OpenSSL config
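#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Read by the openssl command line tool; see config(5), req(1), ca(1),
# ts(1) and x509v3_config(5). OpenSSL's parser treats '#' as a comment
# anywhere on a line, so the trailing comments after some values below
# are safe here (they would become part of the value in most other INI
# dialects).
#
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .

# Default for $ENV::SAN (used by [ web_cert ] and [ env ]): OpenSSL looks a
# $ENV::name reference up in the process environment first and falls back to
# this default section when the variable is not set.
# NOTE(review): "CN:copy" is not a subjectAltName form documented in
# x509v3_config(5) (only "email:copy" copies a value out of the DN), so with
# SAN unset the web_cert extensions are expected to fail to parse instead of
# issuing a certificate without a SAN -- verify, and export SAN explicitly
# (constructed example: SAN="DNS:host.example") before signing.
SAN = CN:copy

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6

# Time stamping authority (openssl ts): which config section is used.
[ tsa ]
default_tsa = tsa_config1

[ tsa_config1 ]
# These are used by the TSA reply generation only.
crypto_device = builtin # OpenSSL engine to use for signing
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# sha1 is listed only so that older clients can still obtain timestamps;
# drop it once nothing requests SHA-1 timestamps any more.
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)

# Is ordering defined for timestamps?
# (optional, default: no)
ordering = yes

# Must the TSA name be included in the reply?
# (optional, default: no)
tsa_name = yes

# Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_chain = no

# algorithm to compute certificate
# identifier (optional, default: sha1)
ess_cert_id_alg = sha256

# openssl ca: which config section is used.
[ ca ]
default_ca = CA_default

[ CA_default ]
# NOTE(review): only extensions, validity and DN policy are set here. openssl
# ca additionally requires at least database, serial, new_certs_dir,
# certificate and private_key (and an explicit default_md = sha256 is
# advisable), so this section cannot drive signing as-is. The extension
# sections below are presumably applied with
# "openssl x509 -req -extfile <this file> -extensions <section>" instead --
# confirm against the signing script.
x509_extensions = web_cert
default_days = 365
policy = default_policy

# DN policies for openssl ca: "match" must equal the CA cert's DN field,
# "supplied" must be present in the request, "optional" may be absent.
[ default_policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ ca_policy ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ optional_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ smime_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = match

# openssl req: request / self-signed certificate generation.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = web_cert # The extensions to add to the self signed cert

# req_extensions = v3_req

# Passwords for private keys if not present they will be prompted for.
# Keep them out of this file: pass them at invocation time (-passin /
# -passout) or let openssl prompt.
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

# Prompts (and _default / _min / _max constraints) for the request DN.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = ID
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Jakarta

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Personal Company

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

#######################################################################
# Signing cert: certificate for non CA
#######################################################################
[ web_cert ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = critical, CA:FALSE

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always

# optional: create separate config file, execute with -extfile file.cnf
# signing multiple domains/IPs
#subjectAltName = DNS:*.dev.lab, DNS:dev.lab, IP:127.0.0.1
# Taken from the SAN environment variable; falls back to the default-section
# SAN value at the top of this file when the variable is unset.
subjectAltName = $ENV::SAN

# Special certificate for ASP.NET development
# TODO: find exact value for version in byte, not in BER format
1.3.6.1.4.1.311.84.1.1 = ASN1:INT:2

#######################################################################
# Signing cert: certificate for intermediate CA
#######################################################################
[ ica_cert ]
# pathlen:0 -- this CA may only issue end-entity certificates.
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = cRLSign, keyCertSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always

#######################################################################
# Signing cert: self signed for CA's cert
#######################################################################
[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = cRLSign, keyCertSign, digitalSignature
# Some validators (notably Windows) treat an EKU on a CA certificate as a
# constraint on which leaf EKUs may chain through it, so this list should
# stay a superset of the EKUs used by the leaf profiles in this file.
extendedKeyUsage = critical, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always

#######################################################################
# Signing cert: code signing
#######################################################################
[ codesign_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature
extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom, msCTLSign, timeStamping
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always

#######################################################################
# Signing cert: for S/MIME certificate
#######################################################################
[ smime_cert ]
# https://tools.ietf.org/html/rfc3850
# digitalSignature is required, used for signing email
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
# emailProtection is used for encrypting message
extendedKeyUsage = emailProtection
# email:copy copies the emailAddress from the subject DN into the SAN.
subjectAltName = email:copy
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always

#######################################################################
# Read config from an environment variable with a shortened key name
#######################################################################
# NOTE(review): section names are case-sensitive in OpenSSL's config parser,
# so [ env ] appears to be an ordinary extension section (usable via
# "-extensions env"), not the special ENV section consulted by $ENV::name
# lookups -- confirm that is the intent.
[ env ]
subjectAltName = $ENV::SAN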