The following example configuration file contains three sections for different CA configurations. The first section, [ Root_CA ], holds a configuration for issuing CA certificates; [ Server_CA ] likewise serves for issuing SSL server certificates and [ User_CA ] for issuing user certificates. The sections differ mainly in the extension section they name with the keyword x509_extensions in the respective CA section. That extension section determines which extensions the issued certificates contain.
Values common to all three CA sections can also be set at the beginning of the configuration file, before the first section (here [ new_oids ]).
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# RANDFILE    = $ENV::HOME/.rnd
# oid_file    = $ENV::HOME/.oid
# oid_section = new_oids

pfad = /usr/local/openssl

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1 = 1.2.3.4
# Or use config file substitution like this:
# testoid2 = ${testoid1}.5.6

####################################################################
[ ca ]
default_ca = Server_CA                  # The default ca section

####################################################################
[ Root_CA ]
# Section for a root CA

dir             = $pfad/PCA                 # Where everything is kept
certs           = $dir/certs                # Where the issued certs are kept
crl_dir         = $dir/crl                  # Where the issued crl are kept
database        = $dir/index.txt            # database index file.
new_certs_dir   = $dir/newcerts             # default place for new certs.

certificate     = $dir/PCAcert.pem          # The CA certificate
serial          = $dir/serial               # The current serial number
crl             = $dir/crl.pem              # The current CRL
private_key     = $dir/private/PCAkey.pem   # The private key
RANDFILE        = $dir/private/.rand        # private random number file

x509_extensions = PCA_ext                   # The extensions to add to the cert
#crl_extensions = crl_ext                   # Extensions to add to CRL

default_days     = 730                      # how long to certify for
default_crl_days = 30                       # how long before next CRL
default_md       = md5                      # which md to use (md5 is obsolete today; sha256 for new CAs)
preserve         = no                       # keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

[ Server_CA ]
# Section for a server CA

dir             = $pfad/SCA                 # Where everything is kept
certs           = $dir/certs                # Where the issued certs are kept
crl_dir         = $dir/crl                  # Where the issued crl are kept
database        = $dir/index.txt            # database index file.
new_certs_dir   = $dir/newcerts             # default place for new certs.

certificate     = $dir/SCAcert.pem          # The CA certificate
serial          = $dir/serial               # The current serial number
crl             = $dir/crl.pem              # The current CRL
private_key     = $dir/private/SCAkey.pem   # The private key
RANDFILE        = $dir/private/.rand        # private random number file

x509_extensions = SCA_ext                   # The extensions to add to the cert
#crl_extensions = crl_ext                   # Extensions to add to CRL

default_days     = 365                      # how long to certify for
default_crl_days = 30                       # how long before next CRL
default_md       = md5                      # which md to use.
preserve         = no                       # keep passed DN ordering

policy = policy_anything

[ User_CA ]
# Section for a user CA

dir             = $pfad/UCA                 # Where everything is kept
certs           = $dir/certs                # Where the issued certs are kept
crl_dir         = $dir/crl                  # Where the issued crl are kept
database        = $dir/index.txt            # database index file.
new_certs_dir   = $dir/newcerts             # default place for new certs.

certificate     = $dir/UCAcert.pem          # The CA certificate
serial          = $dir/serial               # The current serial number
crl             = $dir/crl.pem              # The current CRL
private_key     = $dir/private/UCAkey.pem   # The private key
RANDFILE        = $dir/private/.rand        # private random number file

x509_extensions = UCA_ext                   # The extensions to add to the cert
#crl_extensions = crl_ext                   # Extensions to add to CRL

default_days     = 365                      # how long to certify for
default_crl_days = 30                       # how long before next CRL
default_md       = md5                      # which md to use.
preserve         = no                       # keep passed DN ordering

policy = policy_anything

# For the CA policy
# Here too:
# ... you must list all acceptable 'object' types.
[ policy_match ]
countryName            = match
stateOrProvinceName    = supplied
localityName           = optional
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName            = match
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

####################################################################
[ req ]
default_bits       = 1024                   # (1024-bit RSA is too short today; 2048 or more for new keys)
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
attributes         = req_attributes
x509_extensions    = v3_ca                  # The extensions to add to the self signed cert

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = DE
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
#stateOrProvinceName_default    = Schleswig-Holstein

localityName                    = Locality Name (eg, city)
#localityName_default           = Kiel

0.organizationName              = Organization Name (eg, company)
#0.organizationName_default     = Universitaet Kiel

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Studis

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 60

# SET-ex3 = SET extension number 3

[ req_attributes ]
# The challenge password is used to prove one's identity to the issuing CA
# for a certificate revocation if the private key is lost.
# It is prompted for when the certificate request is created.
challengePassword     = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName      = An optional company name

[ PCA_ext ]

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = critical, CA:TRUE

# Possible values: digitalSignature, nonRepudiation, keyEncipherment,
#                  dataEncipherment, keyAgreement, keyCertSign,
#                  cRLSign, encipherOnly, decipherOnly
keyUsage = cRLSign, keyCertSign

# PKIX recommendations
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always

# Import the email address.
subjectAltName = email:copy
# Copy subject details
issuerAltName  = issuer:copy

# Possible values: client, server, email, objsign, reserved, sslCA, emailCA, objCA
nsCertType = sslCA, emailCA, objCA

# The URL prefix common to the following URLs can be given here.
nsBaseUrl = https://mystic.pca.dfn.de:1443/

# The page with the CA policy
nsCaPolicyUrl = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html

nsComment = This certificate was issued by a PCA

# An online certificate check can take place here: the URL is accessed in the
# form ../foo.cgi?aaaa, where "aaaa" is the ASCII-encoded serial number of the
# certificate. The certificate can then be checked with OpenSSL.
# A decimal 0 or 1 is returned.
nsRevocationUrl = cgi/non-CA-rev.cgi?

# Only valid in CA certificates. Meaning not entirely clear.
# nsCaRevocationUrl = cgi/CA-rev.cgi?

# Used to make it easier for a user to renew their certificate. Usually a CGI
# script is behind it, accessed via HTTP GET in the form ../foo.cgi?aaaa,
# where "aaaa" is again the serial number. A request form for renewing the
# certificate can be returned.
# nsRenewalUrl = cgi/check-renw.cgi?

[ SCA_ext ]

# basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always

subjectAltName = email:copy
issuerAltName  = issuer:copy

nsCertType = server

nsBaseUrl       = https://mystic.pca.dfn.de:1443/
nsCaPolicyUrl   = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html
nsComment       = This certificate was issued by a Server CA
nsRevocationUrl = cgi/non-CA-rev.cgi?
# nsCaRevocationUrl = cgi/CA-rev.cgi?
# nsRenewalUrl = cgi/check-renw.cgi?

[ UCA_ext ]

# basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always

subjectAltName = email:copy
issuerAltName  = issuer:copy

nsCertType = client, email

nsBaseUrl       = https://mystic.pca.dfn.de:1443/
nsCaPolicyUrl   = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html
nsComment       = This certificate was issued by a User CA
nsRevocationUrl = cgi/non-CA-rev.cgi?
# nsCaRevocationUrl = cgi/CA-rev.cgi?
# nsRenewalUrl = cgi/check-renw.cgi?

[ v3_ca ]

basicConstraints = critical, CA:TRUE

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always

keyUsage   = cRLSign, keyCertSign
nsCertType = sslCA, emailCA, objCA

subjectAltName = email:copy
issuerAltName  = issuer:copy

nsBaseUrl       = https://mystic.pca.dfn.de:443/
nsCaPolicyUrl   = http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html
nsComment       = This certificate is a Root CA Certificate
nsRevocationUrl = cgi/non-CA-rev.cgi?
# nsCaRevocationUrl = cgi/CA-rev.cgi?
# nsRenewalUrl = cgi/check-renw.cgi?

# RAW DER hex encoding of an extension: beware experts only!
# 1.2.3.5 = RAW:02:03
# You can even override a supported extension:
# basicConstraints = critical, RAW:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
issuerAltName          = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
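As an added example (not part of the original page or of the DFN-PCA files), a small Python checker for configuration files of this shape: it parses the sections, resolves $pfad / $dir references the way OpenSSL's config substitution does, and verifies for every CA section that the section named by x509_extensions exists and that its keyUsage bits are spelled correctly. The embedded sample config is constructed and trimmed from the file above, with one misspelt keyUsage bit so the check has something to report.

```python
import re
KEY_USAGES = {"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
              "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"}

def parse_config(text):
    """Parse '[ name ]' headers and 'key = value  # comment' lines into {section: {key: value}}."""
    sections = {"": (current := {})}              # keys before the first header live in ''
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments (values here contain no '#')
        if header := re.fullmatch(r"\[\s*(\S+)\s*\]", line):
            current = sections.setdefault(header.group(1), {})
        elif "=" in line:                          # blank lines fall through
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def expand(value, section, sections):
    """Resolve $name / ${name} like OpenSSL: the current section first, then the default section."""
    def lookup(m):
        return section.get(m[1] or m[2], sections[""].get(m[1] or m[2], m[0]))
    for _ in range(5):   # a few rounds resolve nested references: $dir -> $pfad/PCA -> /usr/local/openssl/PCA
        value = re.sub(r"\$\{(\w+)\}|\$(\w+)", lookup, value)
    return value

def check_ca_sections(sections):
    """Problems for each CA section, i.e. one that sets dir and x509_extensions ([ req ] sets only the latter)."""
    problems = []
    for name, sec in sections.items():
        if "dir" not in sec or "x509_extensions" not in sec:
            continue
        ext_name = sec["x509_extensions"]
        if ext_name not in sections:
            problems.append(f"{name}: extension section [{ext_name}] not found")
            continue
        for usage in sections[ext_name].get("keyUsage", "").split(","):
            if usage.strip() and usage.strip() not in KEY_USAGES:   # 'openssl ca' rejects unknown bits
                problems.append(f"{ext_name}: unknown keyUsage '{usage.strip()}'")
    return problems

SAMPLE = """pfad = /usr/local/openssl   # constructed sample, trimmed from the file above
[ Root_CA ]
dir = $pfad/PCA
x509_extensions = PCA_ext
[ User_CA ]
dir = $pfad/UCA
x509_extensions = UCA_ext
[ PCA_ext ]
keyUsage = cRLSign, keyCertSign
[ UCA_ext ]
keyUsage = digitalSignature, keyEnciphermen, keyAgreement"""
```

Running check_ca_sections(parse_config(SAMPLE)) reports the misspelt bit in [ UCA_ext ]; a dangling x509_extensions reference is reported the same way.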