wolfssl/certs/renewcerts/wolfssl.cnf
2014-12-29 11:53:25 -07:00

171 lines
6.2 KiB
INI

#
# wolfssl configuration file
#
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
####################################################################
# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY #
# #
dir = $HOME./.. #
####################################################################
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/certs/crl # Where the issued crl are kept
database = $dir/certs/crl/demoCA/index.txt # database index file.
new_certs_dir = $dir/certs # default place for new certs.
certificate = $dir/certs/ca-cert.pem # The CA certificate
serial = $dir/certs/serial # The current serial number
crlnumber = $dir/certs/crl/crlnumber # the current crl number
crl = $dir/certs/crl/crl.pem # The current CRL
private_key = $dir/certs/ca-key.pem # The private key
RANDFILE = $dir/certs/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 1000 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# default req
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
#default req_dist_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Montana
localityName = Locality Name (eg, city)
localityName_default = Bozeman
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Sawtooth
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Consulting
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = www.wolfssl.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = info@wolfssl.com
emailAddress_max = 64
#default req_attr
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
# These extensions are added when 'ca' signs a request.
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "wolfSSL Generated Certificate using openSSL command line utility."
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
#wolfssl extensions
[wolfssl_opts]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true
# Extensions to add to a certificate request
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Extensions for a typical CA
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
# CRL extensions.
[ crl_ext ]
authorityKeyIdentifier=keyid:always
# These extensions should be added when creating a proxy certificate
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "wolfSSL Generated Certificate using openSSL command line utility"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
#tsa default
[ tsa ]
default_tsa = tsa_config1
# These are used by the TSA reply generation only.
[ tsa_config1 ]
dir = ./demoCA # directory
serial = $dir/tsaserial # (mandatory)
crypto_device = builtin # engine
signer_cert = $dir/tsacert.pem # certificate
certs = $dir/cacert.pem # chain
signer_key = $dir/private/tsakey.pem # (optional)
default_policy = tsa_policy1 # Policy
other_policies = tsa_policy2, tsa_policy3 # (optional)
digests = md5, sha1 # (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # (optional)
ordering = yes # timestamps?
tsa_name = yes # include?
ess_cert_id_chain = no # include chain?