--- openssl/apps/openssl.cnf +++ openssl/apps/openssl.cnf @@ -47,7 +47,7 @@ certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of - # several certs with same subject. + # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate @@ -57,7 +57,7 @@ crlnumber = $dir/crlnumber # the current crl number crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key -x509_extensions = usr_cert # The extensions to add to the cert +x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. @@ -74,7 +74,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = default # use public key default MD +default_md = sha256 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look @@ -106,10 +106,11 @@ emailAddress = optional #################################################################### [ req ] default_bits = 2048 +default_md = sha256 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes -x509_extensions = v3_ca # The extensions to add to the self signed cert +x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret @@ -128,17 +129,18 @@ string_mask = utf8only [ req_distinguished_name ] countryName = Country Name (2 letter code) -countryName_default = AU +countryName_default = RU countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State +#stateOrProvinceName_default = Default Province localityName = Locality Name (eg, city) +#localityName_default = Default City 0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd +#0.organizationName_default = Default Company Ltd # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) @@ -147,7 +149,7 @@ localityName = Locality Name (eg, city) organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = -commonName = Common Name (e.g. server FQDN or YOUR name) +commonName = Common Name (e.g., your name or your server\'s hostname) commonName_max = 64 emailAddress = Email Address @@ -235,7 +237,11 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -basicConstraints = critical,CA:true +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best @@ -333,11 +339,11 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate certs = $dir/cacert.pem # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) -signer_digest = sha256 # Signing digest to use. (Optional) + default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) accuracy = secs:1, millisecs:500, microsecs:100 # (optional) clock_precision_digits = 0 # number of digits after dot. (optional) ordering = yes # Is ordering defined for timestamps?