Die folgende Beispiel-Konfigurationsdatei enthält drei
Abschnitte für verschiedene CA-Konfigurationen. Der erste
Abschnitt [ Root_CA ] enthält eine Konfiguration zur
Herausgabe von CA-Zertifikaten, entsprechend [ Server_CA ]
zur Herausgabe von SSL-Server-Zertifikaten und [ User_CA ]
für die Herausgabe von Benutzer-Zertifikaten. Die Abschnitte
unterscheiden sich vor allem in der Angabe des Extension-Abschnitts, der
beim Schlüsselwort x509_extensions im jeweiligen
CA-Abschnitt festgelegt ist. Über den Extension-Abschnitt wird
bestimmt, welche Extensions die herausgegebenen Zertifikate
enthalten.
Hinweis: Die im Beispiel verwendeten Werte default_md = md5 und
default_bits = 1024 sind veraltet; für eine produktive CA sollten
mindestens sha256 als Signatur-Digest und 2048-Bit-Schlüssel verwendet werden.
Für die drei CA-Abschnitte gemeinsame Werte können auch am
Anfang der Konfigurationsdatei vor dem ersten Abschnitt (hier [
new_oids ]) festgelegt werden. Dieser Bereich ist der unbenannte
Default-Abschnitt von OpenSSL; im Beispiel wird dort der Wert pfad
gesetzt und in den CA-Abschnitten als $pfad referenziert.
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Keys placed here, before the first [section], live in OpenSSL's unnamed
# default section and can be referenced from every other section as $name.
# RANDFILE = $ENV::HOME/.rnd
# oid_file = $ENV::HOME/.oid
# oid_section = new_oids
# Base directory shared by the three CA sections below; each of them derives
# its own dir from it ($pfad/PCA, $pfad/SCA, $pfad/UCA).
pfad = /usr/local/openssl
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# NOTE: this section is only consulted when oid_section = new_oids is set in
# the default section; in this file that line is commented out.
# Add a simple OID like this:
# testoid1 = 1.2.3.4
# Or use config file substitution like this:
# testoid2 = ${testoid1}.5.6
####################################################################
[ ca ]
# CA section 'openssl ca' uses when no other section is named on the command
# line. Note that this points at the Server CA, not the Root CA, so a plain
# 'openssl ca' invocation issues server certificates by default.
default_ca = Server_CA # The default ca section
####################################################################
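[ Root_CA ] # Section for a root CA (issues sub-CA certificates via PCA_ext)
dir = $pfad/PCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/PCAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/PCAkey.pem # The private key; $dir/private must be readable by the CA operator only
RANDFILE = $dir/private/.rand # private random number file (obsolete on current OpenSSL releases, harmless)
x509_extensions = PCA_ext # The extensions to add to the cert
#crl_extensions = crl_ext # Extensions to add to CRL (section crl_ext is defined at the end of this file)
default_days = 730 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Signature digest. The original value (md5) is collision-broken and must not
# be used to sign certificates; sha256 is the current minimum.
default_md = sha256
preserve = no # keep passed DN ordering
# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match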
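[ Server_CA ] # Section for a server CA (issues SSL server certificates via SCA_ext)
dir = $pfad/SCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/SCAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/SCAkey.pem # The private key; $dir/private must be readable by the CA operator only
RANDFILE = $dir/private/.rand # private random number file (obsolete on current OpenSSL releases, harmless)
x509_extensions = SCA_ext # The extensions to add to the cert
#crl_extensions = crl_ext # Extensions to add to CRL (section crl_ext is defined at the end of this file)
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Signature digest. The original value (md5) is collision-broken and must not
# be used to sign certificates; sha256 is the current minimum.
default_md = sha256
preserve = no # keep passed DN ordering
# Despite its name, policy_anything in this file still requires countryName
# to match the CA certificate.
policy = policy_anything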
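[ User_CA ] # Section for a user CA (issues end-user certificates via UCA_ext)
dir = $pfad/UCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/UCAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/UCAkey.pem # The private key; $dir/private must be readable by the CA operator only
RANDFILE = $dir/private/.rand # private random number file (obsolete on current OpenSSL releases, harmless)
x509_extensions = UCA_ext # The extensions to add to the cert
#crl_extensions = crl_ext # Extensions to add to CRL (section crl_ext is defined at the end of this file)
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Signature digest. The original value (md5) is collision-broken and must not
# be used to sign certificates; sha256 is the current minimum.
default_md = sha256
preserve = no # keep passed DN ordering
# Despite its name, policy_anything in this file still requires countryName
# to match the CA certificate.
policy = policy_anything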
# For the CA policy (used by Root_CA).
# Here too:
# ... you must list all acceptable 'object' types.
# match    - the field must be identical to the CA certificate's field
# supplied - the field must be present in the request
# optional - the field may be present
# Any DN field not listed here is rejected by 'openssl ca'.
[ policy_match ]
countryName = match
stateOrProvinceName = supplied
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy (used by Server_CA and User_CA).
# At this point in time, you must list all acceptable 'object'
# types.
# NOTE: unlike the stock OpenSSL policy of the same name, countryName is
# 'match' here, so requests from a different country are rejected.
[ policy_anything ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
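[ req ]
# Key size for keys generated by 'openssl req'. The original value (1024) is
# below the accepted minimum for RSA; 2048 is the current floor.
default_bits = 2048
default_keyfile = privkey.pem
# Digest used to sign requests and self-signed certificates; without this
# older releases fall back to a weak default.
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert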
[ req_distinguished_name ]
# Prompts and constraints for the subject DN. Keys ending in _default,
# _min and _max set the default value and length bounds for the field
# named by the prefix.
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = Schleswig-Holstein
localityName = Locality Name (eg, city)
#localityName_default = Kiel
0.organizationName = Organization Name (eg, company)
#0.organizationName_default = Universitaet Kiel
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Studis
# For server certificates, note that the host name given here as commonName
# is not copied into a DNS subjectAltName by any extension section in this
# file; clients that require a DNS SAN will not accept such certificates.
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 60
# SET-ex3 = SET extension number 3
[ req_attributes ]
# The challenge password lets the requester authenticate to the issuing CA
# for a certificate revocation if the private key is lost.
# It is prompted for when the certificate request is created.
# NOTE: the value is embedded in the request itself, so anyone who obtains
# the CSR can read it; treat the CSR as confidential while it is in transit.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
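[ PCA_ext ]
# Extensions for the sub-CA certificates issued by Root_CA.
# CA:TRUE marks the subject as a certification authority. Consider adding
# pathlen:N to bound how many further CA levels the sub-CA may create.
basicConstraints = critical, CA:TRUE
# Possible: digitalSignature, nonRepudiation, keyEncipherment,
# dataEncipherment, keyAgreement, keyCertSign,
# cRLSign, encipherOnly, decipherOnly
# Marked critical so that relying parties cannot silently ignore the
# restriction to certificate and CRL signing (RFC 5280 recommends this).
keyUsage = critical, cRLSign, keyCertSign
# PKIX recommendations
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Import the email address.
subjectAltName = email:copy
# Copy subject details
issuerAltName = issuer:copy
# Possible: client, server, email, objsign, reserved, sslCA, emailCA, objCA
# (legacy Netscape extension; ignored by current clients)
nsCertType = sslCA, emailCA, objCA
# Common URL prefix for the relative URLs below.
nsBaseUrl = https://mystic.pca.dfn.de:1443/
# The page with the CA policy
nsCaPolicyUrl = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html
nsComment = This certificate was issued by a PCA
# An online certificate check can take place here by accessing the URL in
# the form ../foo.cgi?aaaa, where "aaaa" is the ASCII-encoded serial number
# of the certificate. The certificate can then be checked with OpenSSL.
# The response is a decimal 0 or 1.
nsRevocationUrl = cgi/non-CA-rev.cgi?
# Only valid in CA certificates. Meaning not entirely clear.
# nsCaRevocationUrl = cgi/CA-rev.cgi?
# Used to make it easier for a user to renew their certificate. Usually a
# CGI script is behind it, accessed via HTTP GET in the form ../foo.cgi?aaaa,
# where "aaaa" is again the serial number. A renewal request form may be
# returned.
# nsRenewalUrl = cgi/check-renw.cgi?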
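[ SCA_ext ]
# Extensions for the server certificates issued by Server_CA.
# Explicitly deny CA use so the certificate can never be mistaken for an
# issuer; previously this line was commented out.
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# Restrict the certificate to TLS server use; current clients expect this.
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Only the email address is copied. No DNS name ends up in the SAN, so
# clients that require a DNS subjectAltName will not accept these
# certificates; that needs copy_extensions = copy in the CA section or a
# per-request SAN.
subjectAltName = email:copy
issuerAltName = issuer:copy
# legacy Netscape extension; ignored by current clients
nsCertType = server
nsBaseUrl = https://mystic.pca.dfn.de:1443/
nsCaPolicyUrl = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html
nsComment = This certificate was issued by a Server CA
nsRevocationUrl = cgi/non-CA-rev.cgi?
# nsCaRevocationUrl = cgi/CA-rev.cgi?
# nsRenewalUrl = cgi/check-renw.cgi?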
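[ UCA_ext ]
# Extensions for the end-user certificates issued by User_CA.
# Explicitly deny CA use so the certificate can never be mistaken for an
# issuer; previously this line was commented out.
basicConstraints = critical, CA:FALSE
# The original value misspelled keyEncipherment ("keyEnciphermen"), which
# makes 'openssl ca' reject the extension section.
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
# Restrict the certificate to client authentication and S/MIME.
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
# legacy Netscape extension; ignored by current clients
nsCertType = client, email
nsBaseUrl = https://mystic.pca.dfn.de:1443/
nsCaPolicyUrl = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html
nsComment = This certificate was issued by a User CA
nsRevocationUrl = cgi/non-CA-rev.cgi?
# nsCaRevocationUrl = cgi/CA-rev.cgi?
# nsRenewalUrl = cgi/check-renw.cgi?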
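[ v3_ca ]
# Extensions for the self-signed root certificate created by 'openssl req -x509'.
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Marked critical so that relying parties cannot silently ignore the
# restriction to certificate and CRL signing (RFC 5280 recommends this).
keyUsage = critical, cRLSign, keyCertSign
# legacy Netscape extension; ignored by current clients
nsCertType = sslCA, emailCA, objCA
subjectAltName = email:copy
issuerAltName = issuer:copy
# NOTE: port 443 here, 1443 in the other extension sections; one of the two
# is presumably a leftover. Verify which revocation service is live.
nsBaseUrl = https://mystic.pca.dfn.de:443/
nsCaPolicyUrl = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html
nsComment = This certificate is a Root CA Certificate
nsRevocationUrl = cgi/non-CA-rev.cgi?
# nsCaRevocationUrl = cgi/CA-rev.cgi?
# nsRenewalUrl = cgi/check-renw.cgi?
# RAW DER hex encoding of an extension: beware experts only!
# 1.2.3.5 = RAW:02:03
# You can even override a supported extension:
# basicConstraints = critical, RAW:30:03:01:01:FF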
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# This section is only applied when a CA section sets crl_extensions = crl_ext;
# in this file all three CA sections have that line commented out, so the
# CRLs they produce currently carry no extensions.
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always