OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding mechanism, which makes it unnecessary to define a RANDFILE for saving and restoring randomness. This commit removes the RANDFILE declarations from our own configuration files and adds documentation that this option is no longer needed and is retained mainly for compatibility reasons. Fixes #10433 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10436)
#
# OpenSSL configuration file used to create the certificates shipped in the
# apps directory.
#

# Fallback values in the default (unnamed) section: they keep the lines
# further down from failing when HOME or CN is not defined.
# NOTE(review): with CN unset the request is presumably still produced, with
# the placeholder below as its commonName -- have the calling script check
# that CN is set before it invokes openssl.
HOME = .
CN = "Not Defined"
####################################################################
[ req ]
# Key size used when the command line does not give one.
default_bits = 2048
# NOTE(review): no encrypt_key setting appears in this section, so whether
# privkey.pem is written passphrase-protected depends on how 'openssl req' is
# invoked -- confirm, and keep the file readable by its owner only.
default_keyfile = privkey.pem
# Do not prompt for the subject fields: take them straight from the
# distinguished_name section.
prompt = no
distinguished_name = req_distinguished_name
# Extensions added to the self-signed certificate.
x509_extensions = v3_ca
# Encode subject string fields as UTF8String only.
string_mask = utf8only

# Extensions to add to a certificate request.
# NOTE(review): no [ v3_req ] section is visible in this file; one has to be
# defined before the line below is enabled.
# req_extensions = v3_req
[ req_distinguished_name ]
# Subject fields, used verbatim because prompting is switched off in [ req ].
# NOTE(review): the ISO 3166 alpha-2 code for the United Kingdom is GB, not UK;
# left as is because changing it alters the subject of the generated
# certificates.
countryName = UK

organizationName = OpenSSL Group
# Labels everything issued from this file as test material.
organizationalUnitName = FOR TESTING PURPOSES ONLY
# CN is read from the environment so that a script can supply it.
commonName = $ENV::CN
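[ usr_cert ]

# Extensions added when 'ca' signs a request for an end-entity certificate.

# End entity only: the certificate is marked as not being a CA.
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

# Shown in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations, harmless if included in all certificates. Added here
# so that this profile carries the same key identifiers as [ ec_cert ]; they
# let path building match a certificate to its issuer by key, not by name
# alone.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid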
[ ec_cert ]

# Extensions added when 'ca' signs a request for an end-entity certificate.

# End entity only: the certificate is marked as not being a CA.
basicConstraints = critical, CA:FALSE
# keyAgreement appears here where [ usr_cert ] lists keyEncipherment.
keyUsage = critical, nonRepudiation, digitalSignature, keyAgreement

# Shown in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations, harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ca ]

# Extensions for a typical CA.

# PKIX recommendation.
# NOTE(review): keep subjectKeyIdentifier ahead of authorityKeyIdentifier --
# on the self-signed certificate 'keyid:always' presumably needs the subject
# key identifier to exist already; confirm before reordering these lines.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# NOTE(review): no pathlen is given, so the depth of subordinate CAs below
# this certificate is not limited.
basicConstraints = critical,CA:true
# Restricts the key to signing certificates and CRLs.
keyUsage = critical, cRLSign, keyCertSign