FCL/sf/os/ossrv: ssl/tsrc/BC/libcrypto/topenssl/data/openssl.cnf@97b0fb8a2cc2 (annotated)

0 e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	1	#
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	2	# OpenSSL example configuration file.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	3	# This is mostly being used for generation of certificate requests.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	4	#
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	5
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	6	# This definition stops the following lines choking if HOME isn't
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	7	# defined.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	8	HOME = .
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	9	RANDFILE = $ENV::HOME/.rnd
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	10
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	11	# Extra OBJECT IDENTIFIER info:
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	12	#oid_file = $ENV::HOME/.oid
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	13	oid_section = new_oids
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	14
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	15	# To use this configuration file with the "-extfile" option of the
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	16	# "openssl x509" utility, name here the section containing the
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	17	# X.509v3 extensions to use:
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	18	# extensions =
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	19	# (Alternatively, use a configuration file that has only
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	20	# X.509v3 extensions in its main [= default] section.)
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	21
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	22	[ new_oids ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	23
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	24	# We can add new OIDs in here for use by 'ca' and 'req'.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	25	# Add a simple OID like this:
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	26	# testoid1=1.2.3.4
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	27	# Or use config file substitution like this:
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	28	# testoid2=${testoid1}.5.6
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	29
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	30	####################################################################
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	31	[ ca ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	32	default_ca = CA_default # The default ca section
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	33
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	34	####################################################################
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	35	[ CA_default ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	36
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	37	dir = ./demoCA # Where everything is kept
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	38	certs = $dir/certs # Where the issued certs are kept
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	39	crl_dir = $dir/crl # Where the issued crl are kept
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	40	database = $dir/index.txt # database index file.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	41	#unique_subject = no # Set to 'no' to allow creation of
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	42	# several ctificates with same subject.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	43	new_certs_dir = $dir/newcerts # default place for new certs.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	44
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	45	certificate = $dir/cacert.pem # The CA certificate
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	46	serial = $dir/serial # The current serial number
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	47	crlnumber = $dir/crlnumber # the current crl number
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	48	# must be commented out to leave a V1 CRL
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	49	crl = $dir/crl.pem # The current CRL
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	50	private_key = $dir/private/cakey.pem# The private key
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	51	RANDFILE = $dir/private/.rand # private random number file
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	52
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	53	x509_extensions = usr_cert # The extentions to add to the cert
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	54
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	55	# Comment out the following two lines for the "traditional"
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	56	# (and highly broken) format.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	57	name_opt = ca_default # Subject Name options
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	58	cert_opt = ca_default # Certificate field options
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	59
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	60	# Extension copying option: use with caution.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	61	# copy_extensions = copy
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	62
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	63	# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	64	# so this is commented out by default to leave a V1 CRL.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	65	# crlnumber must also be commented out to leave a V1 CRL.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	66	# crl_extensions = crl_ext
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	67
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	68	default_days = 365 # how long to certify for
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	69	default_crl_days= 30 # how long before next CRL
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	70	default_md = sha1 # which md to use.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	71	preserve = no # keep passed DN ordering
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	72
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	73	# A few difference way of specifying how similar the request should look
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	74	# For type CA, the listed attributes must be the same, and the optional
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	75	# and supplied fields are just that :-)
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	76	policy = policy_match
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	77
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	78	# For the CA policy
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	79	[ policy_match ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	80	countryName = match
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	81	stateOrProvinceName = match
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	82	organizationName = match
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	83	organizationalUnitName = optional
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	84	commonName = supplied
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	85	emailAddress = optional
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	86
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	87	# For the 'anything' policy
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	88	# At this point in time, you must list all acceptable 'object'
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	89	# types.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	90	[ policy_anything ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	91	countryName = optional
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	92	stateOrProvinceName = optional
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	93	localityName = optional
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	94	organizationName = optional
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	95	organizationalUnitName = optional
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	96	commonName = supplied
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	97	emailAddress = optional
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	98
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	99	####################################################################
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	100	[ req ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	101	default_bits = 1024
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	102	default_keyfile = privkey.pem
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	103	distinguished_name = req_distinguished_name
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	104	attributes = req_attributes
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	105	x509_extensions = v3_ca # The extentions to add to the self signed cert
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	106
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	107	# Passwords for private keys if not present they will be prompted for
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	108	# input_password = secret
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	109	# output_password = secret
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	110
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	111	# This sets a mask for permitted string types. There are several options.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	112	# default: PrintableString, T61String, BMPString.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	113	# pkix : PrintableString, BMPString.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	114	# utf8only: only UTF8Strings.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	115	# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	116	# MASK:XXXX a literal mask value.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	117	# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	118	# so use this option with caution!
