mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
92c03668c0
The change to a more configuration based approach to enable FIPS mode operation highlights a shortcoming in the default should do something approach we've taken for bad configuration files. Currently, a bad configuration file will be automatically loaded and once the badness is detected, it will silently stop processing the configuration and continue normal operations. This is good for remote servers, allowing changes to be made without bricking things. It's bad when a user thinks they've configured what they want but got something wrong and it still appears to work. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16171)
83 lines
2.0 KiB
INI
83 lines
2.0 KiB
INI
#
|
|
# OpenSSL example configuration file for automated certificate creation.
|
|
#
|
|
|
|
# This definition stops the following lines choking if HOME or CN
|
|
# is undefined.
|
|
HOME = .
|
|
CN = "Not Defined"
|
|
default_ca = ca
|
|
|
|
# Comment out the next line to ignore configuration errors
|
|
config_diagnostics = 1
|
|
|
|
####################################################################
|
|
[ req ]
|
|
default_bits = 1024
|
|
default_keyfile = privkey.pem
|
|
# Don't prompt for fields: use those in section directly
|
|
prompt = no
|
|
distinguished_name = req_distinguished_name
|
|
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
|
string_mask = utf8only
|
|
|
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
|
|
|
[ req_distinguished_name ]
|
|
countryName = UK
|
|
|
|
organizationName = OpenSSL Group
|
|
# Take CN from environment so it can come from a script.
|
|
commonName = $ENV::CN
|
|
|
|
[ usr_cert ]
|
|
|
|
# These extensions are added when 'ca' signs a request for an end entity
|
|
# certificate
|
|
|
|
basicConstraints=critical, CA:FALSE
|
|
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid
|
|
# OCSP responder certificate
|
|
[ ocsp_cert ]
|
|
|
|
basicConstraints=critical, CA:FALSE
|
|
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid
|
|
extendedKeyUsage=OCSPSigning
|
|
|
|
[ dh_cert ]
|
|
|
|
# These extensions are added when 'ca' signs a request for an end entity
|
|
# DH certificate
|
|
|
|
basicConstraints=critical, CA:FALSE
|
|
keyUsage=critical, keyAgreement
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid
|
|
|
|
[ v3_ca ]
|
|
|
|
|
|
# Extensions for a typical CA
|
|
|
|
# PKIX recommendation.
|
|
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid:always
|
|
basicConstraints = critical,CA:true
|
|
keyUsage = critical, cRLSign, keyCertSign
|
|
|
|
# Minimal CA entry to allow generation of CRLs.
|
|
[ca]
|
|
database=index.txt
|
|
crlnumber=crlnum.txt
|