openssl.cnf
The content of the openssl.cnf file includes three parts: default file configuration, certificate request configuration and certificate issuance configuration. In addition, you can also configure the extensions of the X.509 certificate, and you can also use the configuration mechanism when using the OpenSSL function library
Default configuration
The first section is the default section. Generally, there is no section_name, but not necessarily. You can customize the one with a name.
Some common attributes are defined in the default segment. When searching for a segment with a given name, the segment with the name will be searched first, and the default segment will be searched when no matching segment is found.
Following are the contents of the default section.
HOME = . #Current directory variable RANDFILE = $ENV::HOME/.rnd #Random file path variable oid_section = new_oids #Point to [new_oids] section [ new_oids ] tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7
Certificate Request Configuration Fields
Certificate request main configuration field [ req ]
- Example:
[ req ] default_bits = 2048 # The key length of the private key used when generating the certificate request default_md = sha1 # one-way encryption algorithm when signing certificate requests default_keyfile = privkey.pem # Default newly created private key storage location, if -new option does not specify -key, the private key will be automatically created -newkey option will also automatically create the private key distinguished_name = req_distinguished_name # The identifiable field name (often referred to as DN) refers to the setting of the req_distinguished_name section x509_extensions = v3_ca #Extensions added to the self-signed certificate # req_extensions = v3_req /* extensions added to the certificate request */ attributes = req_attributes # The attributes of the certificate request, refer to the setting of the req_attributes section, it is not necessary to set it # encrypt_key = yes | no # Whether the automatically generated private key file should be encrypted or not is generally set to no, which is equivalent to the -nodes option to input and output the password of the private key file. If the private key file has a password, if you do not write this setting, you will be prompted enter # prompt = yes | no /* If set to no, the DN field will not be prompted, but will be read directly from the configuration file. You need to set the default value of DN at the same time, otherwise an error will occur when creating a certificate request. */ string_mask = utf8only #The character type only uses UTF8
- Other parameters:
input_password #Read the password of the private key file output_password #Read the password of the private key file oid_file #Extended object file name oid_section #extended object field name RANDFILE #random number seed file
Characteristic name field [ req_distinguished_name ]
It is specified by distinguished_name in the req field, and contains the main information of the user, including country, province, city, organization, and name. The sum of all information in this field is called “feature name”.
Example:
[ req_distinguished_name ] # The following items can be specified or not, but match and supplied must be specified in the policy of the ca section #The following options can be customized, such as countryName = C, commonName = CN countryName = Country Name (2 letter code) # country name (C) countryName_default = XX # default country name countryName_min = 2 # The minimum character length of the filled country name countryName_max = 2 # The maximum character length of the filled country name stateOrProvinceName = State or Province Name (full name) # Province (S) #stateOrProvinceName_default = Default Province localityName = Locality Name (eg, city) #City (LT) localityName_default = Default City 0.organizationName = Organization Name (eg, company) #Company (ON) 0.organizationName_default = Default Company Ltd organizationalUnitName = Organizational Unit Name (eg, section) # Department (OU) #organizationalUnitName_default = #The following commonName (CN) generally must be given, if it is used as a CA, then it is necessary to define CN = supplied in the policy of the ca #CN defines the domain name or subdomain name or host name that will apply for the SSL certificate. #For example, if you want to apply for an ssl certificate for zhonghua.com, fill in zhonghua.com instead of www.zhonghua.com #To apply for SSL for www.zhonghua.com, fill in www.zhonghua.com #CN must be the same as the address of the website to be visited, otherwise a warning will be given when visiting #This item must be filled in correctly, otherwise the CN in the certificate after the request is signed does not correspond to the CN in the actual environment, and the certificate service will not be provided commonName = Common Name (eg, your name or your server's hostname) # host name (CN) commonName_max = 64 emailAddress = Email Address # Email address, this item is not needed in many cases emailAddress_max = 64
Certificate request attribute field [ req_attributes ]
Specified by the attributes in the req field, it defines the attributes that may be used when the CA issues.
