oid_section = new_oids [ new_oids ] pkkdcekuoid = 1.3.6.1.5.2.3.5 [ca] default_ca = user [usr] database = index.txt serial = serial x509_extensions = usr_cert default_md=sha1 policy = policy_match certs = . [ocsp] database = index.txt serial = serial x509_extensions = ocsp_cert default_md=sha1 policy = policy_match certs = . [usr_ke] database = index.txt serial = serial x509_extensions = usr_cert_ke default_md=sha1 policy = policy_match certs = . [usr_ds] database = index.txt serial = serial x509_extensions = usr_cert_ds default_md=sha1 policy = policy_match certs = . [pkinit_client] database = index.txt serial = serial x509_extensions = pkinit_client_cert default_md=sha1 policy = policy_match certs = . [pkinit_kdc] database = index.txt serial = serial x509_extensions = pkinit_kdc_cert default_md=sha1 policy = policy_match certs = . [https] database = index.txt serial = serial x509_extensions = https_cert default_md=sha1 policy = policy_match certs = . [subca] database = index.txt serial = serial x509_extensions = v3_ca default_md=sha1 policy = policy_match certs = . [ req ] distinguished_name = req_distinguished_name x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = utf8only [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature [ usr_cert ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier = hash [ usr_cert_ke ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, keyEncipherment subjectKeyIdentifier = hash [ proxy_cert ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier = hash proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo [pkinitc_princ_name] realm = EXP:0, GeneralString:TEST.H5L.SE principal_name = EXP:1, SEQUENCE:pkinitc_principal_seq [ pkinit_client_cert ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier = hash subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name [pkinitc_principal_seq] name_type = EXP:0, INTEGER:1 name_string = EXP:1, SEQUENCE:pkinitc_principals [pkinitc_principals] princ1 = GeneralString:bar [ https_cert ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment #extendedKeyUsage = https-server XXX subjectKeyIdentifier = hash [ pkinit_kdc_cert ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = pkkdcekuoid subjectKeyIdentifier = hash subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name [pkinitkdc_princ_name] realm = EXP:0, GeneralString:TEST.H5L.SE principal_name = EXP:1, SEQUENCE:pkinitkdc_principal_seq [pkinitkdc_principal_seq] name_type = EXP:0, INTEGER:1 name_string = EXP:1, SEQUENCE:pkinitkdc_principals [pkinitkdc_principals] princ1 = GeneralString:krbtgt princ2 = GeneralString:TEST.H5L.SE [ proxy10_cert ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier = hash proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo [ usr_cert_ds ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature subjectKeyIdentifier = hash [ ocsp_cert ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment # ocsp-nocheck and kp-OCSPSigning extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9 subjectKeyIdentifier = hash [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = SE countryName_min = 2 countryName_max = 2 organizationalName = Organizational Unit Name (eg, section) commonName = Common Name (eg, YOUR name) commonName_max = 64 #[ req_attributes ] #challengePassword = A challenge password #challengePassword_min = 4 #challengePassword_max = 20 [ policy_match ] countryName = match commonName = supplied