Revision 6251d517
Added by Renato Botelho about 9 years ago
src/etc/ssl/openssl.cnf | ||
---|---|---|
1 |
# $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.6 2004/03/17 17:44:38 nectar Exp $
|
|
1 |
# $FreeBSD$ |
|
2 | 2 |
# |
3 | 3 |
# OpenSSL example configuration file. |
4 | 4 |
# This is mostly being used for generation of certificate requests. |
5 | 5 |
# |
6 |
# |
|
6 |
|
|
7 | 7 |
# This definition stops the following lines choking if HOME isn't |
8 | 8 |
# defined. |
9 |
HOME = .
|
|
10 |
RANDFILE = $ENV::HOME/.rnd
|
|
9 |
HOME = .
|
|
10 |
RANDFILE = $ENV::HOME/.rnd
|
|
11 | 11 |
|
12 |
# default SAN value if $ENV::SAN is not defined |
|
12 |
# pfSense: default SAN value if $ENV::SAN is not defined
|
|
13 | 13 |
# |
14 |
SAN =
|
|
14 |
SAN =
|
|
15 | 15 |
|
16 | 16 |
# Extra OBJECT IDENTIFIER info: |
17 |
#oid_file = $ENV::HOME/.oid
|
|
18 |
oid_section = new_oids
|
|
17 |
#oid_file = $ENV::HOME/.oid
|
|
18 |
oid_section = new_oids
|
|
19 | 19 |
|
20 | 20 |
# To use this configuration file with the "-extfile" option of the |
21 | 21 |
# "openssl x509" utility, name here the section containing the |
22 | 22 |
# X.509v3 extensions to use: |
23 |
# extensions =
|
|
23 |
# extensions =
|
|
24 | 24 |
# (Alternatively, use a configuration file that has only |
25 | 25 |
# X.509v3 extensions in its main [= default] section.) |
26 | 26 |
|
27 | 27 |
[ new_oids ] |
28 | 28 |
|
29 |
# We can add new OIDs in here for use by 'ca' and 'req'.
|
|
29 |
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
|
|
30 | 30 |
# Add a simple OID like this: |
31 | 31 |
# testoid1=1.2.3.4 |
32 | 32 |
# Or use config file substitution like this: |
33 | 33 |
# testoid2=${testoid1}.5.6 |
34 | 34 |
|
35 |
# Policies used by the TSA examples. |
|
36 |
tsa_policy1 = 1.2.3.4.1 |
|
37 |
tsa_policy2 = 1.2.3.4.5.6 |
|
38 |
tsa_policy3 = 1.2.3.4.5.7 |
|
39 |
|
|
35 | 40 |
#################################################################### |
36 | 41 |
[ ca ] |
37 |
default_ca = CA_default # The default ca section
|
|
42 |
default_ca = CA_default # The default ca section
|
|
38 | 43 |
|
39 | 44 |
#################################################################### |
40 | 45 |
[ CA_default ] |
41 | 46 |
|
42 |
dir = ./demoCA # Where everything is kept
|
|
43 |
certs = $dir/certs # Where the issued certs are kept
|
|
44 |
crl_dir = $dir/crl # Where the issued crl are kept
|
|
45 |
database = $dir/index.txt # database index file.
|
|
46 |
#unique_subject = no # Set to 'no' to allow creation of
|
|
47 |
# several certificates with same subject.
|
|
48 |
new_certs_dir = $dir/newcerts # default place for new certs.
|
|
47 |
dir = ./demoCA # Where everything is kept
|
|
48 |
certs = $dir/certs # Where the issued certs are kept
|
|
49 |
crl_dir = $dir/crl # Where the issued crl are kept
|
|
50 |
database = $dir/index.txt # database index file.
|
|
51 |
#unique_subject = no # Set to 'no' to allow creation of
|
|
52 |
# several ctificates with same subject.
|
|
53 |
new_certs_dir = $dir/newcerts # default place for new certs.
