fireflyjava
openssl.cnf - OpenSSL configuration file directive

openssl.cnf (download)
# =================================================
# OpenSSL configuration file
# =================================================

#RANDFILE         = $ENV::SSLDIR/.rnd

[ ca ]
default_ca       = CA_default

[ CA_default ]
#dir              = $ENV::SSLDIR
dir              = F:/IBM/ssl/ca/new
certs            = $dir/certs
new_certs_dir    = $dir/newcerts
crl_dir          = $dir/crl
database         = $dir/index.txt
private_key      = $dir/private/ca.key
certificate      = $dir/ca.crt
serial           = $dir/serial
crl              = $dir/crl.pem
RANDFILE         = $dir/private/.rand
default_days     = 365
default_crl_days = 30
default_md       = sha256        # was sha1; SHA-1 signatures are rejected by current clients
preserve         = no
policy           = policy_anything
name_opt         = ca_default
cert_opt         = ca_default
# There is no x509_extensions here, so openssl ca adds no extensions at all unless
# one of the sections below is named on the command line (-extensions ssl_server).
# Uncomment to put the [ crl_ext ] extensions into CRLs produced with -gencrl:
#crl_extensions   = crl_ext


[ policy_anything ]
# Any request field not listed here is silently dropped from the issued subject
# (unless preserve = yes); leaving emailAddress commented out strips it.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
#emailAddress            = optional



[ req ]
default_bits            = 2048    # was 1024; 1024-bit RSA is no longer acceptable
default_md              = sha256  # was sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca   # used only by req -x509 (self-signed CA certificate)
string_mask             = nombstr # Netscape-era setting; utf8only is the current default

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_default     = HK
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name
stateOrProvinceName_default     = HONG KONG
localityName            = Locality Name
localityName_default    = HONG KONG
0.organizationName      = Organization Name
0.organizationName_default       = IBM
0.organizationalUnitName          = Level 0 Organizational Unit
0.organizationalUnitName_default = IBM AS
1.organizationalUnitName          = Level 1 Organizational Unit
1.organizationalUnitName_default = IBM AS DBS
commonName              = Common Name (eg, YOUR name)
commonName_default      = IST.UAT.HK.DBS.COM
commonName_max          = 64
# The bare attribute is the prompt text; the address itself belongs in _default.
emailAddress            = Email Address
emailAddress_default    = likun35@163.com
emailAddress_max        = 64


[ usr_cert ]
basicConstraints        = CA:FALSE
# nsCaRevocationUrl       = https://url-to-exposed-clr-list/crl.pem

[ ssl_server ]
basicConstraints        = CA:FALSE
nsCertType              = server
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, nsSGC, msSGC   # nsSGC/msSGC are obsolete Server Gated Crypto OIDs
nsComment               = "OpenSSL Certificate for SSL Web Server"
# Add subjectAltName = DNS:<host> here (or copy it from the request): current
# clients match the host name against the SAN and ignore the CN.

[ ssl_client ]
basicConstraints        = CA:FALSE
nsCertType              = client
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth
nsComment               = "OpenSSL Certificate for SSL Client"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints        = critical, CA:true, pathlen:0
subjectKeyIdentifier    = hash   # PKIX recommendation; also required for keyid in authorityKeyIdentifier
nsCertType              = sslCA
keyUsage                = cRLSign, keyCertSign
extendedKeyUsage        = serverAuth, clientAuth   # also limits the purposes OpenSSL accepts from certs this CA issues
nsComment               = "OpenSSL CA Certificate"

[ crl_ext ]
# Only issuerAltName and authorityKeyIdentifier are meaningful in a CRL; the
# basicConstraints, keyUsage and nsComment that used to be here mean nothing there.
authorityKeyIdentifier  = keyid:always




Note:
To add more OUs, number them in sequence:
0.organizationalUnitName          = Level 0 Organizational Unit
1.organizationalUnitName          = Level 1 Organizational Unit
2.organizationalUnitName          = Level 2 Organizational Unit


********************************************************************

NAME
openssl.cnf - OpenSSL configuration file



--------------------------------------------------------------------------------

DESCRIPTION
The file openssl.cnf contains configuration information used by three openssl (sub-)commands: ca, req and x509. The file provides default values that are used when corresponding options are omitted from the three commands; it also provides default prompts and other values that affect the way the commands interact with the user.

openssl.cnf is divided into sections that begin with bracketed identifiers. Examples include [ ca ] and [ req ], which affect the behavior of openssl's ca and req commands. The first bracketed identifier in the file can be preceded by directives that affect the entire configuration file.

Within each section, directives consist of attributes (on the left-hand side), an equals sign (``=''), and value(s) for the attribute (on the right-hand side).



--------------------------------------------------------------------------------

CA CONFIGURATION DIRECTIVES
The directives below are used by the openssl ca (Certificate Authority) command. Many of them correspond to ca command options. In some cases, omitting the options when invoking the ca command will cause ca to use the values in the openssl.cnf file. In other cases, ca command options (-name [section], -crlexts [section], -extensions [section]) explicitly refer to sections of the openssl.cnf file that would otherwise be ignored.



--------------------------------------------------------------------------------

[ ca ] Section
default_ca
On startup, the default behavior of openssl's ca command is to check the [ ca ] section for the value of the default_ca attribute, which references another section of the openssl.cnf file.

Thus, the following directive (in the sample openssl.cnf file shipped with OpenSSL)

default_ca = CA_default

tells the ca command to look for a section named [ CA_default ], which has the actual attributes used by the ca command.

You can override the value of the default_ca attribute by using the ca command's -name [section] option.



--------------------------------------------------------------------------------

[ CA_default ] Section
In the default openssl.cnf file, directives for the ca command are in this section. You can change the name of this section by changing the value of the default_ca attribute in the [ ca ] section of the configuration file.

If you regularly need different sets of configuration options when issuing the ca command, you can create other sections whose contents parallel the contents of CA_default (but with different values specified). Then, when you issue the openssl ca command, specify a different section with the -name [section] option to the ca command.

oid_file
The name of a file that contains object identifier definitions. The format of this file is one definition per line, each line consisting of three columns. The first column is the numerical representation of the OID. The second column is the OID's short name, which should be a single word composed of only upper- and lowercase letters. The third column is the OID's long name, which may be composed of multiple words and characters other than letters. (Source: Viega2002, p. 313)

oid_section
The name of a section (of this configuration file) that contains object identifier definitions. Key names in the section should be the OID's short name, and the corresponding value should be the OID's numerical representation. Long names are the same as the short names for OIDs that are defined in this manner. (Source: Viega2002, p. 313)

dir
The default directory that ca reads from and writes to (unless told to do otherwise).

The sample openssl.cnf file has the line:

dir = ./demoCA

indicating that the demoCA directory (beneath whatever is the current working directory) contains files to be read. It is also the default directory to which new certs and keys are written.

You might want to change the value to something like ./ (the current directory).

certs
The directory where issued certs are kept.

The sample openssl.cnf file has the line:

certs = $dir/certs

crl_dir
The directory where issued certificate revocation lists are kept.

The sample openssl.cnf file has the line:

crl_dir = $dir/crl

database
A ``database index file''--a text file with one line for every certificate issued. Each line has six tab-separated fields: the status flag (V = valid, R = revoked, E = expired), the expiry date, the revocation date (empty unless revoked), the serial number in hex, the certificate file name (or ``unknown''), and the subject DN. The serial number is the index to the certs themselves, which are stored in the new_certs_dir (see below) as <serial>.pem.

The sample openssl.cnf file has the line:

database = $dir/index.txt

new_certs_dir
A directory where a copy of each issued certificate is stored, named <serial>.pem (e.g. 01.pem, 02.pem, ...), where <serial> is the hex serial number recorded in the database index file (above).

You can view individual certs in the new_certs_dir by issuing a command something like:

# openssl x509 -noout -text -in <cert_file>

where: cert_file is one of the files <serial>.pem

The sample openssl.cnf file has the line:

new_certs_dir = $dir/newcerts

certificate
The name of the file that contains the certificate authority's certificate (the ``CA cert'') to be used in signing (or revoking, etc.) a cert.

The sample openssl.cnf file has the line:

certificate = $dir/cacert.pem

You can override the value of the certificate attribute by using the ca command's -cert <filename> option.

serial
The name of the file holding the serial number (in hex) to use for the next certificate issued; ca increments it after each certificate. (The serial number appears in the cert's entry in the database index file (see ``database'' above) and in the cert's file name in the new_certs_dir (see above).)

The sample openssl.cnf file has the line:

serial = $dir/serial

serialfile
The name of a file that will be used to keep track of the next serial number that will be assigned to a certificate when it is issued. This setting is mandatory and has no corresponding command-line option. (Source: Viega2002, p. 314) [Note: this is apparently a synonym for the serial directive above; the ca command itself reads ``serial''.]

crl
The file name of the current certificate revocation list.

The sample openssl.cnf file has the line:

crl = $dir/crl.pem

private_key
The private key of the certificate authority that corresponds to the CA certificate referenced by the ``certificate'' attribute (see above).

The sample openssl.cnf file has the line:

private_key = $dir/private/cakey.pem

RANDFILE
A private random number file.

The sample openssl.cnf file has the line:

RANDFILE = $dir/private/.rand

x509_extensions
The name of a section (in the configuration file) that contains directives for the ca command when it signs a cert.

The sample openssl.cnf file has the line:

x509_extensions = usr_cert

See the section [ usr_cert ] below.

You can override this value by using the ca command's -extensions [section] option.

crl_extensions
The name of a section (in the configuration file) that contains extensions the ca command adds to a CRL when it generates one (-gencrl).

The sample openssl.cnf file has the line (commented out):

crl_extensions = crl_ext

The sample notes: ``Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL.''

default_days
The default number of days a signed cert will be valid.

The sample openssl.cnf file has the line:

default_days = 365

You can override this value with one of the following options to the ca command:

-enddate <YYMMDDHHMMSSZ>
-days <num_days>

default_startdate
The default starting date for which issued certificates will be valid. This is the same as the startdate command-line option. (Source: Viega2002, p. 313)

The format of the date is YYMMDDHHMMSSZ, where ``Z'' is the capital letter Z.

default_enddate
The default ending date for which issued certificates will be valid. This is the same as the enddate command-line option. (Source: Viega2002, p. 313)

The format of the date is YYMMDDHHMMSSZ, where ``Z'' is the capital letter Z.

default_crl_days
The default number of days before the next certificate revocation list.

The sample openssl.cnf file has the line:

default_crl_days= 30

default_crl_hours
The default number of hours until a new certificate revocation list is generated. This is the same as the crlhours command-line option. (Source: Viega2002, p. 313)

default_md
The message digest algorithm used to sign certificates and CRLs. Possible values include md5, sha1, sha256 and any other digest the OpenSSL build supports.

The sample openssl.cnf file (of the release this page describes) has the line:

default_md = md5

Neither md5 nor sha1 is acceptable for signatures any more: collisions are practical for MD5 and have been demonstrated for SHA-1, and current browsers and TLS libraries reject SHA-1-signed certificates. Use sha256 or stronger, which is what current sample files ship with.

You can override this value by using the ca command's -md <algorithm> option.

preserve
Indicates whether to preserve the order of the Distinguished Name (DN) fields to match the order passed in.

The sample openssl.cnf file has the line:

preserve = no

You can override this value by using the ca command's -preserveDN option.

msie_hack
If set to yes, certificates that are issued will work with very old versions of the Internet Explorer certificate enrollment control ``certenr3''. Avoid using this option unless you know that you absolutely need it. (Source: Viega2002, p. 314)

policy
The name of another section in the openssl.cnf file that defines which fields are mandatory or which must match the CA certificate.

The sample openssl.cnf file has the line:

policy = policy_match

You can override this value by using the ca command's -policy [section] option.

See [ policy_match ] and [ policy_anything ] below for examples of two policy sections that appear in the sample openssl.cnf file. (You may choose other names for your policy sections, and reference those names with the ca command's -policy [section] option or as the value of the policy attribute in the openssl.cnf file.)



--------------------------------------------------------------------------------

[ policy_match ] and [ policy_anything ] Sections
The [ policy_match ] and [ policy_anything ] sections appear in the sample openssl.cnf file.

policy_match (in the sample) indicates OIDs (attributes) that must be the same (``match''), are optional, or as supplied:

match
The OID must be present in the certificate request and must match the same OID in the CA's distinguished name.

supplied
Must be present in the certificate request.

optional
May or may not be present in the certificate request.

A comment at the beginning of the [ policy_anything ] section says that you must list every acceptable ``object'' type (countryName, stateOrProvinceName, localityName, organizationName, organizationalUnitName, commonName, emailAddress), even the optional ones. The reason is that ca builds the subject of the issued certificate from the policy section: any field in the request that the policy does not mention is silently dropped from the issued certificate (unless preserve = yes or -preserveDN is given). That is also why [ policy_match ] can omit localityName: under that policy a locality in the request is simply not carried into the certificate.

countryName
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.

In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.

stateOrProvinceName
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.

In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.

localityName
This attribute does not appear in the [ policy_match ] section of the sample openssl.cnf file.

In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.

organizationName
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.

In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.

organizationalUnitName
This attribute has an ``optional'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.

commonName
This attribute has a ``supplied'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.

emailAddress
This attribute has an ``optional'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.



--------------------------------------------------------------------------------

REQ CONFIGURATION DIRECTIVES
The directives below are used by the openssl req command, which creates and processes certificate requests in PKCS#10 (Public Key Cryptography Standard No. 10) format, creates self-signed certificates for use as root CA certs, etc.



--------------------------------------------------------------------------------

[ req ]
On startup, the openssl req command reads the [ req ] section of openssl.cnf for default values that are not specified as arguments or options to the req command.

default_bits
The default key size in bits. This value is used when req is invoked with the -new option (for a new certificate request).

Default value if unset: 512 in OpenSSL releases before 1.1.0, 2048 from 1.1.0 on.

The sample openssl.cnf file has the line:

default_bits = 1024

1024-bit RSA keys are no longer considered adequate; use 2048 or more.

You can override this value by using the req command's -newkey option.

default_keyfile
The name of the file to which a newly generated private key will be written.

The sample openssl.cnf file has the line:

default_keyfile = privkey.pem

You can override this value by using the req command's -keyout <filename>

distinguished_name
The name of another section in the openssl.cnf file that defines the prompts used when asking the user for information needed to generate a cert. The referenced section also gives default values (if none are entered) and constraints on allowed values.

The sample openssl.cnf file has the line:

distinguished_name = req_distinguished_name

See the [ req_distinguished_name ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.

attributes
Like the distinguished_name attribute, attributes is the name of another section in the openssl.cnf file that defines the prompts used when asking the user for information needed to generate a cert. The referenced section also gives default values (if none are entered) and constraints on allowed values.

The sample openssl.cnf file has the line:

attributes = req_attributes

See the [ req_attributes ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.

x509_extensions
The name of another section in the openssl.cnf file that contains a list of extensions to add to certificates generated when the req command is invoked with the -x509 option.

The sample openssl.cnf file has the line:

x509_extensions = v3_ca

See the [ v3_ca ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.

You can override this value by using the req command's -extensions [section] option to specify the name of some other section of the file that lists extensions to add.

input_password
output_password
Passwords for private keys can be specified as values for the input_password and output_password attributes. If these lines are not present in openssl.cnf, the user will be prompted for the password.

The sample openssl.cnf file has the lines (commented out):

# input_password = secret
# output_password = secret

(If you decide to uncomment the above, be sure to change the password from ``secret''!)

If the above lines are not present in openssl.cnf, the user will be prompted for a password unless the req command is invoked with the -passin <arg> and/or -passout <arg> options, where <arg> names a pass phrase source such as pass:<phrase>, env:<VAR>, file:<path> or stdin.

string_mask
A mask for the ASN.1 string types permitted in distinguished name fields.

Possible values:

default    PrintableString, T61String, BMPString

pkix       PrintableString, BMPString

utf8only   only UTF8Strings

nombstr    PrintableString, T61String (no BMPStrings or UTF8Strings)

MASK:XXXX  a literal mask value

The sample openssl.cnf file has the line:

string_mask = nombstr

WARNING: Current versions of Netscape crash on BMPStrings or UTF8Strings so use this option with caution!

That warning and the nombstr setting date from the Netscape era. utf8only is what RFC 5280 requires for new certificates and is what current OpenSSL sample configuration files ship with.

req_extensions
The name of another section in the openssl.cnf file that contains a list of extensions to add to a certificate request.

The sample openssl.cnf file has the line (commented out):

# req_extensions = v3_req

See the [ v3_req ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.

You can override this value by using the req command's -reqexts [section] option to specify the name of some other section of the file that lists extensions to add.



--------------------------------------------------------------------------------

[ req_distinguished_name ] Section
This section defines the prompts when asking the user for information needed to generate a cert. It also gives default values (if the user doesn't enter any) and constraints on allowed values.

Note: If a set of related attributes includes one with a ``_default'' suffix, then if the user enters no value for the attribute, the default value will be used. To specify that no value is desired, enter ``.''

countryName
The text to display when prompting the user for the country name (C=) component of the distinguished name. In the sample openssl.cnf file, countryName has the value ``Country Name (2 letter code)''

countryName_default
The default country name. In the sample openssl.cnf file, countryName_default has the value ``AU''

countryName_min
The minimum allowable country name length. In the sample openssl.cnf file, countryName_min has the value 2.

countryName_max
The maximum allowable country name length. In the sample openssl.cnf file, countryName_max has the value 2.

The country name should be ISO 3166 two-letter country code.

Note: For the country name, be sure to specify the ISO 3166 country code. In cases where the ISO country code is different from the Internet country domain name, use the ISO 3166 code. (Example: the United Kingdom has the Internet country domain uk but the ISO 3166 country code GB; use GB.)

stateOrProvinceName
The text to display when prompting the user for the state or province name (ST=) component of the distinguished name. In the sample openssl.cnf file, stateOrProvinceName has the value ``State or Province Name (full name)''

stateOrProvinceName_default
The default state or province name. In the sample openssl.cnf file, stateOrProvinceName_default has the value ``Some-State''

localityName
The text to display when prompting the user for the locality name (L=) component of the distinguished name. In the sample openssl.cnf file, localityName has the value ``Locality Name (eg, city)''

0.organizationName
The text to display when prompting the user for the organization name (O=) component of the distinguished name. In the sample openssl.cnf file, 0.organizationName has the value ``Organization Name (eg, company)''

0.organizationName_default
The default organization name. In the sample openssl.cnf file, 0.organizationName_default has the value ``Internet Widgits Pty Ltd''

1.organizationName
The text to display when prompting the user for an additional organization name (O=) component of the distinguished name. In the sample openssl.cnf file, the commented-out line for 1.organizationName has the value ``Second Organization Name (eg, company)''

1.organizationName_default
The default second organization name. In the sample openssl.cnf file, 1.organizationName_default is commented out and has the value ``World Wide Web Pty Ltd''

organizationalUnitName
The text to display when prompting the user for the optional (in the sample openssl.cnf, at least) organizational unit name (OU=) component of the distinguished name. In the sample openssl.cnf file, organizationalUnitName has the value ``Organizational Unit Name (eg, section)''

organizationalUnitName_default
The default organizational unit name. In the sample openssl.cnf file, organizationalUnitName_default is commented out and has no value.

commonName
The text to display when prompting the user for the common name (CN=) component of the distinguished name. In the sample openssl.cnf file, commonName has the value ``Common Name (eg, YOUR name)''

Note: Even though the prompt suggests ``YOUR name'', for a server certificate the common name has traditionally been the fully qualified domain name of the server to be secured, so a prompt like ``Common Name (e.g., fully qualified domain name of the server)'' would be more appropriate. Be aware, though, that current browsers and TLS libraries match the host name only against the DNS entries of the subjectAltName extension and ignore the CN, so a server certificate must also carry a subjectAltName (see subjectAltName under [ usr_cert ] below).

commonName_max
The maximum allowable common name length. In the sample openssl.cnf file, commonName_max has the value 64.

emailAddress
The text to display when prompting the user for the email address of the distinguished name. In the sample openssl.cnf file, emailAddress has the value ``Email Address''



--------------------------------------------------------------------------------

[ req_attributes ] Section
This section defines the prompts when asking the user for certain information (in addition to the [ req_distinguished_name ] section above) needed to generate a cert. It also gives constraints on the allowed values.

challengePassword
The text to display when prompting the user for a challenge password. In the sample openssl.cnf file, challengePassword has the value ``A challenge password''

challengePassword_min
The minimum length of the challenge password. In the sample openssl.cnf file, challengePassword_min has a value of 4.

challengePassword_max
The maximum length of the challenge password. In the sample openssl.cnf file, challengePassword_max has a value of 20.

unstructuredName
The text to display when prompting the user for an unstructured name. In the sample openssl.cnf file, unstructuredName has the value ``An optional company name''. Both request attributes end up in the PKCS#10 request, not in the issued certificate.
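The [ req ], [ req_distinguished_name ] and req_extensions directives above, exercised without prompts. This is an added example and is not part of the original page or of the OpenSSL distribution: the prompt = no directive (which makes the DN section hold literal values instead of prompt strings), the file names req_demo.cnf, server.key and server.csr, and the host names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: build a CSR from a minimal [ req ] configuration with no prompts.
# prompt = no turns the DN section into literal values; numbered keys (0.OU, 1.OU)
# give several OUs; req_extensions puts a subjectAltName into the request itself.
# File names and host names below are this example's own assumptions.
set -eu

write_req_cnf() {                      # $1 = config path to write
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048              # 1024-bit RSA is no longer acceptable
default_md         = sha256            # likewise sha1
prompt             = no                # take req_dn values literally, no prompts
string_mask        = utf8only          # RFC 5280 string types; nombstr is obsolete
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
C      = HK
ST     = HONG KONG
O      = IBM
0.OU   = IBM AS
1.OU   = IBM AS DBS
CN     = ist.uat.hk.dbs.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:ist.uat.hk.dbs.com, DNS:www.ist.uat.hk.dbs.com
EOF
}

make_csr() {                           # $1 = work dir; prints the CSR subject in RFC 2253 order
    mkdir -p "$1"
    write_req_cnf "$1/req_demo.cnf"
    openssl req -new -nodes -config "$1/req_demo.cnf" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1   # CSR self-signature check
    openssl req -in "$1/server.csr" -noout -subject -nameopt RFC2253
}

csr_has_san() {                        # $1 = CSR path, $2 = DNS name; 0 if the SAN carries it
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# make_csr /tmp/req-demo
# -> subject=CN=ist.uat.hk.dbs.com,OU=IBM AS DBS,OU=IBM AS,O=IBM,ST=HONG KONG,C=HK
```

The second OU follows the first because the numbered prefixes are stripped before lookup, so they only fix the order; the SAN is carried in the request, but whether a CA copies it into the certificate depends on that CA's copy_extensions setting, not on the request.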



--------------------------------------------------------------------------------

X.509 EXTENSION DIRECTIVES
The directives below are used when requesting or signing certs. Many of the attributes can appear in any of the sections [ usr_cert ], [ v3_req ] and [ v3_ca ], with different values on the right-hand side, depending on whether the operation is signing certs ([ usr_cert ]), creating a certificate request ([ v3_req ]) or creating a CA cert ([ v3_ca ]).



--------------------------------------------------------------------------------

[ usr_cert ] Section
This section is referenced by the x509_extensions attribute in the [ CA_default ] section (above) of the sample openssl.cnf file. It contains directives used by the ca command when it signs a request (cert).

In the sample openssl.cnf file, most of the directives in this section are commented out: they are Netscape-specific (nsCertType and the ns*Url attributes) or are examples that only apply to particular certificate uses. Only four directives actually appear uncommented: basicConstraints, nsComment, subjectKeyIdentifier and authorityKeyIdentifier.

basicConstraints
Is this certificate valid as a certificate authority cert? (Can this certificate be used to sign or revoke other certificates?)

Possible values are CA:FALSE and CA:TRUE.

The sample openssl.cnf file has the line:

basicConstraints= CA:FALSE

indicating that the certificate's purposes do not include signing/revoking other certificates.

subjectKeyIdentifier
Specifies how to identify the public key being certified (so that distinct keys used by the same subject can be differentiated--as key updating occurs, for example).

The sample openssl.cnf file has the line:

subjectKeyIdentifier=hash

The IETF Public Key Infrastructure (PKIX) working group recommends the above default.

authorityKeyIdentifier
Specifies how to identify the public key used to verify the signature on this certificate or certificate revocation list (CRL). Enables distinct keys used by the same CA to be distinguished (e.g. as keypair updating occurs).

The sample openssl.cnf file has the line:

authorityKeyIdentifier=keyid,issuer:always

The IETF Public Key Infrastructure (PKIX) working group recommends the above default.

nsComment
A comment to be displayed in Netscape's comment listbox for the certificate signer. Provide a suitable description for the certificate..

The sample openssl.cnf file has the line:

nsComment = ``OpenSSL Generated Certificate''

The following (mostly Netscape-specific) attributes are all commented out in the sample openssl.cnf file:

nsCertType
The nsCertType attribute can specify the cert's capabilities (purposes).

If nsCertType is omitted, the certificate can be used for anything except object signing.

If nsCertType is included, one or more of the following (separated by commas) can appear as the value of this attribute: client, server, email, objsign, reserved, sslCA, emailCA, objCA.

Examples (commented out in sample openssl.cnf):

nsCertType = server for an SSL server

nsCertType = objsign for an object signing certificate

nsCertType = client, email for ``normal'' client use

nsCertType = client, email, objsign for ``everything including object signing''

subjectAltName
Alternative names for the certificate subject: DNS names, IP addresses, URIs or e-mail addresses. For a TLS server certificate this is the extension clients match the host name against, so it should list every name the server answers to, e.g. subjectAltName = DNS:www.example.com, DNS:example.com.

The format in the sample openssl.cnf:

subjectAltName=email:copy

causes OpenSSL to copy the e-mail address from the subject DN into the subjectAltName extension.

issuerAltName
Relates to the alternate name for the certificate or CRL issuer (CA).

The format in the sample openssl.cnf:

issuerAltName=issuer:copy

causes OpenSSL to copy the issuer certificate's subjectAltName into this certificate's issuerAltName extension.

nsCaRevocationUrl
The revocation URL for the Root CA Certificate The sample openssl.cnf file includes the following (commented out):

nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

nsBaseUrl
Can give the general base URL.

nsRevocationUrl
The revocation URL for other (non-Root CA) certificates. The URL is of the form ../foo.cgi?aaaa. ``aaaa'' is the ASCII-encoded serial number of the cert.

nsRenewalUrl
A URL to visit to renew SSL/TLS certificates.

nsCaPolicyUrl
Gives the URL of the CA's policy.

nsSslServerName
The name of the Netscape SSL Server. Be careful with this attribute--it can crash certain versions of Netscape.

keyUsage
A bit string naming the operations the certified key may be used for. Mark it critical (keyUsage = critical, ...) when the restriction must be enforced by verifiers.

Possible values: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly



--------------------------------------------------------------------------------

[ v3_req ] Section
This section is referenced by the req section's req_extensions attribute (commented out in the sample openssl.cnf file; see the [ req ] section above).

If not commented out--or if referenced by the -reqexts [section] option of the req command--it contains the extensions that the req command puts into the certificate requests it creates. (The req command's -extensions option applies to self-signed certificates made with -x509, not to requests.)

In the sample openssl.cnf file, the [ v3_req ] section has only two directives: basicConstraints and keyUsage.

basicConstraints
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

basicConstraints= CA:FALSE

keyUsage
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment



--------------------------------------------------------------------------------

[ v3_ca ] Section
This section of extensions for a typical CA is referenced by the [ req ] section's x509_extensions attribute. It is a list of extensions to add to certificates generated when the req command is invoked with the -x509 option.

subjectKeyIdentifier
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

subjectKeyIdentifier=hash

as recommended by the IETF Public Key Infrastructure (PKIX) working group.

authorityKeyIdentifier
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

authorityKeyIdentifier=keyid:always,issuer:always

as recommended by the IETF Public Key Infrastructure (PKIX) working group.

basicConstraints
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

basicConstraints = CA:true

as well as a commented out:

basicConstraints = critical,CA:true

Although PKIX recommends the commented-out version, ``some broken software chokes on critical extensions,'' so the sample openssl.cnf omits ``critical.'' However, it *does* indicate that the purposes of this certificate include acting as a Certificate Authority.

The sample openssl.cnf file also includes a commented out:

basicConstraints= critical, DER:30:03:01:01:FF

illustrating how to override a supported extension with a Distinguished Encoding Rules (DER) encoding of an extension.

keyUsage
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line (commented out):

keyUsage = cRLSign, keyCertSign

(The sample openssl.cnf omits the above even though it is typical for a CA certificate, ``since it will prevent it being used as a test self-signed certificate.'')

nsCertType
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line (commented out):

nsCertType = sslCA, emailCA

subjectAltName
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line commented out:

subjectAltName=email:copy

even though it is a PKIX recommendation.

issuerAltName
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line commented out:

issuerAltName=issuer:copy

even though it is a PKIX recommendation.

obj
Introduces an extension encoded in hex with DER.

The sample openssl.cnf file has the line (commented out):

obj=DER:02:03

where ``obj'' is a standard or added object. (``Beware: experts only!'')
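What the pathlen:0 in the page's own [ v3_ca ] section (basicConstraints = critical, CA:true, pathlen:0) enforces, as an added example that is not part of the original page: a root with pathlen:0 may have no further CA below it, so a sub-CA certificate it issues verifies on its own, but anything that sub-CA signs fails verification with a path length error. The section names v3_root, v3_sub and v3_leaf, the file names and the DNs are this example's assumptions; the certificates are signed with openssl x509 -req so no ca database is needed.

```shell
#!/bin/sh
# Added example: root (CA:TRUE, pathlen:0) -> sub-CA (CA:TRUE) -> leaf.
# The sub-CA verifies against the root; the leaf does not, because its chain
# contains one more CA than the root's pathlen allows.
# Section names, file names and DNs are this example's own assumptions.
set -eu

write_ext_cnf() {                      # $1 = config path
    cat > "$1" <<'EOF'
[ req ]
default_md         = sha256
distinguished_name = dn                # required by req; -subj supplies the values
[ dn ]
commonName = Common Name
[ v3_root ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:leaf.example.test
EOF
}

build_chain() {                        # $1 = work dir; writes root/sub/leaf key and cert files
    d="$1"; mkdir -p "$d"; write_ext_cnf "$d/ext.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" -extensions v3_root \
        -subj "/O=Example/CN=Root" -days 2 -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj "/O=Example/CN=Sub" -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 1 -extfile "$d/ext.cnf" -extensions v3_sub -out "$d/sub.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj "/O=Example/CN=leaf.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" -CAcreateserial \
        -days 1 -extfile "$d/ext.cnf" -extensions v3_leaf -out "$d/leaf.crt" 2>/dev/null
}

verify_sub() {                         # $1 = work dir; 0: root -> sub is a valid path
    openssl verify -CAfile "$1/root.crt" "$1/sub.crt" >/dev/null 2>&1
}

verify_leaf() {                        # $1 = work dir; non-zero: path length constraint exceeded
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1
}
```

Drop the pathlen:0 from v3_root and verify_leaf succeeds; keep it, and the sub-CA's key becomes useless for issuing, which is exactly the guarantee a root with pathlen:0 is meant to give.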



--------------------------------------------------------------------------------

[ crl_ext ] Section
This section holds extensions for certificate revocation lists (CRLs). As the sample file notes, ``Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.''

The [ crl_ext ] section is referenced by the CA_default section's crl_extensions attribute (commented out in the sample openssl.cnf file; see the [ CA_default ] section above).

If not commented out--or if referenced by the -crlexts [section] option of the ca command--it contains the extensions the ca command adds when it generates a CRL (-gencrl); revoking a certificate (-revoke) only updates the database.

The sample openssl.cnf notes: ``Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL.''

issuerAltName
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line commented out:

issuerAltName=issuer:copy

authorityKeyIdentifier
See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

authorityKeyIdentifier=keyid:always,issuer:always
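The [ CA_default ] file layout, the policy sections, the extension sections and [ crl_ext ] described above, driven end to end with openssl ca. This is an added example and is not part of the original page or of the OpenSSL distribution. It creates the database, serial and newcerts layout, issues a certificate under policy_match (a foreign O is rejected, an unlisted emailAddress is dropped from the subject), shows copy_extensions = copy taking the subjectAltName from the request while the -extensions section's CA:FALSE overrides the CA:TRUE the request asked for, and finishes with -revoke, -gencrl and a -crl_check verification. The directory layout, section names, DNs and host names are this example's own; copy_extensions and unique_subject are real openssl ca directives the page does not cover.

```shell
#!/bin/sh
# Added example, not from the original page: a throw-away CA driven by openssl ca
# from a minimal config built out of the directives above. Shows the database and
# serial files, policy_match vs policy_anything, copy_extensions, -extensions,
# -revoke, -gencrl and -crl_check. Paths, section names and DNs are this example's own.
set -eu

init_ca() {                                  # $1 = directory that becomes $dir in the config
    CA="$1"; mkdir -p "$CA/newcerts" "$CA/private"; chmod 700 "$CA/private"
    : > "$CA/index.txt"; echo 1000 > "$CA/serial"   # empty database; first serial (hex)
    cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/private/ca.key
default_md       = sha256
default_days     = 2
default_crl_days = 1
unique_subject   = no
policy           = policy_match
copy_extensions  = copy                      # copy request extensions, but an extension
crl_extensions   = crl_ext                   # from the -extensions section wins
[ policy_match ]
countryName      = match
organizationName = match
commonName       = supplied                  # emailAddress is not listed: it is dropped
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
default_md         = sha256
distinguished_name = req_dn                  # required by req; -subj supplies the DN
[ req_dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ hostile_req ]
subjectAltName   = DNS:www.example.test
basicConstraints = CA:TRUE                   # the requester asks to become a CA
[ ssl_server ]
basicConstraints       = CA:FALSE            # and this overrides it
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CA/ca.cnf" -extensions v3_ca \
        -subj "/C=HK/O=IBM/CN=Demo Root CA" -days 3 -keyout "$CA/private/ca.key" \
        -out "$CA/ca.crt" 2>>"$CA/ca.log"
}
new_csr() {                                  # $1 = base name, $2 = subject
    openssl req -new -newkey rsa:2048 -nodes -config "$CA/ca.cnf" -reqexts hostile_req \
        -subj "$2" -keyout "$CA/$1.key" -out "$CA/$1.csr" 2>>"$CA/ca.log"
}
issue() {                                    # $1 = policy section, $2 = base name; status = ca's
    openssl ca -batch -notext -config "$CA/ca.cnf" -policy "$1" -extensions ssl_server \
        -in "$CA/$2.csr" -out "$CA/$2.crt" >/dev/null 2>>"$CA/ca.log"
}
cert_has() {                                 # $1 = base name, $2 = pattern in x509 -text output
    openssl x509 -in "$CA/$1.crt" -noout -text | grep -q "$2"
}
verify_cert() {                              # $1 = base name, rest = extra verify options
    c="$1"; shift
    openssl verify -CAfile "$CA/ca.crt" "$@" "$CA/$c.crt" >/dev/null 2>&1
}
revoke_and_gencrl() {                        # $1 = base name; writes $CA/crl.pem
    openssl ca -config "$CA/ca.cnf" -revoke "$CA/$1.crt" >/dev/null 2>>"$CA/ca.log"
    openssl ca -config "$CA/ca.cnf" -gencrl -out "$CA/crl.pem" 2>>"$CA/ca.log"
}
index_count() { grep -c "^$1" "$CA/index.txt" || true; }   # $1 = status flag V or R
demo() {                                     # $1 = scratch dir; prints "V=1 R=1 serial=1002"
    init_ca "$1"
    new_csr srv "/C=HK/O=IBM/CN=www.example.test/emailAddress=ops@example.test"
    issue policy_match srv                   # C and O match the CA: issued
    if cert_has srv emailAddress; then echo "unlisted field kept" >&2; return 1; fi
    cert_has srv 'CA:FALSE'                  # the request's CA:TRUE did not survive
    cert_has srv 'DNS:www.example.test'      # but its subjectAltName was copied
    verify_cert srv -purpose sslserver
    new_csr other "/C=HK/O=Other/CN=other.example.test"
    if issue policy_match other; then echo "policy_match accepted a foreign O" >&2; return 1; fi
    issue policy_anything other              # same request, permissive policy: issued
    revoke_and_gencrl srv
    if verify_cert srv -crl_check -CRLfile "$CA/crl.pem"; then echo "revoked cert verified" >&2; return 1; fi
    echo "V=$(index_count V) R=$(index_count R) serial=$(cat "$CA/serial")"
}
```

Run demo /tmp/demo-ca: it prints V=1 R=1 serial=1002 and leaves the CA directory behind, so index.txt, newcerts/, ca.log and crl.pem can be inspected with openssl x509 -text and openssl crl -text. The override order is the important security detail: with copy_extensions = copy the -extensions section is applied first and request extensions of the same type are skipped, so a hostile CSR cannot smuggle in CA:TRUE; with copyall the request would win, which is why the stock sample file warns to use extension copying with caution.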

