6. openssl.cnf - Beispiel-Datei

Die folgende Beispiel-Konfigurationsdatei enthält drei Abschnitte für verschiedene CA-Konfigurationen. Der erste Abschnitt [ Root_CA ] enthält eine Konfiguration zur Herausgabe von CA-Zertifikaten, entsprechend [ Server_CA ] zur Herausgabe von SSL-Server-Zertifikaten und [ User_CA ] für die Herausgabe von Benutzer-Zertifikaten. Die Abschnitte unterscheiden sich vor allem in der Angabe zum Extension-Abschnitt, der beim Schlüsselwort x509_extensions im jeweiligen CA-Abschnitt festgelegt ist. Über den Extension-Abschnitt wird bestimmt, welche Extensions die herausgegebenen Zertifikate enthalten.

Für die drei CA-Abschnitte gemeinsame Werte können auch am Anfang der Konfigurationsdatei vor dem ersten Abschnitt (hier [ new_oids ]) festgelegt werden. Im Beispiel ist das die Variable pfad, auf die die CA-Abschnitte über $pfad zugreifen.

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Everything set before the first [ section ] lands in the default section;
# later sections can reference such values as $name (the three CA sections
# below build their directories from $pfad).

# RANDFILE          = $ENV::HOME/.rnd
# oid_file          = $ENV::HOME/.oid
# oid_section           = new_oids
# (oid_section is commented out, so the [ new_oids ] section below is not loaded.)
# Installation prefix from which each CA section derives its own directory.
pfad                = /usr/local/openssl


[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# NOTE: this section is only consulted when oid_section = new_oids is set in
# the default section at the top of the file; that line is currently commented out.
# Add a simple OID like this:
# testoid1          = 1.2.3.4
# Or use config file substitution like this:
# testoid2          = ${testoid1}.5.6

####################################################################

[ ca ]

# Section the 'ca' command uses unless another one is selected with -name.
# Server_CA is chosen here; Root_CA and User_CA must be selected explicitly.
default_ca          = Server_CA              # The default ca section

####################################################################


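[ Root_CA ]         # Section for a root CA (issues CA certificates via PCA_ext)

dir                 = $pfad/PCA               # Where everything is kept
certs               = $dir/certs              # Where the issued certs are kept
crl_dir             = $dir/crl                # Where the issued crl are kept
database            = $dir/index.txt          # database index file.
new_certs_dir       = $dir/newcerts           # default place for new certs.

certificate         = $dir/PCAcert.pem        # The CA certificate
serial              = $dir/serial             # The current serial number
crl                 = $dir/crl.pem            # The current CRL
private_key         = $dir/private/PCAkey.pem # The private key: $dir/private must be readable by the CA user only
RANDFILE            = $dir/private/.rand      # private random number file (legacy; newer OpenSSL releases no longer need it)

x509_extensions     = PCA_ext                 # The extensions to add to the cert
#crl_extensions     = crl_ext                 # Extensions to add to CRL
default_days        = 730                     # how long to certify for
default_crl_days    = 30                      # how long before next CRL
# Signature digest. The original value, md5, is collision-broken and MD5-signed
# certificates are rejected by current clients; sha256 is the minimum to use.
default_md          = sha256                  # which md to use.
preserve            = no                      # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy              = policy_match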


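[ Server_CA ]         # Section for a server CA (issues SSL server certificates via SCA_ext)

dir                   = $pfad/SCA             # Where everything is kept
certs                 = $dir/certs            # Where the issued certs are kept
crl_dir               = $dir/crl              # Where the issued crl are kept
database              = $dir/index.txt        # database index file.
new_certs_dir         = $dir/newcerts         # default place for new certs.

certificate           = $dir/SCAcert.pem      # The CA certificate
serial                = $dir/serial           # The current serial number
crl                   = $dir/crl.pem          # The current CRL
private_key           = $dir/private/SCAkey.pem # The private key: $dir/private must be readable by the CA user only
RANDFILE              = $dir/private/.rand    # private random number file (legacy; newer OpenSSL releases no longer need it)

x509_extensions       = SCA_ext               # The extensions to add to the cert
#crl_extensions       = crl_ext               # Extensions to add to CRL
default_days          = 365                   # how long to certify for
default_crl_days      = 30                    # how long before next CRL
# Signature digest. The original value, md5, is collision-broken and MD5-signed
# certificates are rejected by current clients; sha256 is the minimum to use.
default_md            = sha256                # which md to use.
preserve              = no                    # keep passed DN ordering

# Only countryName has to match the CA and commonName has to be present;
# see [ policy_anything ].
policy                = policy_anything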


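[ User_CA ]           # Section for a user CA (issues user certificates via UCA_ext)

dir                   = $pfad/UCA             # Where everything is kept
certs                 = $dir/certs            # Where the issued certs are kept
crl_dir               = $dir/crl              # Where the issued crl are kept
database              = $dir/index.txt        # database index file.
new_certs_dir         = $dir/newcerts         # default place for new certs.

certificate           = $dir/UCAcert.pem      # The CA certificate
serial                = $dir/serial           # The current serial number
crl                   = $dir/crl.pem          # The current CRL
private_key           = $dir/private/UCAkey.pem # The private key: $dir/private must be readable by the CA user only
RANDFILE              = $dir/private/.rand    # private random number file (legacy; newer OpenSSL releases no longer need it)

x509_extensions       = UCA_ext               # The extensions to add to the cert
#crl_extensions       = crl_ext               # Extensions to add to CRL
default_days          = 365                   # how long to certify for
default_crl_days      = 30                    # how long before next CRL
# Signature digest. The original value, md5, is collision-broken and MD5-signed
# certificates are rejected by current clients; sha256 is the minimum to use.
default_md            = sha256                # which md to use.
preserve              = no                    # keep passed DN ordering

# Only countryName has to match the CA and commonName has to be present;
# see [ policy_anything ].
policy                = policy_anything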


# For the CA policy
# Here too:
# ... you must list all acceptable 'object' types.
# Per DN field: match    = must equal the value in the CA certificate,
#               supplied = must be present in the request,
#               optional = may be present.
# Fields not listed in the policy are dropped from the issued subject.
# Used by [ Root_CA ]: sub-CA requests must carry C, ST, O and CN.

[ policy_match ]

countryName             = match
stateOrProvinceName     = supplied
localityName            = optional
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional


# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# Used by [ Server_CA ] and [ User_CA ]: the country must match the CA,
# a commonName is required, everything else is optional.

[ policy_anything ]

countryName             = match
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional


####################################################################


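[ req ]

# RSA key size for keys generated by 'req'. The original value, 1024 bits, is
# below what current software accepts; 2048 is the smallest size to use.
default_bits            = 2048
# Generated private key is written here unless -keyout overrides it.
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extensions to add to the self signed cert (req -x509)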


[ req_distinguished_name ]

# Each field gives the prompt text; the _default suffix supplies the value
# offered at the prompt, _min/_max bound the accepted length. The order of
# the fields here is the order of the DN in the request.

countryName             = Country Name (2 letter code)
countryName_default     = DE
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = State or Province Name (full name)
#stateOrProvinceName_default = Schleswig-Holstein

localityName            = Locality Name (eg, city)
#localityName_default   = Kiel

# The numeric prefix allows the same field type more than once.
0.organizationName      = Organization Name (eg, company)
#0.organizationName_default     = Universitaet Kiel

# we can do this but it is not needed normally :-)
#1.organizationName     = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName  = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Studis

commonName              = Common Name (eg, YOUR name)
commonName_max          = 64

emailAddress            = Email Address
emailAddress_max        = 60

# SET-ex3               = SET extension number 3


[ req_attributes ]

# The challenge password is used to prove one's identity to the issuing CA
# for a certificate revocation if the private key has been lost.
# It is asked for when the certificate request is created.
# It is stored in the request, so treat the request file accordingly.

challengePassword       = A challenge password
challengePassword_min   = 4
challengePassword_max   = 20

unstructuredName        = An optional company name


[ PCA_ext ]

# Extensions for certificates issued by [ Root_CA ], i.e. for sub-CAs.
# CA:TRUE marks the certificate as a CA; no pathlen is given, so the sub-CA
# may in turn issue further CA certificates.
basicConstraints        = critical, CA:TRUE

# Possible: digitalSignature, nonRepudiation, keyEncipherment,
#           dataEncipherment, keyAgreement, keyCertSign,
#           cRLSign, encipherOnly, decipherOnly
# A CA key only needs to sign certificates and CRLs.
keyUsage                = cRLSign, keyCertSign

# PKIX recommendations
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always

# Import the email address.
subjectAltName          = email:copy

# Copy subject details
issuerAltName           = issuer:copy

# The ns* extensions below are legacy Netscape extensions; current clients
# ignore them.
# Possible: client, server, email, objsign, reserved, sslCA, emailCA, objCA
nsCertType              = sslCA, emailCA, objCA

# The URL prefix shared by the following URLs can be given here.
nsBaseUrl               = https://mystic.pca.dfn.de:1443/

# The page with the CA policy (note: plain http, unlike nsBaseUrl).
nsCaPolicyUrl           = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html

nsComment               = This certificate was issued by a PCA

# An online certificate check can take place here by accessing the URL in
# the form ../foo.cgi?aaaa. "aaaa" is the ASCII-encoded serial number of
# the certificate. The certificate can then be checked with OpenSSL.
# A decimal 0 or 1 is returned.
# NOTE(review): the same non-CA revocation URL is used here for CA
# certificates; nsCaRevocationUrl below is the CA-specific variant.
nsRevocationUrl         = cgi/non-CA-rev.cgi?

# Only valid in CA certificates. Meaning not entirely clear.
# nsCaRevocationUrl     = cgi/CA-rev.cgi?

# Used to make renewal of a certificate easier for a user. Usually backed
# by a CGI script accessed via HTTP GET in the form ../foo.cgi?aaaa; "aaaa"
# is again the serial number. A request form for renewing the certificate
# can be returned.
# nsRenewalUrl          = cgi/check-renw.cgi?


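[ SCA_ext ]

# Extensions for server certificates issued by [ Server_CA ].
# An end-entity certificate must say explicitly that it is not a CA; the
# original file left this line commented out.
basicConstraints        = critical, CA:FALSE
# What a TLS server key is used for: handshake signatures and RSA key transport.
keyUsage                = digitalSignature, keyEncipherment
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
# Only the e-mail address of the subject is copied here. Current clients
# validate the server name solely against a DNS entry in subjectAltName, so
# a DNS: entry for the server's host name has to be added per certificate.
subjectAltName          = email:copy
issuerAltName           = issuer:copy
# The ns* extensions below are legacy Netscape extensions; current clients
# ignore them.
nsCertType              = server
nsBaseUrl               = https://mystic.pca.dfn.de:1443/
nsCaPolicyUrl           = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html
nsComment               = This certificate was issued by a Server CA
nsRevocationUrl         = cgi/non-CA-rev.cgi?
# nsCaRevocationUrl     = cgi/CA-rev.cgi?
# nsRenewalUrl          = cgi/check-renw.cgi?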


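[ UCA_ext ]

# Extensions for user certificates issued by [ User_CA ].
# An end-entity certificate must say explicitly that it is not a CA; the
# original file left this line commented out.
basicConstraints        = critical, CA:FALSE
# Signing, key transport and key agreement for a user key.
# The original file had the misspelling "keyEnciphermen", which OpenSSL
# rejects as an unknown key usage when the certificate is signed.
keyUsage                = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
# The user's e-mail address is taken from the subject DN.
subjectAltName          = email:copy
issuerAltName           = issuer:copy
# The ns* extensions below are legacy Netscape extensions; current clients
# ignore them.
nsCertType              = client, email
nsBaseUrl               = https://mystic.pca.dfn.de:1443/
nsCaPolicyUrl           = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html
nsComment               = This certificate was issued by a User CA
nsRevocationUrl         = cgi/non-CA-rev.cgi?
# nsCaRevocationUrl     = cgi/CA-rev.cgi?
# nsRenewalUrl          = cgi/check-renw.cgi?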


[ v3_ca ]

# Extensions for the self-signed root certificate created with 'req -x509'
# (referenced by x509_extensions in [ req ]).
# CA:TRUE without pathlen: the root may issue CAs of any depth.
basicConstraints        = critical, CA:TRUE
subjectKeyIdentifier    = hash
# For a self-signed certificate keyid and issuer both point at itself.
authorityKeyIdentifier  = keyid:always,issuer:always
# The root key only signs certificates and CRLs.
keyUsage                = cRLSign, keyCertSign
# The ns* extensions below are legacy Netscape extensions; current clients
# ignore them.
nsCertType              = sslCA, emailCA, objCA
subjectAltName          = email:copy
issuerAltName           = issuer:copy
# Note: port 443 here, port 1443 in the other extension sections.
nsBaseUrl               = https://mystic.pca.dfn.de:443/
nsCaPolicyUrl           = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html
nsComment               = This certificate is a Root CA Certificate
nsRevocationUrl         = cgi/non-CA-rev.cgi?
# nsCaRevocationUrl     = cgi/CA-rev.cgi?
# nsRenewalUrl          = cgi/check-renw.cgi?

# RAW DER hex encoding of an extension: beware experts only!
# 1.2.3.5               = RAW:02:03
# You can even override a supported extension:
# basicConstraints      = critical, RAW:30:03:01:01:FF


[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# NOTE: crl_extensions = crl_ext is commented out in all three CA sections
# above, so this section is not used until one of those lines is enabled.

issuerAltName           = issuer:copy
authorityKeyIdentifier  = keyid:always,issuer:always
        

Copyright © 1996 - 2000 by DFN-PCA / certify@pca.dfn.de