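# OpenSSL configuration used as an X.509 unit-test fixture: a throwaway CA
# under /tmp plus a set of extension sections ([ *_cert ], [ alt_* ], ...)
# that exercise specific encodings (unknown critical extensions, over-long
# keyUsage bit lists, malformed/IPv6 SAN addresses, non-ASCII dirNames).
# Read by the OpenSSL "req"/"ca"/"x509" tools (OpenSSL conf syntax: "#"
# comments, "$var" / "$ENV::var" substitution, "@section" references).
#
# This is based on the default OpenSSL configuration file which is
# licensed with the following license:
#
# Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in
#    the documentation and/or other materials provided with the
#    distribution.
#
# 3. All advertising materials mentioning features or use of this
#    software must display the following acknowledgment:
#    "This product includes software developed by the OpenSSL Project
#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
#
# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
#    endorse or promote products derived from this software without
#    prior written permission. For written permission, please contact
#    openssl-core@openssl.org.
#
# 5. Products derived from this software may not be called "OpenSSL"
#    nor may "OpenSSL" appear in their names without prior written
#    permission of the OpenSSL Project.
#
# 6. Redistributions of any form whatsoever must retain the following
#    acknowledgment:
#    "This product includes software developed by the OpenSSL Project
#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
#
# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
# OF THE POSSIBILITY OF SUCH DAMAGE.
# ====================================================================
#
# This product includes cryptographic software written by Eric Young
# (eay@cryptsoft.com). This product includes software written by Tim
# Hudson (tjh@cryptsoft.com).
#

# Base for relative paths and for the legacy RANDFILE setting below.
HOME = .
# RANDFILE is ignored by OpenSSL >= 1.1.1 (the CSPRNG no longer needs a
# seed file); it is kept only so older toolkits can still read this fixture.
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
# The default ca section
default_ca = CA_default

####################################################################
[ CA_default ]
# Where everything is kept.
# NOTE: /tmp is world-writable, so this layout is only acceptable for a
# throwaway test CA. A real CA directory - above all $dir/private - must be
# owned by and writable only by the CA operator.
dir = /tmp/ca
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# default place for new certs
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The CA private key
private_key = $dir/private/cakey.pem
# private random number file (unused by OpenSSL >= 1.1.1, see RANDFILE above)
RANDFILE = $dir/private/.rand

# The extensions to add to issued certs
x509_extensions = usr_cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default

# Extension copying option: use with caution.
# With "copy" the CSR's own extensions are carried into the certificate, so a
# requester can choose basicConstraints, keyUsage or subjectAltName unless
# the signing section overrides every one of them. Leave this disabled.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

# how long to certify for (days)
default_days = 365
# how long before next CRL (days)
default_crl_days = 30
# which message digest to sign with.
# SHA-1 was changed to SHA-256: OpenSSL 3.x rejects SHA-1 certificate
# signatures at its default security level, so certs signed with sha1 would
# not verify on a current toolkit.
# NOTE(review): any test that pins "sha1WithRSAEncryption" as the expected
# signature algorithm needs the expectation updated to match.
default_md = sha256
# keep passed DN ordering
preserve = no

# policy_anything only requires a commonName and accepts every other DN
# field as supplied - fine for a test CA, far too permissive for a real one.
policy = policy_anything

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# RSA key size for "openssl req -newkey".
# Raised from 1024 to 2048: OpenSSL 3.x rejects RSA keys below 2048 bits at
# its default security level, and 1024-bit RSA is below every current
# minimum, so keys generated from the old value were unusable.
default_bits = 2048
# NOTE: /tmp is shared and world-writable; only acceptable for test keys.
default_keyfile = /tmp/privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca
# nombstr emits PrintableString/T61String only (no UTF8String/BMPString).
# Kept as-is because the non-ASCII names in [ dir_example ] are presumably
# expected in that encoding by the tests - TODO confirm before switching to
# utf8only, which is the right choice for anything that is not a fixture.
string_mask = nombstr
# The extensions to add to a certificate request
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = San Mateo
# "0." prefix keeps the key unique should a second organizationName be added
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Genius.com Inc
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = NetOps
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

# Fixture: an unknown extension marked critical. A conforming verifier must
# reject a certificate carrying an unrecognised critical extension
# (RFC 5280 4.2).
[ unsupported_cert ]
# Just a made-up OID
1.2.3.4.99999.1.2.3.4 = critical,ASN1:FORMAT:BITLIST,BITSTRING:0,1,2

# Fixture: critical keyUsage with only the key-agreement bits set.
[ keyUsage_critical_cert ]
basicConstraints=CA:FALSE
keyUsage = critical, decipherOnly, keyAgreement

# Fixture: a keyUsage bit string longer than the nine bits RFC 5280 defines
# (bits 9 and 10 have no meaning); encoded raw on purpose.
[ keyUsage_extraLong_cert ]
keyUsage=ASN1:FORMAT:BITLIST,BITSTRING:0,1,2,3,4,5,6,7,8,9,10

# Fixture: keyUsage with repeated names. Each name just sets the same bit
# again, so the encoded value is the union of the distinct bits; the
# repetition is left as written since it appears to exercise the parser.
[ keyUsage_cert ]
basicConstraints=CA:FALSE
keyUsage = encipherOnly, keyEncipherment, dataEncipherment, keyCertSign, cRLSign, cRLSign, keyEncipherment, dataEncipherment, keyCertSign, cRLSign

# Fixture: extendedKeyUsage with an arbitrary (unassigned) purpose OID.
[ extendedKeyUsage_cert ]
extendedKeyUsage=1.2.3.4

# Fixture: pathlen on a non-CA certificate. RFC 5280 4.2.1.9 says
# pathLenConstraint is meaningful only when cA is TRUE; verifiers should
# ignore it here.
[ userWithPathLen_cert ]
basicConstraints=CA:false,pathlen:10

# Fixture: CA certificate. basicConstraints is deliberately left
# non-critical here; RFC 5280 4.2.1.9 requires it to be critical in
# conforming CA certificates, so do not copy these sections for a real CA.
[ ca_cert ]
basicConstraints=CA:true

[ caWithPathLen_cert ]
basicConstraints=CA:true,pathlen:10

# Fixture: a malformed iPAddress GeneralName (one octet; a valid address is
# 4 or 16 octets). Built with the raw ASN.1 syntax because the iPAddress
# shortcut would refuse to encode it.
[ invalid_ip_cert ]
subjectAltName = ASN1:SEQUENCE:invalid_ip_SEQ
issuerAltName = ASN1:SEQUENCE:invalid_ip_SEQ

[ invalid_ip_SEQ ]
# GeneralName iPAddress is context tag [7] IMPLICIT OCTET STRING
IP.1 = IMPLICIT:7,FORMAT:HEX,OCTETSTRING:0A

# Fixture: a 16-octet iPAddress GeneralName (IPv6 2001:db8::ff00:42:8329).
[ ipv6_cert ]
subjectAltName = ASN1:SEQUENCE:ipv6_SEQ
issuerAltName = ASN1:SEQUENCE:ipv6_SEQ

[ ipv6_SEQ ]
IP.1 = IMPLICIT:7,FORMAT:HEX,OCTETSTRING:20010DB8000000000000FF0000428329

# Default end-entity profile used by [ CA_default ] x509_extensions.
[ usr_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
nsComment = "X.509 Unit Test"
subjectAltName = @alt_names
issuerAltName = @alt_names
# subjectAltName = ASN1:SEQUENCE:raw_alt_names

# Fixture: no extensions at all (no subjectAltName).
[ alt_none_cert ]

# One GeneralName of each kind the shortcut syntax supports.
[ alt_names ]
otherName.0 = 1.2.3.4;UTF8:test1
email.0 = x509@example.com
DNS.0 = x509.example.com
dirName.0 = dir_example
URI.0 = http://www.example.com/?q=awesomeness
IP.0 = 192.168.0.1
RID.0 = 1.2.3.4

# Single-GeneralName fixtures, one per kind.
[ alt_other_cert ]
subjectAltName = otherName:1.2.3.4;UTF8:test1

[ alt_email_cert ]
subjectAltName = email:x509@example.com

[ alt_dns_cert ]
subjectAltName = DNS:x509.example.com

[ alt_dirname_cert ]
subjectAltName = dirName:dir_example

[ alt_uri_cert ]
subjectAltName = URI:http://www.example.com/?q=awesomeness

[ alt_rid_cert ]
subjectAltName = RID:1.2.3.4

# Raw ASN.1 for the GeneralName kinds the shortcut syntax cannot express:
# ediPartyName is context tag [5], x400Address is [3] (RFC 5280 4.2.1.6).
# Only used when the raw_alt_names line in [ usr_cert ] is enabled.
[ raw_alt_names ]
ediPartyName = IMPLICIT:5,SEQUENCE:ediPartyName_SEQ
x400 = IMPLICIT:3,SEQUENCE:x400_SEQ

[ x400_SEQ ]
BuiltInStandardAttributes = SEQUENCE:x400_BuiltInStandardAttributes_SEQ

[ x400_BuiltInStandardAttributes_SEQ ]
PersonalName=IMPLICIT:5,SET:x400_PersonalName_SET

[ x400_PersonalName_SET ]
Surname=IMPLICIT:0,PRINTABLESTRING:Root
GivenName=IMPLICIT:1,PRINTABLESTRING:Kenny

[ ediPartyName_SEQ ]
partyName = IMPLICIT:1,PRINTABLESTRING:Joe

# Directory name used by the dirName entries above. Contains non-ASCII
# attribute values, and CN appears twice; a dirName section is read as an
# ordered list of entries, so presumably both CN RDNs are emitted - verify
# against the tests that decode it.
[ dir_example ]
C=US
O=Awesome Dudes
OU=Über Frîends
CN=example X.509
CN=∆ƒ

# Extensions placed in certificate requests.
# The duplicate "basicConstraints=CA:FALSE" line was dropped: a certificate
# may carry each extension at most once (RFC 5280 4.2), and the two lines
# had the same value anyway.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
issuerAltName = @alt_names
nsComment = "X.509 Unit Test"

# Extensions for the self-signed CA certificate made by "openssl req -x509".
# basicConstraints is not marked critical; RFC 5280 4.2.1.9 requires that
# for conforming CA certificates, so use "critical,CA:true" outside tests.
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

# CRL extensions (only applied when crl_extensions is enabled above).
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always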