[ req_attributes ] #This section is set for the running needs of some specific software, #No need to provide challengepassword now, so this section is almost useless and don't care about this section challengePassword = A challengepassword challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name
Certificate request extension fields
[ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints = CA: true # keyUsage = cRLSign, keyCertSign Typical CA certificate usage settings, commented for test use #If you really need to apply for C, then this setting can be configured like this
Certificate Issuance Configuration
Certificate Issuance Master Configuration [ ca ]
Example:
[ CA_default ] dir = /etc/pki/CA # Where everything is kept #### This is the first directory in the openssl directory structure certs = $dir/certs # Where the issued certs are kept (issued certificate path, ie CA or self-signed) */ #### This is the directory in the second openssl directory structure, but not required crl_dir = $dir/crl # Where the issued crl are kept (issued crl storage directory) #### This is the directory in the third openssl directory structure database = $dir/index.txt #database index file #unique_subject = no /* If it is set to yes, the subject column in the database file cannot have duplicate values, that is, the same certificate or certificate request signature cannot be signed for the same subject. It is recommended to set it to no, but in order to maintain the compatibility of the old version, the default is yes new_certs_dir = $dir/newcerts # default place for new certs (storage path for certificates issued in the future) #### This is the fourth directory in the openssl directory structure certificate = $dir/cacert.pem # The A certificate (CA's own certificate file) serial = $dir/serial # The current serial number (the file that provides the serial number) crlnumber = $dir/crlnumber # the current crl number (current crl serial number) crl = $dir/crl.pem # The current CRL (current CRL) private_key = $dir/private/cakey.pem # The private key (the private key required for signing, that is, the CA's own private key) RANDFILE = $dir/private/.rand # private random number file (a file that provides random number seeds) x509_extensions = usr_cert #The extensions to add to the cert (extensions added to the certificate) #The following two lines are about the display format of the certificate. Although they are not required, they are recommended settings. Generally, the following format does not need to be modified name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # The following are the copy_extensions extensions, which should be used with caution # copy_extensions = copy #The copy behavior of extensions when generating certificates can be set to none/copy/copyall. If the name is not set, the default is none. It is recommended to set it to none or not to set it for simple use, and it is strongly recommended not to set it to copyall # crl_extensions = crl_ext default_days = 365 # how long to certify for (default certificate validity period) default_crl_days= 30 # how long before next CRL (validity period of CRL) default_md = default # use public key default MD (default digest algorithm) preserve = no # keep passed DN ordering (Distinguished Name order, generally set to no and set to yes only for compatibility with old versions of IE) policy = policy_match #Certificate matching strategy, here refers to the strategy of [policy_match] # The certificate matching policy defines the matching rules for the DN field (field) of the certificate request and the CA certificate when it is signed by the CA # For CA certificate requests, these matching rules must be exactly the same as the parent CA
Other parameters:
default_startdate #Certificate effective date default_enddate #Certificate expiration date default_crl_bours #The time interval between the current crl and the next crl release, in hours seriafile #Certificate issuance serial number reference file email_in_dn = yes|no # put email information in/remove DNS domain nameopt #Certificate DNS domain display mode The value is the same as x509 -nameopt certopt #Certificate domain display mode The value is the same as x509 -certopt, default no_sig_name no_sigdump copy_extensions #Whether the certificate request extension is added to the certificate extension value none copy copyall
UTCTime format:
Example:
YYMMDDHHNNSSZ #YY two-digit year eg: 1999 --- 99 MM month eg: August --- 08 DD date eg: 23rd --- 23 HH hour eg: 13 o'clock --- 13 NN minute eg: 50 minutes ---50 SS seconds eg:24 seconds ---24 Z character end symbol
Request information matching policy field [ policy_match ]
Specified by the policy parameter of the CA main configuration field, this field contains the name associated with the certificate Distinguished Name (DN) field. Variable values may be match, optional, supplied.
[ policy_match ] countryName = match # match means that the field information filled in the request should match the one in the CA certificate stateOrProvinceName = match organizationName = match organizationalUnitName = optional # optional means that the field information can be provided or not commonName = supplied # supplied means that the field information must be provided emailAddress = optional # For the 'anything' policy #At this point in time, you must list all acceptable 'object' types.
Extended field items
#The following are policy extensions that are not quoted, as long as they are not quoted, they will be ignored [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional # The following is the content of the added extension usr_cert [ usr_cert ] basicConstraints=CA:FALSE # Basic constraints, CA:FALSE means that the certificate cannot be used as a CA certificate, that is, it cannot issue certificates to others #keyUsage = critical,keyCertSign,cRLSign # Specify the purpose of the certificate, that is, limit the usage of the certificate #Except for the above two extensions that may be modified, leave the rest of the extensions alone, as shown below nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier = keyid, issuer
X.509 v3 extension
Description string extension
Parameter value field: URL string
nsBaseUrl #Netscape base URL nsRevoationUrl #Netscape revocation URL nsCaRevocationUrl # Netscape CA revocation URL nsRenewalUrl # Netscape update URL nsCaPolicyUrl #Netscape CA policy URL
nsCertType certificate type extension
Netscape Defines Certificate Usage Extensions
client #for client certificate server #for server certificate email #Certificate of user E-mail security protocol objsign #Certificate for signing sslCA #CA certificate used to issue SSL user certificates emailCA #CA certificate used to issue E-mail user certificates objCA #CA certificate used to issue user-signed certificates reserved #Reserved value
keyUsage key usage extension
PKIX custom extensions used to limit the use of keys in certificates
digitalSipnature #The key used for digital signature nonRepudiation #The key used to provide non-repudiation services, generally used by third-party impartial agencies keyEncipherment #Used to encrypt other keys or related security information, it can be used for secure key transmission dataEncipherment #The key used to encrypt user data keyAgreement #The key used to agree or establish the key needed for further operations keyCertSign #The key used to verify the signature of the certificate, that is, the public key of the CA, which is only valid in the CA certificate cRISign #The key used to verify the CA's signature on the CRL encipherOnly #The key is only used for encryption decipherOnly #The key is only used for decryption
basicConstraints basic constraints extension
Certificate extensions defined by PKIX, the value range includes CA parameters and pathlen
#basicConstraints=CA:FALSE means the issued user certificate #basicConstraints=critical,CA:TRUE indicates the certificate that issued the certificate, and the CA certificate #pathlen is only valid for CA (and when CA:TRUE), indicating how many levels of CA certificates can appear under CA #basicConstraints=CA:TRUE,pathlen:0 means that CA can only issue end-user certificates and cannot issue lower-level certificates
extendedKeyUsage extended key extension
Allow users to add additional key application information, users can add their own defined objects and corresponding information to the extendedKeyUsage list
serverAuth #for SSL/TLS web server authentication clientAuth #for SSL/TLS web client authentication codeSigning #for code signing emailProtection #for S/MIME protocol E-mail protection limeStamping #for S/MIME protocol E-mail protection msCodelnd #for Microsoft-specific code signature (verification code) msCodeCom #For Microsoft commercial code signing (verification code) msCTLSign #for Microsoft trust list signature mssGc #For Microsoft server login encryption msEFS #for Microsoft Encrypted File System nssGC #for Netsacpe server login encryption
subjectKeyIdentifier subject key identifier extension
Used to specify which key set the key belongs to when the certificate subject has multiple key sets.
subjectKeyIdentifier=hash
authorityKeyIdentifier authentication authority key identifier extension
It is used to identify the certificate and key of the issuing authority when constructing a certificate chain. The key identification of the verification authority in the certificate is divided into three parts: the key ID (keyID), the DN of the verification authority, and the serial number of the CA certificate.
subjectAltName subject alias extension
Provides a more flexible naming method for the certificate. In theory, it can include information such as IP address, URL, email, DNS domain name, RID (registered object identifier) and IP address as the subject alias.
subjectAltName=email:copy,email:[email protected],URL:http://www.OpenSSL.cn/
issuerAltName issuer alias extension
Different forms of naming methods are provided for the issuer. The form adopted is similar to subjectAltName. It supports all parameters of subjectAltName, but does not support the copy value of the email parameter.
issuerAltName=issure:copy #All aliases in the certificate issuer subject alias will be copied to the issuer alias extension of the newly issued certificate
authorityInfoAccess verification authority information processing extension
Gives details on how to handle CA-related information.
crlDistributionPoints CRL distribution point extension
Used to indicate the publishing site where users need to look up CRL (Certificate Revocation List) information in order to verify certificate revocation status.
certificatePolicies certificate policy extension
Define certificate application policies, such as certificate verification policies.
other:
nsSslServerName #Netscape SSL server name nsComment #Certificate comment description nsCertType #server/email/objsign/reserved/ssICA/emailCA/objCA defines the purpose of the certificate, and its value can be one or more parameters in the value field keyUsage #Define the usage of the secret code for the certificate application. Its value can be one or more of the parameters in the value field basicConstraints #The basic restriction extension of the fixed text certificate, so that the CA certificate can be correctly identified and its path length is limited. "n" in the parameter field is a non-negative integer, indicating the length of the certificate path extendedKeyUsage #User-defined key application information, currently PKIX, Microsolt and Netscpe have defined some subjectKeyldentifier #Subject key identifier, if the value is hash, the subject identifier will be automatically generated using the method specified by PKIX authorityKeyldentifier #Verification agency key identification, generally including issuing key-ID, issuing agency and CA certificate serial number subjcctAltName #subject alias. Certificates can be named in a more flexible manner issureAltName # issuer principal alias authorityInfoAccess #location is one of all values in subjectAltName except email/copy, and accessOID can theoretically identify all valid objects erlDistribution-Points #Verify the CRL publishing site of the certificate product sales status, where location is the URL certificatePolicies #Certificate policy extension, set certificate policy extension identifier and qualifier list
Description of some abbreviations
# MD : MD digest algorithm # DN : Distinguished Name (characteristic name) # CRL : Certificate Revocation List (Certificate Revocation List) # RID : Registered object identification