
Группа :: Система/Основа
Пакет: openssl1.1


Патч: openssl-alt-config.patch


--- openssl/apps/openssl.cnf
+++ openssl/apps/openssl.cnf
@@ -44,7 +44,7 @@ certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
-					# several certs with same subject.
+					# several ctificates with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 
 certificate	= $dir/cacert.pem 	# The CA certificate
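Review bot: The reworded comment on the added line misspells the word as `ctificates`, and the two `x509_extensions` comment changes in later hunks (under `[ CA_default ]` and `[ req ]`) likewise turn `extensions` into `extentions`. These edits change only comment text, so they add drift from the upstream file without any effect on behaviour. Dropping them, or keeping upstream's wording `# several certs with same subject.`, would make the patch smaller and easier to rebase onto new upstream releases.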
@@ -55,7 +55,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extensions to add to the cert
+x509_extensions	= usr_cert		# The extentions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -72,7 +72,7 @@ cert_opt 	= ca_default		# Certificate field options
 
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
-default_md	= default		# use public key default MD
+default_md	= sha256		# which md to use.
 preserve	= no			# keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
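Review bot: The new trailing comment `# which md to use.` no longer records that the CA digest is now pinned instead of following the signing key's default, which is what the removed line's comment explained. A comment such as `# pinned to SHA-256 rather than the signing key's default digest` would keep the intent visible to whoever edits this file later. The `default_md = sha256` line added under `[ req ]` in the next hunk has no comment at all and would benefit from the same one-line rationale.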
@@ -104,16 +104,17 @@ emailAddress		= optional
 ####################################################################
 [ req ]
 default_bits		= 2048
+default_md		= sha256
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
 # output_password = secret
 
-# This sets a mask for permitted string types. There are several options. 
+# This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
 # utf8only: only UTF8Strings (PKIX recommendation after 2004).
@@ -126,17 +127,18 @@ string_mask = utf8only
 
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
-countryName_default		= AU
+countryName_default		= RU
 countryName_min			= 2
 countryName_max			= 2
 
 stateOrProvinceName		= State or Province Name (full name)
-stateOrProvinceName_default	= Some-State
+#stateOrProvinceName_default	= Default Province
 
 localityName			= Locality Name (eg, city)
+#localityName_default		= Default City
 
 0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= Internet Widgits Pty Ltd
+#0.organizationName_default	= Default Company Ltd
 
 # we can do this but it is not needed normally :-)
 #1.organizationName		= Second Organization Name (eg, company)
@@ -145,7 +147,7 @@ localityName			= Locality Name (eg, city)
 organizationalUnitName		= Organizational Unit Name (eg, section)
 #organizationalUnitName_default	=
 
-commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName			= Common Name (e.g., your name or your server\'s hostname)
 commonName_max			= 64
 
 emailAddress			= Email Address
@@ -233,7 +235,11 @@ subjectKeyIdentifier=hash
 
 authorityKeyIdentifier=keyid:always,issuer
 
-basicConstraints = critical,CA:true
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
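Review bot: The active `basicConstraints = CA:true` line drops the critical flag from every CA certificate generated with the `v3_ca` extensions, and the added comment describes criticality as something PKIX merely "recommends". RFC 5280 section 4.2.1.9 requires conforming CAs to mark basicConstraints critical in certificates whose keys are used to validate certificate signatures, so the default output becomes non-conforming and strict validators or certificate linters may flag it. Consider keeping `basicConstraints = critical,CA:true` active and leaving the non-critical form as the commented-out fallback, with the comment naming the software that actually needs it. The section continues outside this hunk.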
@@ -331,11 +337,11 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-signer_digest  = sha256			# Signing digest to use. (Optional)
+
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
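Review bot: Removing `signer_digest = sha256` leaves the TSA section without a configured signing digest, and nothing in the hunk says why. The removed line's own comment calls the option optional, but the upstream `ts` manual for this series describes it as mandatory unless `-digest` is given on the command line, so `openssl ts -reply` with the stock config may fail or need an extra flag; this should be confirmed against the packaged binary. If the removal is a leftover from a patch written for a release that lacked the option, restore `signer_digest = sha256`. The `digests` line change is whitespace only.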
 