openssl/test/ca-and-certs.cnf


# Comment out the next line to ignore configuration errors
config_diagnostics = 1

CN2 = Brother 2

####################################################################
[ req ]
distinguished_name	= req_distinguished_name
encrypt_rsa_key		= no
default_md		= sha1

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_value		= AU
organizationName		= Organization Name (eg, company)
organizationName_value		= Dodgy Brothers
commonName			= Common Name (eg, YOUR name)
commonName_value		= Dodgy CA

####################################################################
[ userreq ]
distinguished_name	= user_dn
encrypt_rsa_key		= no
default_md		= sha256
prompt			= no

[ user_dn ]
countryName		= AU
organizationName	= Dodgy Brothers
0.commonName		= Brother 1
1.commonName		= $ENV::CN2

[ empty ]

[ v3_ee ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid,issuer:always
basicConstraints 	= CA:false
keyUsage		= nonRepudiation, digitalSignature, keyEncipherment

[ v3_ee_dsa ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always
basicConstraints	= CA:false
keyUsage		= nonRepudiation, digitalSignature

[ v3_ee_ec ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always
basicConstraints	= CA:false
keyUsage		= nonRepudiation, digitalSignature, keyAgreement

####################################################################
[ ca ]
default_ca	= CA_default

[ CA_default ]
dir		= ./demoCA
certs		= $dir/certs
crl_dir		= $dir/crl
database	= $dir/index.txt
new_certs_dir	= $dir/newcerts
certificate	= $dir/cacert.pem
serial		= $dir/serial
crl		= $dir/crl.pem
private_key	= $dir/private/cakey.pem
x509_extensions	= v3_ca
name_opt 	= ca_default
cert_opt 	= ca_default
default_days	= 365
default_crl_days= 30
default_md	= sha1
preserve	= no
policy		= policy_anything

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ v3_ca ]
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer:always
basicConstraints 	= critical,CA:true,pathlen:1
keyUsage		= cRLSign, keyCertSign
issuerAltName		= issuer:copy
Cleanup cert config files for tests Merge test/P[12]ss.cnf into one config file Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf Remove Netscape cert extensions, add keyUsage comment from some cnf files Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11347) 2020-03-05 03:08:31 +08:00
Add config_diagnostics to our configuration files. The change to a more configuration based approach to enable FIPS mode operation highlights a shortcoming in the default should do something approach we've taken for bad configuration files. Currently, a bad configuration file will be automatically loaded and once the badness is detected, it will silently stop processing the configuration and continue normal operations. This is good for remote servers, allowing changes to be made without bricking things. It's bad when a user thinks they've configured what they want but got something wrong and it still appears to work. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16171) 2021-07-29 07:55:09 +08:00			`# Comment out the next line to ignore configuration errors`
			`config_diagnostics = 1`

Cleanup cert config files for tests Merge test/P[12]ss.cnf into one config file Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf Remove Netscape cert extensions, add keyUsage comment from some cnf files Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11347) 2020-03-05 03:08:31 +08:00			`CN2 = Brother 2`

			`####################################################################`
			`[ req ]`
			`distinguished_name = req_distinguished_name`
			`encrypt_rsa_key = no`
			`default_md = sha1`

			`[ req_distinguished_name ]`
			`countryName = Country Name (2 letter code)`
			`countryName_value = AU`
			`organizationName = Organization Name (eg, company)`
			`organizationName_value = Dodgy Brothers`
			`commonName = Common Name (eg, YOUR name)`
			`commonName_value = Dodgy CA`

			`####################################################################`
			`[ userreq ]`
			`distinguished_name = user_dn`
			`encrypt_rsa_key = no`
			`default_md = sha256`
			`prompt = no`

			`[ user_dn ]`
			`countryName = AU`
			`organizationName = Dodgy Brothers`
			`0.commonName = Brother 1`
			`1.commonName = $ENV::CN2`

APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19271) 2022-09-25 05:59:12 +08:00			`[ empty ]`

Cleanup cert config files for tests Merge test/P[12]ss.cnf into one config file Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf Remove Netscape cert extensions, add keyUsage comment from some cnf files Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11347) 2020-03-05 03:08:31 +08:00			`[ v3_ee ]`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid,issuer:always`
			`basicConstraints = CA:false`
			`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`

			`[ v3_ee_dsa ]`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always`
			`basicConstraints = CA:false`
			`keyUsage = nonRepudiation, digitalSignature`

			`[ v3_ee_ec ]`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always`
			`basicConstraints = CA:false`
			`keyUsage = nonRepudiation, digitalSignature, keyAgreement`

			`####################################################################`
			`[ ca ]`
			`default_ca = CA_default`

			`[ CA_default ]`
			`dir = ./demoCA`
			`certs = $dir/certs`
			`crl_dir = $dir/crl`
			`database = $dir/index.txt`
			`new_certs_dir = $dir/newcerts`
			`certificate = $dir/cacert.pem`
			`serial = $dir/serial`
			`crl = $dir/crl.pem`
			`private_key = $dir/private/cakey.pem`
			`x509_extensions = v3_ca`
			`name_opt = ca_default`
			`cert_opt = ca_default`
			`default_days = 365`
			`default_crl_days= 30`
			`default_md = sha1`
			`preserve = no`
			`policy = policy_anything`

			`[ policy_anything ]`
			`countryName = optional`
			`stateOrProvinceName = optional`
			`localityName = optional`
			`organizationName = optional`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`[ v3_ca ]`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always,issuer:always`
			`basicConstraints = critical,CA:true,pathlen:1`
			`keyUsage = cRLSign, keyCertSign`
			`issuerAltName = issuer:copy`