source: npl/internetserver/openvpn_conf/root/etc/openvpn/openssl-1.0.cnf

Last change on this file was c5c522c, checked in by Edwin Eefting <edwin@datux.nl>, 8 years ago

initial commit, transferred from cleaned syn3 svn tree
  • Property mode set to 100644
File size: 4.5 KB
RevLine 
[c5c522c]1# For use with Easy-RSA 3.0 and OpenSSL 1.0.*
2
3RANDFILE                = $ENV::EASYRSA_PKI/.rnd
4
5####################################################################
6[ ca ]
7default_ca      = CA_default            # The default ca section
8
9####################################################################
10[ CA_default ]
11
12dir             = $ENV::EASYRSA_PKI     # Where everything is kept
13certs           = $dir                  # Where the issued certs are kept
14crl_dir         = $dir                  # Where the issued crl are kept
15database        = $dir/index.txt        # database index file.
16new_certs_dir   = $dir/certs_by_serial  # default place for new certs.
17
18certificate     = $dir/ca.crt           # The CA certificate
19serial          = $dir/serial           # The current serial number
20crl             = $dir/crl.pem          # The current CRL
21private_key     = $dir/private/ca.key   # The private key
22RANDFILE        = $dir/.rand            # private random number file
23
24x509_extensions = basic_exts            # The extentions to add to the cert
25
26# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
27# is designed for will. In return, we get the Issuer attached to CRLs.
28crl_extensions  = crl_ext
29
30default_days    = $ENV::EASYRSA_CERT_EXPIRE     # how long to certify for
31default_crl_days= $ENV::EASYRSA_CRL_DAYS        # how long before next CRL
32default_md      = $ENV::EASYRSA_DIGEST          # use public key default MD
33preserve        = no                    # keep passed DN ordering
34
35# A few difference way of specifying how similar the request should look
36# For type CA, the listed attributes must be the same, and the optional
37# and supplied fields are just that :-)
38policy          = policy_anything
39
40# For the 'anything' policy, which defines allowed DN fields
41[ policy_anything ]
42countryName             = optional
43stateOrProvinceName     = optional
44localityName            = optional
45organizationName        = optional
46organizationalUnitName  = optional
47commonName              = supplied
48name                    = optional
49emailAddress            = optional
50
51####################################################################
52# Easy-RSA request handling
53# We key off $DN_MODE to determine how to format the DN
54[ req ]
55default_bits            = $ENV::EASYRSA_KEY_SIZE
56default_keyfile         = privkey.pem
57default_md              = $ENV::EASYRSA_DIGEST
58distinguished_name      = $ENV::EASYRSA_DN
59x509_extensions         = easyrsa_ca    # The extentions to add to the self signed cert
60
61# A placeholder to handle the $EXTRA_EXTS feature:
62#%EXTRA_EXTS%   # Do NOT remove or change this line as $EXTRA_EXTS support requires it
63
64####################################################################
65# Easy-RSA DN (Subject) handling
66
67# Easy-RSA DN for cn_only support:
68[ cn_only ]
69commonName              = Common Name (eg: your user, host, or server name)
70commonName_max          = 64
71commonName_default      = $ENV::EASYRSA_REQ_CN
72
73# Easy-RSA DN for org support:
74[ org ]
75countryName                     = Country Name (2 letter code)
76countryName_default             = $ENV::EASYRSA_REQ_COUNTRY
77countryName_min                 = 2
78countryName_max                 = 2
79
80stateOrProvinceName             = State or Province Name (full name)
81stateOrProvinceName_default     = $ENV::EASYRSA_REQ_PROVINCE
82
83localityName                    = Locality Name (eg, city)
84localityName_default            = $ENV::EASYRSA_REQ_CITY
85
860.organizationName              = Organization Name (eg, company)
870.organizationName_default      = $ENV::EASYRSA_REQ_ORG
88
89organizationalUnitName          = Organizational Unit Name (eg, section)
90organizationalUnitName_default  = $ENV::EASYRSA_REQ_OU
91
92commonName                      = Common Name (eg: your user, host, or server name)
93commonName_max                  = 64
94commonName_default              = $ENV::EASYRSA_REQ_CN
95
96emailAddress                    = Email Address
97emailAddress_default            = $ENV::EASYRSA_REQ_EMAIL
98emailAddress_max                = 64
99
100####################################################################
101# Easy-RSA cert extension handling
102
103# This section is effectively unused as the main script sets extensions
104# dynamically. This core section is left to support the odd usecase where
105# a user calls openssl directly.
106[ basic_exts ]
107basicConstraints        = CA:FALSE
108subjectKeyIdentifier    = hash
109authorityKeyIdentifier  = keyid,issuer:always
110
111# The Easy-RSA CA extensions
112[ easyrsa_ca ]
113
114# PKIX recommendations:
115
116subjectKeyIdentifier=hash
117authorityKeyIdentifier=keyid:always,issuer:always
118
119# This could be marked critical, but it's nice to support reading by any
120# broken clients who attempt to do so.
121basicConstraints = CA:true
122
123# Limit key usage to CA tasks. If you really want to use the generated pair as
124# a self-signed cert, comment this out.
125keyUsage = cRLSign, keyCertSign
126
127# nsCertType omitted by default. Let's try to let the deprecated stuff die.
128# nsCertType = sslCA
129
130# CRL extensions.
131[ crl_ext ]
132
133# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
134
135# issuerAltName=issuer:copy
136authorityKeyIdentifier=keyid:always,issuer:always
137
Note: See TracBrowser for help on using the repository browser.