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	119	string_mask = nombstr
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	120
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	121	# req_extensions = v3_req # The extensions to add to a certificate request
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	122
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	123	[ req_distinguished_name ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	124	countryName = Country Name (2 letter code)
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	125	countryName_default = AU
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	126	countryName_min = 2
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	127	countryName_max = 2
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	128
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	129	stateOrProvinceName = State or Province Name (full name)
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	130	stateOrProvinceName_default = Some-State
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	131
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	132	localityName = Locality Name (eg, city)
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	133
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	134	0.organizationName = Organization Name (eg, company)
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	135	0.organizationName_default = Internet Widgits Pty Ltd
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	136
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	137	# we can do this but it is not needed normally :-)
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	138	#1.organizationName = Second Organization Name (eg, company)
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	139	#1.organizationName_default = World Wide Web Pty Ltd
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	140
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	141	organizationalUnitName = Organizational Unit Name (eg, section)
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	142	#organizationalUnitName_default =
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	143
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	144	commonName = Common Name (eg, YOUR name)
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	145	commonName_max = 64
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	146
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	147	emailAddress = Email Address
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	148	emailAddress_max = 64
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	149
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	150	# SET-ex3 = SET extension number 3
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	151
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	152	[ req_attributes ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	153	challengePassword = A challenge password
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	154	challengePassword_min = 4
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	155	challengePassword_max = 20
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	156
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	157	unstructuredName = An optional company name
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	158
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	159	[ usr_cert ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	160
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	161	# These extensions are added when 'ca' signs a request.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	162
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	163	# This goes against PKIX guidelines but some CAs do it and some software
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	164	# requires this to avoid interpreting an end user certificate as a CA.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	165
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	166	basicConstraints=CA:FALSE
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	167
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	168	# Here are some examples of the usage of nsCertType. If it is omitted
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	169	# the certificate can be used for anything except object signing.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	170
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	171	# This is OK for an SSL server.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	172	# nsCertType = server
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	173
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	174	# For an object signing certificate this would be used.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	175	# nsCertType = objsign
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	176
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	177	# For normal client use this is typical
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	178	# nsCertType = client, email
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	179
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	180	# and for everything including object signing:
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	181	# nsCertType = client, email, objsign
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	182
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	183	# This is typical in keyUsage for a client certificate.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	184	# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	185
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	186	# This will be displayed in Netscape's comment listbox.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	187	nsComment = "OpenSSL Generated Certificate"
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	188
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	189	# PKIX recommendations harmless if included in all certificates.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	190	subjectKeyIdentifier=hash
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	191	authorityKeyIdentifier=keyid,issuer
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	192
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	193	# This stuff is for subjectAltName and issuerAltname.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	194	# Import the email address.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	195	# subjectAltName=email:copy
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	196	# An alternative to produce certificates that aren't
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	197	# deprecated according to PKIX.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	198	# subjectAltName=email:move
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	199
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	200	# Copy subject details
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	201	# issuerAltName=issuer:copy
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	202
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	203	#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	204	#nsBaseUrl
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	205	#nsRevocationUrl
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	206	#nsRenewalUrl
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	207	#nsCaPolicyUrl
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	208	#nsSslServerName
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	209
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	210	[ v3_req ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	211
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	212	# Extensions to add to a certificate request
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	213
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	214	basicConstraints = CA:FALSE
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	215	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	216
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	217	[ v3_ca ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	218
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	219
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	220	# Extensions for a typical CA
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	221
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	222
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	223	# PKIX recommendation.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	224
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	225	subjectKeyIdentifier=hash
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	226
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	227	authorityKeyIdentifier=keyid:always,issuer:always
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	228
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	229	# This is what PKIX recommends but some broken software chokes on critical
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	230	# extensions.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	231	#basicConstraints = critical,CA:true
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	232	# So we do this instead.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	233	basicConstraints = CA:true
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	234
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	235	# Key usage: this is typical for a CA certificate. However since it will
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	236	# prevent it being used as an test self-signed certificate it is best
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	237	# left out by default.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	238	# keyUsage = cRLSign, keyCertSign
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	239
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	240	# Some might want this also
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	241	# nsCertType = sslCA, emailCA
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	242
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	243	# Include email address in subject alt name: another PKIX recommendation
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	244	# subjectAltName=email:copy
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	245	# Copy issuer details
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	246	# issuerAltName=issuer:copy
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	247
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	248	# DER hex encoding of an extension: beware experts only!
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	249	# obj=DER:02:03
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	250	# Where 'obj' is a standard or added object
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	251	# You can even override a supported extension:
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	252	# basicConstraints= critical, DER:30:03:01:01:FF
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	253
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	254	[ crl_ext ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	255
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	256	# CRL extensions.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	257	# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	258
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	259	# issuerAltName=issuer:copy
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	260	authorityKeyIdentifier=keyid:always,issuer:always
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	261
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	262	[ proxy_cert_ext ]
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	263	# These extensions should be added when creating a proxy certificate
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	264
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	265	# This goes against PKIX guidelines but some CAs do it and some software
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	266	# requires this to avoid interpreting an end user certificate as a CA.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	267
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	268	basicConstraints=CA:FALSE
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	269
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	270	# Here are some examples of the usage of nsCertType. If it is omitted
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	271	# the certificate can be used for anything except object signing.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	272
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	273	# This is OK for an SSL server.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	274	# nsCertType = server
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	275
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	276	# For an object signing certificate this would be used.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	277	# nsCertType = objsign
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	278
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	279	# For normal client use this is typical
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	280	# nsCertType = client, email
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	281
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	282	# and for everything including object signing:
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	283	# nsCertType = client, email, objsign
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	284
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	285	# This is typical in keyUsage for a client certificate.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	286	# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	287
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	288	# This will be displayed in Netscape's comment listbox.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	289	nsComment = "OpenSSL Generated Certificate"
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	290
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	291	# PKIX recommendations harmless if included in all certificates.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	292	subjectKeyIdentifier=hash
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	293	authorityKeyIdentifier=keyid,issuer:always
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	294
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	295	# This stuff is for subjectAltName and issuerAltname.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	296	# Import the email address.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	297	# subjectAltName=email:copy
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	298	# An alternative to produce certificates that aren't
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	299	# deprecated according to PKIX.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	300	# subjectAltName=email:move
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	301
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	302	# Copy subject details
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	303	# issuerAltName=issuer:copy
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	304
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	305	#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	306	#nsBaseUrl
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	307	#nsRevocationUrl
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	308	#nsRenewalUrl
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	309	#nsCaPolicyUrl
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	310	#nsSslServerName
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	311
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	312	# This really needs to be in place for it to be a proxy certificate.
e4d67989cc36 Revision: 201002 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	313	proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

author	hgs
	Tue, 20 Jul 2010 16:35:53 +0530
changeset 44	97b0fb8a2cc2
parent 0	e4d67989cc36
permissions	-rw-r--r--