|
|
49 | 54 |
|
50 |
certificate = $dir/cacert.pem # The CA certificate
|
|
51 |
serial = $dir/serial # The current serial number
|
|
52 |
#crlnumber = $dir/crlnumber # the current crl number
|
|
53 |
# must be commented out to leave a V1 CRL
|
|
54 |
crl = $dir/crl.pem # The current CRL
|
|
55 |
private_key = $dir/private/cakey.pem# The private key
|
|
56 |
RANDFILE = $dir/private/.rand # private random number file
|
|
55 |
certificate = $dir/cacert.pem # The CA certificate
|
|
56 |
serial = $dir/serial # The current serial number
|
|
57 |
crlnumber = $dir/crlnumber # the current crl number
|
|
58 |
# must be commented out to leave a V1 CRL
|
|
59 |
crl = $dir/crl.pem # The current CRL
|
|
60 |
private_key = $dir/private/cakey.pem# The private key
|
|
61 |
RANDFILE = $dir/private/.rand # private random number file
|
|
57 | 62 |
|
58 |
x509_extensions = usr_cert # The extensions to add to the cert
|
|
63 |
x509_extensions = usr_cert # The extentions to add to the cert
|
|
59 | 64 |
|
60 | 65 |
# Comment out the following two lines for the "traditional" |
61 | 66 |
# (and highly broken) format. |
62 |
name_opt = ca_default # Subject Name options
|
|
63 |
cert_opt = ca_default # Certificate field options
|
|
67 |
name_opt = ca_default # Subject Name options
|
|
68 |
cert_opt = ca_default # Certificate field options
|
|
64 | 69 |
|
65 | 70 |
# Extension copying option: use with caution. |
66 | 71 |
# copy_extensions = copy |
... | ... | |
68 | 73 |
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs |
69 | 74 |
# so this is commented out by default to leave a V1 CRL. |
70 | 75 |
# crlnumber must also be commented out to leave a V1 CRL. |
71 |
crl_extensions = crl_ext
|
|
76 |
crl_extensions = crl_ext
|
|
72 | 77 |
|
73 |
default_days = 365 # how long to certify for
|
|
74 |
default_crl_days= 30 # how long before next CRL
|
|
75 |
default_md = md5 # which md to use.
|
|
76 |
preserve = no # keep passed DN ordering
|
|
78 |
default_days = 365 # how long to certify for
|
|
79 |
default_crl_days= 30 # how long before next CRL
|
|
80 |
default_md = default # use public key default MD
|
|
81 |
preserve = no # keep passed DN ordering
|
|
77 | 82 |
|
78 | 83 |
# A few difference way of specifying how similar the request should look |
79 | 84 |
# For type CA, the listed attributes must be the same, and the optional |
80 | 85 |
# and supplied fields are just that :-) |
81 |
policy = policy_match
|
|
86 |
policy = policy_match
|
|
82 | 87 |
|
83 | 88 |
# For the CA policy |
84 | 89 |
[ policy_match ] |
85 |
countryName = match
|
|
86 |
stateOrProvinceName = match
|
|
87 |
organizationName = match
|
|
88 |
organizationalUnitName = optional
|
|
89 |
commonName = supplied
|
|
90 |
emailAddress = optional
|
|
90 |
countryName = match
|
|
91 |
stateOrProvinceName = match
|
|
92 |
organizationName = match
|
|
93 |
organizationalUnitName = optional
|
|
94 |
commonName = supplied
|
|
95 |
emailAddress = optional
|
|
91 | 96 |
|
92 | 97 |
# For the 'anything' policy |
93 | 98 |
# At this point in time, you must list all acceptable 'object' |
94 | 99 |
# types. |
95 | 100 |
[ policy_anything ] |
96 |
countryName = optional
|
|
97 |
stateOrProvinceName = optional
|
|
98 |
localityName = optional
|
|
99 |
organizationName = optional
|
|
100 |
organizationalUnitName = optional
|
|
101 |
commonName = supplied
|
|
102 |
emailAddress = optional
|
|
101 |
countryName = optional
|
|
102 |
stateOrProvinceName = optional
|
|
103 |
localityName = optional
|
|
104 |
organizationName = optional
|
|
105 |
organizationalUnitName = optional
|
|
106 |
commonName = supplied
|
|
107 |
emailAddress = optional
|
|
103 | 108 |
|
104 | 109 |
#################################################################### |
105 | 110 |
[ req ] |
106 |
distinguished_name=req_distinguished_name |
|
107 |
req_extensions = v3_req |
|
108 |
prompt=no |
|
109 |
|
|
110 |
default_bits = 2048 |
|
111 |
default_keyfile = privkey.pem |
|
112 |
distinguished_name = req_distinguished_name |
|
113 |
attributes = req_attributes |
|
114 |
x509_extensions = v3_ca # The extensions to add to the self signed cert |
|
111 |
prompt = no |
|
112 |
default_bits = 2048 |
|
113 |
default_keyfile = privkey.pem |
|
114 |
distinguished_name = req_distinguished_name |
|
115 |
attributes = req_attributes |
|
116 |
x509_extensions = v3_ca # The extentions to add to the self signed cert |
|
115 | 117 |
|
116 | 118 |
# Passwords for private keys if not present they will be prompted for |
117 |
#input_password=""
|
|
118 |
#output_password=""
