[ca] default_ca = user [usr] database = index.txt serial = serial x509_extensions = usr_cert default_md=sha1 policy = policy_match email_in_dn = no certs = . [ocsp] database = index.txt serial = serial x509_extensions = ocsp_cert default_md=sha1 policy = policy_match email_in_dn = no certs = . [usr_ke] database = index.txt serial = serial x509_extensions = usr_cert_ke default_md=sha1 policy = policy_match email_in_dn = no certs = . [usr_ds] database = index.txt serial = serial x509_extensions = usr_cert_ds default_md=sha1 policy = policy_match email_in_dn = no certs = . [pkinit_client] database = index.txt serial = serial x509_extensions = pkinit_client_cert default_md=sha1 policy = policy_match email_in_dn = no certs = . [pkinit_kdc] database = index.txt serial = serial x509_extensions = pkinit_kdc_cert default_md=sha1 policy = policy_match email_in_dn = no certs = . [https] database = index.txt serial = serial x509_extensions = https_cert default_md=sha1 policy = policy_match email_in_dn = no certs = . [subca] database = index.txt serial = serial x509_extensions = v3_ca default_md=sha1 policy = policy_match email_in_dn = no certs = . [req] distinguished_name = req_distinguished_name x509_extensions = v3_ca # The extensions to add to the self signed cert string_mask = utf8only [v3_ca] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature [usr_cert] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier = hash [usr_cert_ke] basicConstraints=CA:FALSE keyUsage = nonRepudiation, keyEncipherment subjectKeyIdentifier = hash [proxy_cert] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier = hash proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo [pkinitc_principals] princ1 = GeneralString:bar [pkinitc_principal_seq] name_type = EXP:0,INTEGER:1 name_string = EXP:1,SEQUENCE:pkinitc_principals [pkinitc_princ_name] realm = EXP:0,GeneralString:TEST.H5L.SE principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq [pkinit_client_cert] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier = hash subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name [https_cert] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment #extendedKeyUsage = https-server XXX subjectKeyIdentifier = hash [pkinit_kdc_cert] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = 1.3.6.1.5.2.3.5 subjectKeyIdentifier = hash subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name [pkinitkdc_princ_name] realm = EXP:0,GeneralString:TEST.H5L.SE principal_name = EXP:1,SEQUENCE:pkinitkdc_principal_seq [pkinitkdc_principal_seq] name_type = EXP:0,INTEGER:1 name_string = EXP:1,SEQUENCE:pkinitkdc_principals [pkinitkdc_principals] princ1 = GeneralString:krbtgt princ2 = GeneralString:TEST.H5L.SE [proxy10_cert] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier = hash proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo [usr_cert_ds] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature subjectKeyIdentifier = hash [ocsp_cert] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment # ocsp-nocheck and kp-OCSPSigning extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9 subjectKeyIdentifier = hash [req_distinguished_name] countryName = Country Name (2 letter code) countryName_default = SE countryName_min = 2 countryName_max = 2 organizationalName = Organizational Unit Name (eg, section) commonName = Common Name (eg, YOUR name) commonName_max = 64 #[req_attributes] #challengePassword = A challenge password #challengePassword_min = 4 #challengePassword_max = 20 [policy_match] countryName = match commonName = supplied