# OpenSSL CA / certificate-request configuration for the Samba self-test CA
# (CA-samba.example.com), read by `openssl ca` and `openssl req`.
# OpenSSL's config parser treats `#` as the start of a comment anywhere on a
# line, which is why the trailing comments on value lines below are safe for
# OpenSSL; a generic INI reader would keep them as part of the value.
# NOTE(review): each line of this listing carries a leading line number from
# the view it was taken from, and several section headers (the ca and
# CA_default sections, both policy sections, the req section) are not in the
# excerpt; the key runs below are grouped by their original comments.
2 # Based on the OpenSSL example configuration file.
3 # This is mostly being used for generation of certificate requests.
6 # This definition stops the following lines choking if HOME isn't
# (the rest of this sentence is not in the listing; $ENV::HOME is expanded by
# OpenSSL from the environment when the file is read)
9 RANDFILE = $ENV::HOME/.rnd
# Custom variable; referenced as $CRLDISTPT by the extension sections below.
# NOTE(review): a plain-http URL is the conventional transport for a CRL
# distribution point because the CRL itself is signed; relying parties only
# need the URL to be reachable.
11 #CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
12 CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
14 # Extra OBJECT IDENTIFIER info:
# The new_oids section (header not in this listing) defines the names
# scardLogin, msUPN and msADGUID used further down.
15 oid_section = new_oids
17 # To use this configuration file with the "-extfile" option of the
18 # "openssl x509" utility, name here the section containing the
19 # X.509v3 extensions to use:
21 # (Alternatively, use a configuration file that has only
22 # X.509v3 extensions in its main [= default] section.)
# Microsoft OIDs for smart-card logon; scardLogin is used in extendedKeyUsage
# and msUPN in subjectAltName of the template section at the end of the file.
25 # Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
26 scardLogin=1.3.6.1.4.1.311.20.2.2
27 # Used in a smart card login certificate's subject alternative name
28 msUPN=1.3.6.1.4.1.311.20.2.3
29 # Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
# NOTE(review): the OID assignment this comment describes is not present in
# this listing.
31 # Identifies the AD GUID
32 msADGUID=1.3.6.1.4.1.311.25.1
34 ####################################################################
# ca section (header not in listing): selects the CA profile `openssl ca` uses.
36 default_ca = CA_default # The default ca section
38 ####################################################################
# CA_default profile (header not in listing). Files under Private/ hold the
# CA signing key, serial, index, CRL number and random seed; Public/ holds the
# CA certificate and CRL. This file sets no filesystem permissions, so
# Private/ must be restricted outside of OpenSSL.
# dir is a relative path, resolved against the working directory of the
# openssl invocation.
41 dir = CA-samba.example.com # Where everything is kept
# The _none_ names suggest these two directories are not used by this CA;
# confirm before relying on them.
42 certs = $dir/_none_certs # Where the issued certs are kept
43 crl_dir = $dir/_none_crl # Where the issued crl are kept
44 database = $dir/Private/CA-samba.example.com-index.txt # database index file.
# yes: a second live certificate with the same subject is refused.
45 unique_subject = yes # Set to 'no' to allow creation of
46 # several certificates with same subject.
47 new_certs_dir = $dir/NewCerts # default place for new certs.
49 certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
50 serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
51 crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
52 # must be commented out to leave a V1 CRL
54 #crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
55 crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
56 private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
57 RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
59 #x509_extensions = # The extensions to add to the cert
# NOTE(review): with this as the default, every certificate `openssl ca` signs
# from this file receives the smart-card-login extension set defined in
# [ template_x509_extensions ] unless another section is selected with
# -extensions on the command line.
60 x509_extensions = template_x509_extensions
62 # Comment out the following two lines for the "traditional"
63 # (and highly broken) format.
64 name_opt = ca_default # Subject Name options
65 cert_opt = ca_default # Certificate field options
67 # Extension copying option: use with caution.
# Left unset: extensions carried in the request are ignored, so
# subjectAltName and keyUsage always come from the template section rather
# than from the requester.
68 # copy_extensions = copy
70 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
71 # so this is commented out by default to leave a V1 CRL.
72 # crlnumber must also be commented out to leave a V1 CRL.
73 crl_extensions = crl_ext
# 7300 days is 20 years.
# NOTE(review): default_crl_days also sets the CRL nextUpdate 20 years out, so
# a relying party that caches the CRL may not refetch it — and may miss later
# revocations — for that long. Acceptable for a self-test CA, not for
# production use.
75 default_days = 7300 # how long to certify for
76 default_crl_days= 7300 # how long before next CRL
77 default_md = sha256 # use public key default MD
78 preserve = no # keep passed DN ordering
80 # A few different ways of specifying how similar the request should look
81 # For type CA, the listed attributes must be the same, and the optional
82 # and supplied fields are just that :-)
# First policy section (header not in listing).
88 stateOrProvinceName = match
89 organizationName = match
90 organizationalUnitName = optional
92 emailAddress = optional
94 # For the 'anything' policy
95 # At this point in time, you must list all acceptable 'object'
# Second policy section (header not in listing): stricter than the first,
# organizationalUnitName must match and commonName/emailAddress must be supplied.
99 stateOrProvinceName = match
101 organizationName = match
102 organizationalUnitName = match
103 commonName = supplied
104 emailAddress = supplied
106 ####################################################################
# req section (header not in listing): settings for `openssl req`.
# x509_extensions = v3_ca applies when `openssl req -x509` produces the
# self-signed CA certificate.
109 distinguished_name = req_distinguished_name
110 attributes = req_attributes
111 x509_extensions = v3_ca # The extensions to add to the self signed cert
113 # Passwords for private keys if not present they will be prompted for
# Keep these commented out: uncommenting them stores a key passphrase in
# plaintext in this file.
114 # input_password = secret
115 # output_password = secret
117 # This sets a mask for permitted string types. There are several options.
