fakhrulhilal/openssl.cnf

## openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
SAN                     = CN:copy

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1             = 1.2.3.4.1
tsa_policy2             = 1.2.3.4.5.6

[ tsa ]
default_tsa             = tsa_config1

[ tsa_config1 ]

# These are used by the TSA reply generation only.
crypto_device           = builtin        # OpenSSL engine to use for signing
signer_digest           = sha256            # Signing digest to use. (Optional)
default_policy          = tsa_policy1
other_policies          = tsa_policy2, tsa_policy3    # acceptable policies (optional)
digests                 = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy                = secs:1, millisecs:500, microsecs:100    # (optional)
clock_precision_digits  = 0    # number of digits after dot. (optional)
# Is ordering defined for timestamps?
# (optional, default: no)
ordering                = yes
# Must the TSA name be included in the reply?
# (optional, default: no)
tsa_name                = yes
# Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_chain       = no
# algorithm to compute certificate
# identifier (optional, default: sha1)
ess_cert_id_alg         = sha256

[ ca ]
default_ca              = CA_default

[ CA_default ]
x509_extensions         = web_cert
default_days            = 365
policy                  = default_policy

[ default_policy ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ ca_policy ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ optional_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ smime_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = match

[ req ]
default_bits            = 2048
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = web_cert    # The extensions to add to the self signed cert
# req_extensions        = v3_req

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix     : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min   = 4
challengePassword_max   = 20

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_default     = ID
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default    = Jakarta

localityName            = Locality Name (eg, city)

0.organizationName      = Organization Name (eg, company)
0.organizationName_default = Personal Company

# we can do this but it is not needed normally :-)
#1.organizationName     = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName  = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName              = Common Name (e.g. server FQDN or YOUR name)
commonName_max          = 64

emailAddress            = Email Address
emailAddress_max        = 64

#######################################################################
# Signing cert: certificate for non CA
#######################################################################
[ web_cert ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints        = critical, CA:FALSE
# This is typical in keyUsage for a client certificate.
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always

# optional: create separate config file, execute with -extfile file.cnf
# signing multiple domains/IPs
#subjectAltName = DNS:*.dev.lab, DNS:dev.lab, IP:127.0.0.1
subjectAltName          = $ENV::SAN
# Special certificate for ASP.NET development
# TODO: find exact value for version in byte, not in BER format
1.3.6.1.4.1.311.84.1.1  = ASN1:INT:2

#######################################################################
# Signing cert: certificate for intermedia CA
#######################################################################
[ ica_cert ]
basicConstraints        = critical, CA:TRUE, pathlen:0
keyUsage                = cRLSign, keyCertSign, digitalSignature
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always

#######################################################################
# Signing cert: self signed for CA's cert
#######################################################################
[ ca_cert ]
basicConstraints        = critical, CA:TRUE
keyUsage                = cRLSign, keyCertSign, digitalSignature
extendedKeyUsage        = critical, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always

#######################################################################
# Signing cert: code signing
#######################################################################
[ codesign_cert ]
basicConstraints        = critical, CA:FALSE
keyUsage                = critical, nonRepudiation, digitalSignature
extendedKeyUsage        = critical, codeSigning, msCodeInd, msCodeCom, msCTLSign, timeStamping
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always

#######################################################################
# Signing cert: for S/MIME certificate
#######################################################################
[ smime_cert ]
# https://tools.ietf.org/html/rfc3850
# digitalSignature is required, used for signing email
keyUsage                = digitalSignature, nonRepudiation, keyEncipherment
# emailProtection is used for encrpyting message
extendedKeyUsage        = emailProtection
subjectAltName          = email:copy
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always

#######################################################################
# Read config from environment variable with shorten of key name
#######################################################################
[ env ]
subjectAltName          = $ENV::SAN
	#
	# OpenSSL example configuration file.
	# This is mostly being used for generation of certificate requests.
	#

	# Note that you can include other files from the main configuration
	# file using the .include directive.
	#.include filename

	# This definition stops the following lines choking if HOME isn't
	# defined.
	HOME = .
	SAN = CN:copy

	# Extra OBJECT IDENTIFIER info:
	#oid_file = $ENV::HOME/.oid
	oid_section = new_oids

	# To use this configuration file with the "-extfile" option of the
	# "openssl x509" utility, name here the section containing the
	# X.509v3 extensions to use:
	# extensions =
	# (Alternatively, use a configuration file that has only
	# X.509v3 extensions in its main [= default] section.)

