diff options
Diffstat (limited to 'crypto/heimdal/lib/hx509/data/openssl.cnf')
-rw-r--r-- | crypto/heimdal/lib/hx509/data/openssl.cnf | 182 |
1 files changed, 182 insertions, 0 deletions
diff --git a/crypto/heimdal/lib/hx509/data/openssl.cnf b/crypto/heimdal/lib/hx509/data/openssl.cnf new file mode 100644 index 0000000..7fe3b64 --- /dev/null +++ b/crypto/heimdal/lib/hx509/data/openssl.cnf @@ -0,0 +1,182 @@ +oid_section = new_oids + +[ new_oids ] +pkkdcekuoid = 1.3.6.1.5.2.3.5 + +[ca] + +default_ca = user + +[usr] +database = index.txt +serial = serial +x509_extensions = usr_cert +default_md=sha1 +policy = policy_match +certs = . + +[ocsp] +database = index.txt +serial = serial +x509_extensions = ocsp_cert +default_md=sha1 +policy = policy_match +certs = . + +[usr_ke] +database = index.txt +serial = serial +x509_extensions = usr_cert_ke +default_md=sha1 +policy = policy_match +certs = . + +[usr_ds] +database = index.txt +serial = serial +x509_extensions = usr_cert_ds +default_md=sha1 +policy = policy_match +certs = . + +[pkinit_client] +database = index.txt +serial = serial +x509_extensions = pkinit_client_cert +default_md=sha1 +policy = policy_match +certs = . + +[pkinit_kdc] +database = index.txt +serial = serial +x509_extensions = pkinit_kdc_cert +default_md=sha1 +policy = policy_match +certs = . + +[https] +database = index.txt +serial = serial +x509_extensions = https_cert +default_md=sha1 +policy = policy_match +certs = . + +[subca] +database = index.txt +serial = serial +x509_extensions = v3_ca +default_md=sha1 +policy = policy_match +certs = . + + +[ req ] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca # The extentions to add to the self signed cert + +string_mask = utf8only + +[ v3_ca ] + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature + +[ usr_cert ] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier = hash + +[ usr_cert_ke ] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, keyEncipherment +subjectKeyIdentifier = hash + +[ proxy_cert ] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier = hash +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo + +[pkinitc_princ_name] +realm = EXP:0, GeneralString:TEST.H5L.SE +principal_name = EXP:1, SEQUENCE:pkinitc_principal_seq + +[ pkinit_client_cert ] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier = hash +subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name + +[pkinitc_principal_seq] +name_type = EXP:0, INTEGER:1 +name_string = EXP:1, SEQUENCE:pkinitc_principals + +[pkinitc_principals] +princ1 = GeneralString:bar + +[ https_cert ] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +#extendedKeyUsage = https-server XXX +subjectKeyIdentifier = hash + +[ pkinit_kdc_cert ] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = pkkdcekuoid +subjectKeyIdentifier = hash +subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name + +[pkinitkdc_princ_name] +realm = EXP:0, GeneralString:TEST.H5L.SE +principal_name = EXP:1, SEQUENCE:pkinitkdc_principal_seq + +[pkinitkdc_principal_seq] +name_type = EXP:0, INTEGER:1 +name_string = EXP:1, SEQUENCE:pkinitkdc_principals + +[pkinitkdc_principals] +princ1 = GeneralString:krbtgt +princ2 = GeneralString:TEST.H5L.SE + +[ proxy10_cert ] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier = hash +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo + +[ usr_cert_ds ] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature +subjectKeyIdentifier = hash + +[ ocsp_cert ] +basicConstraints=CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +# ocsp-nocheck and kp-OCSPSigning +extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9 +subjectKeyIdentifier = hash + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = SE +countryName_min = 2 +countryName_max = 2 + +organizationalName = Organizational Unit Name (eg, section) + +commonName = Common Name (eg, YOUR name) +commonName_max = 64 + +#[ req_attributes ] +#challengePassword = A challenge password +#challengePassword_min = 4 +#challengePassword_max = 20 + +[ policy_match ] +countryName = match +commonName = supplied |