118 # default: PrintableString, T61String, BMPString.
119 # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
120 # utf8only: only UTF8Strings (PKIX recommendation after 2004).
121 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
122 # MASK:XXXX a literal mask value.
123 # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
124 string_mask = utf8only
126 # req_extensions = v3_req # The extensions to add to a certificate request
# Prompt text and defaults for `openssl req`. The _default values form the
# Samba self-test identity; commonName_default is an email-style name.
128 [ req_distinguished_name ]
129 countryName = Country Name (2 letter code)
130 countryName_default = US
134 stateOrProvinceName = State or Province Name (full name)
135 stateOrProvinceName_default = SambaState
137 localityName = Locality Name (eg, city)
138 localityName_default = SambaCity
140 organizationName = Organization Name (eg, company)
141 organizationName_default = SambaSelfTesting
143 organizationalUnitName = Organizational Unit Name (eg, section)
144 organizationalUnitName_default = Users
146 commonName = Common Name (eg, YOUR name)
147 commonName_default = administrator@addom2.samba.example.com
150 emailAddress = Email Address
151 emailAddress_default = administrator@addom2.samba.example.com
# Upper bound on the length of the entered address.
152 emailAddress_max = 64
# req_attributes section (referenced by the req section's attributes key;
# header not in listing). Every attribute is commented out, so none is
# prompted for.
154 # SET-ex3 = SET extension number 3
157 #challengePassword = A challenge password
158 #challengePassword_min = 4
159 #challengePassword_max = 20
161 #unstructuredName = An optional company name
# v3_req extensions (header not in listing; referenced by the commented-out
# req_extensions key): end-entity profile.
165 # Extensions to add to a certificate request
167 basicConstraints = CA:FALSE
168 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# v3_ca extensions (header not in listing): profile of the self-signed CA
# certificate made by `openssl req -x509`.
171 # Extensions for a typical CA
172 # PKIX recommendation.
173 subjectKeyIdentifier=hash
174 authorityKeyIdentifier=keyid:always,issuer
176 # This is what PKIX recommends but some broken software chokes on critical
178 #basicConstraints = critical,CA:true
179 # So we do this instead.
180 basicConstraints = CA:true
# Restricts the CA key to signing certificates and CRLs (no digitalSignature
# or keyEncipherment), which is the least-privilege choice for a root.
182 # Key usage: this is typical for a CA certificate.
183 keyUsage = cRLSign, keyCertSign
# CDP taken from the CRLDISTPT variable at the top of the file.
185 crlDistributionPoints=URI:$CRLDISTPT
# Legacy Netscape extension; largely ignored by current relying parties.
187 # Some might want this also
188 nsCertType = sslCA, emailCA
190 # Include email address in subject alt name: another PKIX recommendation
191 subjectAltName=email:copy
192 # Copy issuer details
193 issuerAltName=issuer:copy
# crl_ext (header not in listing): extensions placed in CRLs, selected by the
# CA profile's crl_extensions key.
197 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
199 issuerAltName=issuer:copy
200 authorityKeyIdentifier=keyid:always
# Former name of the section that follows.
202 #[ usr_cert_scarduser ]
# Default end-entity profile for `openssl ca` (selected by the CA profile's
# x509_extensions key): a smart-card logon certificate for one test account.
203 [ template_x509_extensions ]
205 # These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
207 # This goes against PKIX guidelines but some CAs do it and some software
208 # requires this to avoid interpreting an end user certificate as a CA.
210 basicConstraints=CA:FALSE
# CDP taken from the CRLDISTPT variable at the top of the file.
211 crlDistributionPoints=URI:$CRLDISTPT
# Legacy Netscape extension; largely ignored by current relying parties.
213 # For normal client use this is typical
214 nsCertType = client, email
216 # This is typical in keyUsage for a client certificate.
217 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# The surrounding double quotes are stripped by OpenSSL's config parser.
219 # This will be displayed in Netscape's comment listbox.
220 nsComment = "Smart Card Login Certificate for administrator@addom2.samba.example.com"
222 # PKIX recommendations harmless if included in all certificates.
223 subjectKeyIdentifier=hash
224 authorityKeyIdentifier=keyid,issuer
226 # This stuff is for subjectAltName and issuerAltname.
# NOTE(review): the UPN otherName below is hard-coded to a single account.
# Any request signed with this section — whatever its subject — yields a
# certificate asserting that UPN, so this section is tied to this one test
# user and must not be reused for other subjects.
228 subjectAltName=email:copy,otherName:msUPN;UTF8:administrator@addom2.samba.example.com
230 # Copy issuer details
231 issuerAltName=issuer:copy
# Legacy Netscape revocation-URL extension, same location as the CDP.
233 nsCaRevocationUrl = $CRLDISTPT
# scardLogin is the name defined under oid_section (1.3.6.1.4.1.311.20.2.2),
# the EKU Windows requires for smart-card logon.
240 #Extended Key requirements for client certs
241 extendedKeyUsage = clientAuth,scardLogin