	[ new_oids ]

	# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
	# Add a simple OID like this:
	# testoid1=1.2.3.4
	# Or use config file substitution like this:
	# testoid2=${testoid1}.5.6

	# Policies used by the TSA examples.
	tsa_policy1 = 1.2.3.4.1
	tsa_policy2 = 1.2.3.4.5.6

	[ tsa ]
	default_tsa = tsa_config1

	[ tsa_config1 ]

	# These are used by the TSA reply generation only.
	crypto_device = builtin # OpenSSL engine to use for signing
	signer_digest = sha256 # Signing digest to use. (Optional)
	default_policy = tsa_policy1
	other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
	digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
	accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
	clock_precision_digits = 0 # number of digits after dot. (optional)
	# Is ordering defined for timestamps?
	# (optional, default: no)
	ordering = yes
	# Must the TSA name be included in the reply?
	# (optional, default: no)
	tsa_name = yes
	# Must the ESS cert id chain be included?
	# (optional, default: no)
	ess_cert_id_chain = no
	# algorithm to compute certificate
	# identifier (optional, default: sha1)
	ess_cert_id_alg = sha256

	[ ca ]
	default_ca = CA_default

	[ CA_default ]
	x509_extensions = web_cert
	default_days = 365
	policy = default_policy

	[ default_policy ]
	countryName = match
	stateOrProvinceName = match
	organizationName = match
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	[ ca_policy ]
	countryName = match
	stateOrProvinceName = optional
	organizationName = match
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	[ optional_policy ]
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	[ smime_policy ]
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = optional
	emailAddress = match

	[ req ]
	default_bits = 2048
	distinguished_name = req_distinguished_name
	attributes = req_attributes
	x509_extensions = web_cert # The extensions to add to the self signed cert
	# req_extensions = v3_req

	# Passwords for private keys if not present they will be prompted for
	# input_password = secret
	# output_password = secret

	# This sets a mask for permitted string types. There are several options.
	# default: PrintableString, T61String, BMPString.
	# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
	# utf8only: only UTF8Strings (PKIX recommendation after 2004).
	# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
	# MASK:XXXX a literal mask value.
	# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
	string_mask = utf8only

	[ req_attributes ]
	challengePassword = A challenge password
	challengePassword_min = 4
	challengePassword_max = 20

	[ req_distinguished_name ]
	countryName = Country Name (2 letter code)
	countryName_default = ID
	countryName_min = 2
	countryName_max = 2

	stateOrProvinceName = State or Province Name (full name)
	stateOrProvinceName_default = Jakarta

	localityName = Locality Name (eg, city)

	0.organizationName = Organization Name (eg, company)
	0.organizationName_default = Personal Company

	# we can do this but it is not needed normally :-)
	#1.organizationName = Second Organization Name (eg, company)
	#1.organizationName_default = World Wide Web Pty Ltd

	organizationalUnitName = Organizational Unit Name (eg, section)
	#organizationalUnitName_default =

	commonName = Common Name (e.g. server FQDN or YOUR name)
	commonName_max = 64

	emailAddress = Email Address
	emailAddress_max = 64

	#######################################################################
	# Signing cert: certificate for non CA
	#######################################################################
	[ web_cert ]
	# This goes against PKIX guidelines but some CAs do it and some software
	# requires this to avoid interpreting an end user certificate as a CA.
	basicConstraints = critical, CA:FALSE
	# This is typical in keyUsage for a client certificate.
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	extendedKeyUsage = serverAuth, clientAuth

	# PKIX recommendations harmless if included in all certificates.
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always, issuer:always

	# optional: create separate config file, execute with -extfile file.cnf
	# signing multiple domains/IPs
	#subjectAltName = DNS:*.dev.lab, DNS:dev.lab, IP:127.0.0.1
	subjectAltName = $ENV::SAN
	# Special certificate for ASP.NET development
	# TODO: find exact value for version in byte, not in BER format
	1.3.6.1.4.1.311.84.1.1 = ASN1:INT:2

	#######################################################################
	# Signing cert: certificate for intermedia CA
	#######################################################################
	[ ica_cert ]
	basicConstraints = critical, CA:TRUE, pathlen:0
	keyUsage = cRLSign, keyCertSign, digitalSignature
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always, issuer:always

	#######################################################################
	# Signing cert: self signed for CA's cert
	#######################################################################
	[ ca_cert ]
	basicConstraints = critical, CA:TRUE
	keyUsage = cRLSign, keyCertSign, digitalSignature
	extendedKeyUsage = critical, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always, issuer:always

	#######################################################################
	# Signing cert: code signing
	#######################################################################
	[ codesign_cert ]
	basicConstraints = critical, CA:FALSE
	keyUsage = critical, nonRepudiation, digitalSignature
	extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom, msCTLSign, timeStamping
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always, issuer:always

	#######################################################################
	# Signing cert: for S/MIME certificate
	#######################################################################
	[ smime_cert ]
	# https://tools.ietf.org/html/rfc3850
	# digitalSignature is required, used for signing email
	keyUsage = digitalSignature, nonRepudiation, keyEncipherment
	# emailProtection is used for encrpyting message
	extendedKeyUsage = emailProtection
	subjectAltName = email:copy
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always, issuer:always

	#######################################################################
	# Read config from environment variable with shorten of key name
	#######################################################################
	[ env ]
	subjectAltName = $ENV::SAN