Group :: Sistema/Base
RPM: openssl1.1
Main Changelog Spec Patches Sources Download Gear Bugs e FR Repocop
Patch: openssl-alt-config.patch
Download
Download
--- openssl/apps/openssl.cnf
+++ openssl/apps/openssl.cnf
@@ -47,7 +47,7 @@ certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
- # several certs with same subject.
+ # several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
@@ -57,7 +57,7 @@ crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
-x509_extensions = usr_cert # The extensions to add to the cert
+x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
@@ -74,7 +74,7 @@ cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
+default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
@@ -106,10 +106,11 @@ emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
+default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
-x509_extensions = v3_ca # The extensions to add to the self signed cert
+x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
@@ -128,17 +129,18 @@ string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = RU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+#stateOrProvinceName_default = Default Province
localityName = Locality Name (eg, city)
+#localityName_default = Default City
0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
+#0.organizationName_default = Default Company Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
@@ -147,7 +149,7 @@ localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
-commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName = Common Name (e.g., your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
@@ -235,7 +237,11 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = critical,CA:true
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
@@ -333,11 +339,11 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
-signer_digest = sha256 # Signing digest to use. (Optional)
+
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
-digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?