OpenSSL master configuration file openssl.cnf

Source: Internet
Author: User
Tags: random seed, custom name, ssl certificate

1. man config

This manual page describes the specification, format and lookup rules of openssl.cnf and of some other auxiliary configuration files. Unless stated otherwise, the explanations below use openssl.cnf as the example.

# whatis config
config (3pm)              - access Perl configuration information
config (5ssl)             - OpenSSL CONF library configuration files
Config::Extensions (3pm)  - hash lookup of which core extensions were built
config.guess [config] (1) - guess the build system triplet
config [openssl] (5ssl)   - OpenSSL CONF library configuration files
config.sub [config] (1)   - validate and canonicalize a configuration triplet
config-util (5)           - Common PAM configuration file for configuration utilities

The configuration file openssl.cnf is divided into sections, each introduced by a section name in square brackets, "[section_name]". The section_name may contain letters, numbers and underscores.

The first section is treated as the default section; it normally (but not necessarily) has no "[section_name]" header. When a name is looked up, the named section is searched first and then the default section; if no matching named section exists, the default section is read directly.

Comments in the configuration file begin with "#". Each section holds names and their values in the format name=value; leading and trailing spaces in name and value are ignored, so to include spaces in a value, enclose it in quotation marks.

The name part may contain letters, numbers and some punctuation marks, such as ".", ",", ";" or "_".

Variable expansion can be used in the value part. Variables may be defined in every section, and by default a section's variables are only visible within that section. A variable reference has one of two forms, "$var" or "${var}". To refer to a variable or name in another section, use "$section_name::name" or "${section_name::name}".

The value part may also point to another section (the oid_section entry below is an example).

The backslash "\" is the escape character: it escapes the quote characters and the backslash itself, and a "\" at the end of a line continues the value on the next line (multi-line mode). In addition the escapes \r, \b and \t are recognised.
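To see how the rules above fit together, here is a small parser for this format, written as an added illustration for this article; it is not OpenSSL's own parser (that lives in crypto/conf/conf_def.c), and the sample configuration embedded in it is constructed for the demonstration. It handles bracketed sections, the header-less default section, "#" comments, quoting, the backslash escapes and line continuation, and "$var", "${var}" and "$section::name" references, resolved in the current section first, then the ENV pseudo-section, then the default section:

```python
"""Minimal parser for the openssl.cnf format (added example, not OpenSSL's code)."""
import os
import re
from typing import Dict

# Constructed sample input (not the page's own example); it exercises every rule above.
SAMPLE_CNF = r'''
# Lines before the first [header] form the default section.
HOME = /tmp/demo
RANDFILE = ${HOME}/.rnd
oid_section = new_oids

[ section_one ]
# Quotes preserve leading and trailing whitespace.
any = " any variable name "
other = a string that can \
cover several lines \
by including \\ characters
message = Hello World\n
quoted = He said \"hi\"

[ section_two ]
greeting = $section_one::message
certs = $HOME/certs
'''

Conf = Dict[str, Dict[str, str]]

_ESCAPES = {"n": "\n", "r": "\r", "b": "\b", "t": "\t"}
_VAR_RE = re.compile(r"\$\{(?:(?P<s1>\w+)::)?(?P<n1>\w+)\}|\$(?:(?P<s2>\w+)::)?(?P<n2>\w+)")


def lookup(conf: Conf, section: str, name: str) -> str:
    """Resolve a name: the named section first, then ENV (environment), then default."""
    if name in conf.get(section, {}):
        return conf[section][name]
    if section == "ENV" and name in os.environ:
        return os.environ[name]
    if name in conf["default"]:
        return conf["default"][name]
    raise KeyError(f"variable has no value: {section}::{name}")


def _expand(raw: str, conf: Conf, section: str) -> str:
    """Strip quotes, apply escapes and expand $ references in one (already stripped) value."""
    out, i, quote = [], 0, None
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):           # \x escapes work inside and outside quotes
            out.append(_ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
        elif quote and c == quote:                   # closing quote
            quote, i = None, i + 1
        elif quote:                                  # inside quotes: spaces and $ are literal
            out.append(c)
            i += 1
        elif c in "\"'":                             # opening quote
            quote, i = c, i + 1
        elif c == "$" and (m := _VAR_RE.match(raw, i)):
            sec = m.group("s1") or m.group("s2") or section
            out.append(lookup(conf, sec, m.group("n1") or m.group("n2")))
            i = m.end()
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _logical_lines(text: str):
    """Join physical lines that end in an unescaped backslash (multi-line values)."""
    pending = ""
    for line in text.splitlines():
        joined = pending + line
        if joined.endswith("\\") and not joined.endswith("\\\\"):
            pending = joined[:-1]
            continue
        yield joined
        pending = ""
    if pending:
        yield pending


def parse_cnf(text: str) -> Conf:
    """Parse into {section: {name: expanded value}}; values are expanded as they are read."""
    conf: Conf = {"default": {}}
    section = "default"
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):         # blank lines and whole-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        name, _, value = line.partition("=")
        conf[section][name.strip()] = _expand(value.strip(), conf, section)
    return conf


if __name__ == "__main__":
    for sec, entries in parse_cnf(SAMPLE_CNF).items():
        for name, value in entries.items():
            print(f"[{sec}] {name} = {value!r}")
```

Running the file prints every expanded value; note that "$HOME" inside section_two resolves through the default section because section_two defines no HOME of its own, while "$" inside quotes stays literal.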

The following example shows these features in use:

@section_three
$section_one::message

2. /etc/pki/tls/openssl.cnf

This file mainly configures certificate requests, signing and CRL handling; the main subcommands that read it are ca and req. The x509 subcommand does not use this configuration file.

Functionally the file is divided into 4 parts: the default section, the CA-related sections, the req-related sections and the TSA-related sections. Every section is written in the name=value format.

Sections that nothing in the file references are ignored and play no role.

Which names each section may contain, and what they mean, is documented in the manual page of the related command: man ca lists the names the CA-related sections accept, and man req those the req-related sections accept.

(1). Default section

The first section is the default section. It usually has no section_name, but it need not be anonymous: a custom name can be given to it.

The default section defines a number of shared properties. When a name is looked up in a section of a given name, that named section is searched first, and the default section is searched only when no match is found there.

The following is the content of the default section.

HOME            = .
RANDFILE        = $ENV::HOME/.rnd
oid_section     = new_oids

Only two variables are defined: the current directory and the path of the random-seed file.

The last line, oid_section = new_oids, points to the [new_oids] section, shown next. An OID is an object identifier; what it is used for here I do not know, and I have not looked into it.

[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

(2). CA-related sections

These sections define the CA-related control options. Their contents follow; items highlighted in bold black are mandatory, and items highlighted in bold red are recommended settings or items you are advised to modify.

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
                                        # (the first directory of the OpenSSL directory structure)
certs           = $dir/certs            # Where the issued certs are kept (issued certificates,
                                        # CA-signed or self-signed); the second directory of the
                                        # structure, but not required
crl_dir         = $dir/crl              # Where the issued crl are kept (the third directory)
database        = $dir/index.txt        # database index file
#unique_subject = no                    # Set to 'yes' and the subject column of the database may
                                        # not contain duplicates, i.e. no two certificates or
                                        # requests with the same subject can be signed.
                                        # 'no' is recommended, but the default stays 'yes' for
                                        # compatibility with older versions
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate (the CA's own certificate file)
serial          = $dir/serial           # The current serial number (file that supplies serial numbers)
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key (the CA's own key, needed for signing)
RANDFILE        = $dir/private/.rand    # private random number file (provides the random seed)

x509_extensions = usr_cert              # The extentions to add to the cert

# The next two lines control how the certificate is displayed; not mandatory,
# but recommended, and generally left as they are.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution. Controls whether extensions from the
# request are copied into the certificate; leave unset, and never set 'copyall'.
# copy_extensions = copy

# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for (default certificate validity)
default_crl_days= 30                    # how long before next CRL (CRL validity)
default_md      = default               # use public key default MD (default digest algorithm)
preserve        = no                    # keep passed DN ordering (generally 'no';
                                        # 'yes' only for compatibility with old versions of IE)

policy          = policy_match          # certificate matching policy: refers to [ policy_match ]
# A policy states, for each DN field of a request, how it is checked against the CA
# certificate before signing; for a sub-CA request the rules must match the parent CA exactly.

[ policy_match ]
countryName             = match         # match: the value in the request must equal the CA's
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional      # optional: the field may be provided or left out
commonName              = supplied      # supplied: the field must be provided
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# Nothing references this policy, so it is ignored.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# The extensions added to issued certificates (usr_cert above).
[ usr_cert ]
basicConstraints=CA:FALSE               # CA:FALSE: the certificate cannot act as a CA,
                                        # i.e. it cannot issue certificates to others
# keyUsage = critical,keyCertSign,cRLSign   # limits what the certificate may be used for
                                        # (for an end-entity certificate the stock file suggests
                                        # nonRepudiation, digitalSignature, keyEncipherment)
# Apart from the two extensions above, the remaining ones can be left as they are:
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
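To make the policy rules concrete, the following is an added illustration, written in Python for this article rather than taken from OpenSSL (apps/ca.c) or from the author: it applies a policy section to a request subject the way the text describes, where match requires the request value to equal the CA certificate's, supplied requires the field to be present, and optional allows it to be absent. The CA subject and request subjects are constructed; it also shows the effect of preserve = no, under which the issued subject is rebuilt in policy order and fields the policy never mentions are dropped:

```python
"""Policy check as `openssl ca` applies [policy_*] to a request subject (added example)."""
from typing import Dict, List, Tuple

Subject = Dict[str, str]          # field short name -> value, e.g. {"C": "XX", "CN": "Root CA"}
Policy = List[Tuple[str, str]]    # (field, rule) in file order

# Constructed CA certificate subject.
CA_SUBJECT: Subject = {"C": "XX", "ST": "Default Province",
                       "O": "Default Company Ltd", "CN": "Root CA"}

# The two policies from the CA sections above, as (field, rule) pairs.
POLICY_MATCH: Policy = [("C", "match"), ("ST", "match"), ("O", "match"),
                        ("OU", "optional"), ("CN", "supplied"), ("emailAddress", "optional")]
POLICY_ANYTHING: Policy = [(f, "optional") for f in ("C", "ST", "L", "O", "OU")] + \
                          [("CN", "supplied"), ("emailAddress", "optional")]


def apply_policy(policy: Policy, ca_subject: Subject, req_subject: Subject,
                 preserve: bool = False) -> Tuple[bool, str, List[Tuple[str, str]]]:
    """Return (ok, reason, issued_subject).

    match    - field must be in the request and equal to the CA certificate's value
    supplied - field must be in the request, any value
    optional - field may be absent
    With preserve = no the issued subject is rebuilt in policy order, so request fields
    the policy never mentions are dropped; preserve = yes keeps the request subject as-is.
    """
    issued: List[Tuple[str, str]] = []
    for field, rule in policy:
        if rule not in ("match", "supplied", "optional"):
            return False, f"unknown policy rule {rule!r} for {field}", []
        value = req_subject.get(field)
        if value is None:
            if rule == "optional":
                continue
            return False, f"The {field} field needed to be supplied and was missing", []
        if rule == "match" and value != ca_subject.get(field):
            return False, (f"The {field} field is different between CA certificate "
                           f"({ca_subject.get(field)!r}) and the request ({value!r})"), []
        issued.append((field, value))
    if preserve:
        issued = list(req_subject.items())
    return True, "ok", issued


if __name__ == "__main__":
    # Constructed requests: one that conforms to the CA, one from a different organisation.
    good = {"C": "XX", "ST": "Default Province", "O": "Default Company Ltd",
            "OU": "Web", "L": "Somewhere", "CN": "www.example.test"}
    other_org = dict(good, O="Other Co")
    for name, req in (("good", good), ("other_org", other_org)):
        for pname, pol in (("policy_match", POLICY_MATCH), ("policy_anything", POLICY_ANYTHING)):
            ok, why, subj = apply_policy(pol, CA_SUBJECT, req)
            print(f"{name} under {pname}: {ok} ({why}) {subj}")
```

The output shows why policy_match is the safer default for a CA that only signs for its own organisation: the same request that is refused under policy_match because O differs is accepted under policy_anything, and the locality field L, which policy_match never lists, silently disappears from the issued subject unless preserve is turned on.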
(3). req-related sections
[ req ]
default_bits            = 2048          # key length of the private key generated for the request
default_md              = sha1          # one-way (digest) algorithm used to sign the request
default_keyfile         = privkey.pem   # default location of a newly created private key; a key
                                        # is created automatically when -new is given without -key,
                                        # and the -newkey option also creates one automatically
distinguished_name      = req_distinguished_name   # distinguished name (DN) fields; refers to
                                                   # the settings of the req_distinguished_name section
x509_extensions         = v3_ca         # extensions added to a self-signed certificate
# req_extensions = v3_req               # extensions added to the certificate request
attributes              = req_attributes # request attributes, from the req_attributes section; optional
# encrypt_key = yes | no                # encrypt the generated private key file? usually 'no',
                                        # which is equivalent to the -nodes option
# Passwords for the input and output private key files; if the key file has a
# password and these are not set, it is prompted for.
# input_password = secret
# output_password = secret
# prompt = yes | no                     # 'no': DN fields are not prompted for but read directly
                                        # from this file; the DN default values must then be set,
                                        # otherwise creating the request fails
string_mask = utf8only

[ req_distinguished_name ]
# The entries below may be left out, except those the CA policy marks as match or
# supplied, which must be present. The prompt strings can be customised, e.g.
# countryName = C, commonName = CN.
countryName                     = Country Name (2 letter code)     # country (C)
countryName_default             = XX                               # default country name
countryName_min                 = 2                                # minimum length of the value
countryName_max                 = 2                                # maximum length of the value
stateOrProvinceName             = State or Province Name (full name) # province (ST)
#stateOrProvinceName_default    = Default Province
localityName                    = Locality Name (eg, city)         # city (L)
localityName_default            = Default City
0.organizationName              = Organization Name (eg, company)  # company (O)
0.organizationName_default      = Default Company Ltd
organizationalUnitName          = Organizational Unit Name (eg, section) # department (OU)
#organizationalUnitName_default =
# commonName (CN) must normally be given; for a CA, the CA's policy defines CN = supplied.
# For an SSL certificate the CN is the domain, subdomain or hostname the certificate is
# requested for: for zhonghua.com enter zhonghua.com, not www.zhonghua.com; for
# www.zhonghua.com enter www.zhonghua.com. The CN must equal the address visitors use,
# otherwise the browser warns. Get this right: if the CN in the signed certificate does
# not match the CN of the real environment, the certificate service will not work.
commonName                      = Common Name (eg, your name or your server\'s hostname) # hostname (CN)
commonName_max                  = 64
emailAddress                    = Email Address                    # often not needed
emailAddress_max                = 64

[ req_attributes ]
# Kept for the needs of certain software; challengePassword is generally not
# required any more, so this section is hardly ever used and can be ignored.
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
# keyUsage = cRLSign, keyCertSign       # typical CA certificate usage; commented out here
                                        # for testing, set it like this for a real CA
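The prompt setting and the _default/_min/_max attributes above decide how the req_distinguished_name entries turn into a subject. The following added illustration, written in Python for this article and not taken from OpenSSL (apps/req.c) or from the author, builds the subject in both modes from constructed section contents and simulated answers. It also applies the fixed length limits OpenSSL enforces when a field is added to a name (countryName is exactly 2 characters, commonName at most 64), which is what rejects a prompt-mode section if it is read with prompt = no, since the prompt strings are then taken as the values themselves:

```python
"""Subject construction from [req_distinguished_name] in both prompt modes (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Section = Dict[str, str]

# Length limits OpenSSL applies when an entry is added to an X509_NAME (its built-in
# attribute table); they hold in both prompt modes, independent of _min/_max.
ASN1_LIMITS = {
    "countryName": (2, 2), "commonName": (1, 64), "organizationName": (1, 64),
    "organizationalUnitName": (1, 64), "stateOrProvinceName": (1, 128),
    "localityName": (1, 128), "emailAddress": (1, 128),
}

# Constructed prompt = yes section: entries are prompt strings plus _default/_min/_max.
DN_PROMPTS: Section = {
    "countryName": "Country Name (2 letter code)",
    "countryName_default": "XX",
    "countryName_min": "2",
    "countryName_max": "2",
    "stateOrProvinceName": "State or Province Name (full name)",
    "localityName": "Locality Name (eg, city)",
    "localityName_default": "Default City",
    "0.organizationName": "Organization Name (eg, company)",
    "0.organizationName_default": "Default Company Ltd",
    "commonName": "Common Name (eg, your name or your server's hostname)",
    "commonName_max": "64",
}

# Constructed prompt = no section: every entry is the field value itself.
DN_VALUES: Section = {"countryName": "CN", "organizationName": "JMU", "commonName": "longshuai.com"}


def _field_name(key: str) -> str:
    """Drop the 'N.' (or 'N:' / 'N,') prefix that lets a field repeat, as in 0.organizationName."""
    return re.split(r"[.:,]", key, maxsplit=1)[-1]


def _check_len(field: str, value: str, lo: int, hi: int, what: str) -> None:
    if len(value) < lo or (hi and len(value) > hi):
        raise ValueError(f"{field}: {value!r} is outside {what} length {lo}..{hi or 'unbounded'}")


def build_dn(section: Section, prompt: bool,
             answers: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Return the subject as an ordered list of (field, value).

    prompt = yes: `answers` stands in for what the user types; an empty answer falls
    back to <entry>_default, nothing typed and no default leaves the field out, '.'
    leaves it out explicitly, and _min/_max lengths are enforced.
    prompt = no: each entry is the value itself; _default/_min/_max are not consulted.
    """
    answers = answers or {}
    subject: List[Tuple[str, str]] = []
    for key, text in section.items():
        if key.endswith(("_default", "_min", "_max")):
            continue                                  # attribute of another entry, not a field
        field = _field_name(key)
        if prompt:
            value = answers.get(field, "")
            if value == "":
                value = section.get(key + "_default", "")
                if value == "":
                    continue
            elif value == ".":
                continue
            _check_len(field, value, int(section.get(key + "_min", 0)),
                       int(section.get(key + "_max", 0)), key + "_min/_max")
        else:
            value = text
        lo, hi = ASN1_LIMITS.get(field, (1, 0))
        _check_len(field, value, lo, hi, "ASN.1")
        subject.append((field, value))
    if not subject:
        raise ValueError("No objects specified in config file")   # the error openssl req reports
    return subject


def dn_error(section: Section, prompt: bool,
             answers: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Like build_dn but return the error message instead of raising (None on success)."""
    try:
        build_dn(section, prompt, answers)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    typed = {"countryName": "", "localityName": ".", "organizationName": "Acme",
             "commonName": "www.example.test"}
    print(build_dn(DN_PROMPTS, True, typed))
    print(build_dn(DN_VALUES, False))
    print(dn_error(DN_PROMPTS, False))
```

The last line of the demo shows the mismatch case: feeding the prompt-style section through prompt = no fails on countryName before anything is signed, which is the kind of error to expect when a prompt-mode section is reused after switching prompt to no.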

The field entries in the DN (distinguished name) section can be customised; note that every field the policy in the CA section marks as match or supplied must be defined in the DN section.

In the following example only countryName, organizationName and commonName are set to match or supplied and the rest are optional, so only these 3 fields need to be defined in the DN section, which here also uses a custom name.

[ policy_to_match ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ dn ]
countryName             = "C"
organizationName        = "O"
commonName              = "Root CA"
(4). Sample configuration file

The following is a complete example configuration file; assume its path is /ssl/ssl.conf.

[ default ]
name                    = root-ca               # variable
default_ca              = ca_default
name_opt                = ca_default
cert_opt                = ca_default

[ ca_default ]
home                    = .                     # variable
database                = $home/db/index
serial                  = $home/db/serial
crlnumber               = $home/db/crlnumber
certificate             = $home/$name.crt
private_key             = $home/private/$name.key
RANDFILE                = $home/private/random
new_certs_dir           = $home/certs
unique_subject          = no
copy_extensions         = none
default_days            = 3650
default_crl_days        = 365
default_md              = sha256
policy                  = policy_to_match

[ policy_to_match ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ ca_dn ]
countryName             = "C"
countryName_default     = "CN"
organizationName        = "O"
organizationName_default = "JMU"
commonName              = "CN"
commonName_default      = "longshuai.com"

[ req ]
default_bits            = 4096
encrypt_key             = no
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
# prompt = no                                   # this option caused an error in testing, so it is commented out
distinguished_name      = ca_dn
req_extensions          = ca_ext

[ ca_ext ]
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash
