but some CAs do it and some software 0165 # requires this to avoid interpreting an end user certificate as a CA. 0166 # basicConstraints=CA:FALSE 0167 0168 # For normal client use this is typical 0169 # nsCertType = client, email 0170 nsCertType = server 0171 # nsCertType = client, email, objsign 0172 0173 # This is typical in keyUsage for a client certificate. 0174 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 0175 keyUsage = digitalSignature, nonRepudiation, keyEncipherment 0176 #extendedKeyUsage = clientAuth, emailProtection 0177 extendedKeyUsage = serverAuth 0178 # This will be displayed in Netscape's comment listbox. 0179 # nsComment = "This certificate was issued for testing only!" 0180 nsComment = "This certificate was issued for qca server testing only!" 0181 0182 # PKIX recommendations harmless if included in all certificates. 0183 subjectKeyIdentifier=hash 0184 authorityKeyIdentifier=keyid,issuer:always 0185 0186 # This stuff is for subjectAltName and issuerAltname. 0187 # Import the email address. 0188 subjectAltName=email:copy 0189 # An alternative to produce certificates that aren't 0190 # deprecated according to PKIX. 0191 # subjectAltName=email:move 0192 0193 # Copy subject details 0194 issuerAltName=issuer:copy 0195 0196 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 0197 #nsBaseUrl 0198 #nsRevocationUrl 0199 #nsRenewalUrl 0200 #nsCaPolicyUrl 0201 #nsSslServerName 0202 0203 [ v3_req ] 0204 0205 # Extensions to add to a certificate request 0206 0207 basicConstraints = CA:FALSE 0208 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 0209 0210 [ v3_ca ] 0211 0212 basicConstraints = critical,CA:true 0213 # keyUsage = cRLSign, keyCertSign 0214 keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature 0215 subjectKeyIdentifier=hash 0216 authorityKeyIdentifier=keyid:always,issuer:always 0217 0218 # Include email address in subject alt name: another PKIX recommendation 0219 subjectAltName=email:copy 0220 # Copy issuer details 0221 issuerAltName=issuer:copy 0222 0223 # Some might want this also 0224 nsCertType = sslCA, emailCA, objCA 0225 nsComment = "This certificate was issued for testing only!" 0226 0227 # DER hex encoding of an extension: beware experts only! 0228 # obj=DER:02:03 0229 # Where 'obj' is a standard or added object 0230 # You can even override a supported extension: 0231 # basicConstraints= critical, DER:30:03:01:01:FF 0232 0233 [ crl_ext ] 0234 0235 # CRL extensions. 0236 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 0237 0238 issuerAltName=issuer:copy 0239 authorityKeyIdentifier=keyid:always,issuer:always 0240 0241 [ proxy_cert_ext ] 0242 # These extensions should be added when creating a proxy certificate 0243 0244 # This goes against PKIX guidelines but some CAs do it and some software 0245 # requires this to avoid interpreting an end user certificate as a CA. 0246 0247 basicConstraints=CA:FALSE 0248 0249 # Here are some examples of the usage of nsCertType. If it is omitted 0250 # the certificate can be used for anything *except* object signing. 0251 0252 # This is OK for an SSL server. 0253 # nsCertType = server 0254 0255 # For an object signing certificate this would be used. 0256 # nsCertType = objsign 0257 0258 # For normal client use this is typical 0259 # nsCertType = client, email 0260 0261 # and for everything including object signing: 0262 # nsCertType = client, email, objsign 0263 0264 # This is typical in keyUsage for a client certificate. 0265 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 0266 0267 # This will be displayed in Netscape's comment listbox. 0268 nsComment = "OpenSSL Generated Certificate" 0269 0270 # PKIX recommendations harmless if included in all certificates. 0271 subjectKeyIdentifier=hash 0272 authorityKeyIdentifier=keyid,issuer:always 0273 0274 # This stuff is for subjectAltName and issuerAltname. 0275 # Import the email address. 0276 # subjectAltName=email:copy 0277 # An alternative to produce certificates that aren't 0278 # deprecated according to PKIX. 0279 # subjectAltName=email:move 0280 0281 # Copy subject details 0282 # issuerAltName=issuer:copy 0283 0284 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 0285 #nsBaseUrl 0286 #nsRevocationUrl 0287 #nsRenewalUrl 0288 #nsCaPolicyUrl 0289 #nsSslServerName 0290 0291 # This really needs to be in place for it to be a proxy certificate. 0292 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo