Diffstat (limited to '')
-rwxr-xr-xeasy-rsa/2.0/openssl-1.0.0.cnf (renamed from easy-rsa/2.0/openssl.cnf)30
1 files changed, 12 insertions, 18 deletions
diff --git a/easy-rsa/2.0/openssl.cnf b/easy-rsa/2.0/openssl-1.0.0.cnf
index 3e4d3b3..fa258a5 100755
--- a/easy-rsa/2.0/openssl.cnf
+++ b/easy-rsa/2.0/openssl-1.0.0.cnf
@@ -1,9 +1,4 @@
-# For use with easy-rsa version 2.0
-
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# This definition stops the following lines choking if HOME isn't
# defined.
@@ -15,12 +10,12 @@ openssl_conf = openssl_init
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
-engines = engine_section
+engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
-# extensions =
+# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
@@ -48,7 +43,7 @@ new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
-private_key = $dir/ca.key # The private key
+private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
@@ -59,7 +54,7 @@ x509_extensions = usr_cert # The extentions to add to the cert
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
+default_md = md5 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
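Review bot: The rewritten trailing comment on `default_md` says "use public key default MD", but the value is still `md5`, so certificates signed through this CA section keep an MD5 signature digest. The comment appears to be carried over from the stock OpenSSL 1.0.0 config, where the value is `default`, without the value coming along. MD5 is collision-broken for certificate signatures, so change the line to `default_md = sha256 # digest used when signing certificates`. The section header and the `[ req ]` section are outside this hunk; check that neither pins MD5 separately.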
@@ -102,14 +97,12 @@ x509_extensions = v3_ca # The extentions to add to the self signed cert
# input_password = secret
# output_password = secret
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
+# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
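Review bot: `string_mask` stays at `nombstr` even though the updated comments now label `pkix` and `utf8only` as the PKIX recommendation, and the Netscape warning that presumably motivated the conservative value is removed. That leaves the setting without a stated reason. Either add a comment above it such as `# kept at nombstr for compatibility with already-issued certificates`, or switch to `string_mask = utf8only` once every consumer of these certificates is confirmed to handle UTF8String. The enclosing section starts outside this hunk.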
@@ -151,6 +144,7 @@ organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
+
# SET-ex3 = SET extension number 3
[ req_attributes ]
@@ -196,6 +190,7 @@ authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
+
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
@@ -214,8 +209,8 @@ keyUsage = digitalSignature
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
-nsCertType = server
-nsComment = "Easy-RSA Generated Server Certificate"
+nsCertType = server
+nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
@@ -288,4 +283,3 @@ dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
-