|
|
119 |
# input_password = secret
|
|
120 |
# output_password = secret
|
|
119 | 121 |
|
120 |
# This sets a mask for permitted string types. There are several options. |
|
122 |
# This sets a mask for permitted string types. There are several options.
|
|
121 | 123 |
# default: PrintableString, T61String, BMPString. |
122 |
# pkix : PrintableString, BMPString.
|
|
123 |
# utf8only: only UTF8Strings. |
|
124 |
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
|
|
125 |
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
|
|
124 | 126 |
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). |
125 | 127 |
# MASK:XXXX a literal mask value. |
126 |
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings |
|
127 |
# so use this option with caution! |
|
128 |
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. |
|
128 | 129 |
string_mask = nombstr |
129 | 130 |
|
130 |
# req_extensions = v3_req # The extensions to add to a certificate request
|
|
131 |
req_extensions = v3_req # The extensions to add to a certificate request |
|
131 | 132 |
|
132 | 133 |
[ req_distinguished_name ] |
133 |
countryName = US
|
|
134 |
#countryName_default = AU
|
|
135 |
#countryName_min = 2
|
|
136 |
#countryName_max = 2
|
|
134 |
countryName = Country Name (2 letter code)
|
|
135 |
countryName_default = AU
|
|
136 |
countryName_min = 2
|
|
137 |
countryName_max = 2
|
|
137 | 138 |
|
138 |
stateOrProvinceName = Somewhere
|
|
139 |
#stateOrProvinceName_default = Somestate
|
|
139 |
stateOrProvinceName = State or Province Name (full name)
|
|
140 |
stateOrProvinceName_default = Some-State
|
|
140 | 141 |
|
141 |
localityName = Somecity
|
|
142 |
localityName = Locality Name (eg, city)
|
|
142 | 143 |
|
143 |
0.organizationName = CompanyName
|
|
144 |
#0.organizationName_default = SampleNameDefault
|
|
144 |
0.organizationName = Organization Name (eg, company)
|
|
145 |
0.organizationName_default = Internet Widgits Pty Ltd
|
|
145 | 146 |
|
146 | 147 |
# we can do this but it is not needed normally :-) |
147 |
#1.organizationName = Second Organization Name (eg, company)
|
|
148 |
#1.organizationName_default = World Wide Web Pty Ltd
|
|
148 |
#1.organizationName = Second Organization Name (eg, company)
|
|
149 |
#1.organizationName_default = World Wide Web Pty Ltd
|
|
149 | 150 |
|
150 |
organizationalUnitName = Organizational Unit Name (eg, section)
|
|
151 |
#organizationalUnitName_default =
|
|
151 |
organizationalUnitName = Organizational Unit Name (eg, section)
|
|
152 |
#organizationalUnitName_default =
|
|
152 | 153 |
|
153 |
commonName = Common Name (eg, YOUR name)
|
|
154 |
#commonName_max = 64
|
|
154 |
commonName = Common Name (e.g. server FQDN or YOUR name)
|
|
155 |
commonName_max = 64
|
|
155 | 156 |
|
156 |
emailAddress = Email Address
|
|
157 |
#emailAddress_max = 64
|
|
157 |
emailAddress = Email Address
|
|
158 |
emailAddress_max = 64
|
|
158 | 159 |
|
159 |
# SET-ex3 = SET extension number 3
|
|
160 |
# SET-ex3 = SET extension number 3
|
|
160 | 161 |
|
161 | 162 |
[ req_attributes ] |
162 |
challengePassword = A challenge password
|
|
163 |
#challengePassword_min = 4
|
|
164 |
#challengePassword_max = 20
|
|
163 |
challengePassword = A challenge password
|
|
164 |
challengePassword_min = 4
|
|
165 |
challengePassword_max = 20
|
|
165 | 166 |
|
166 |
unstructuredName = An optional company name
|
|
167 |
unstructuredName = An optional company name
|
|
167 | 168 |
|
168 | 169 |
[ usr_cert ] |
169 | 170 |
|
... | ... | |
178 | 179 |
# the certificate can be used for anything *except* object signing. |
179 | 180 |
|
180 | 181 |
# This is OK for an SSL server. |
181 |
# nsCertType = server
|
|
182 |
# nsCertType = server
|
|
182 | 183 |
|
183 | 184 |
# For an object signing certificate this would be used. |
184 | 185 |
# nsCertType = objsign |
... | ... | |
193 | 194 |
keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
194 | 195 |
|
195 | 196 |
# This will be displayed in Netscape's comment listbox. |
196 |
nsComment = "OpenSSL Generated User Certificate"
|
|
197 |
nsComment = "OpenSSL Generated User Certificate"
|
|
197 | 198 |
|
198 | 199 |
# PKIX recommendations harmless if included in all certificates. |
199 | 200 |
subjectKeyIdentifier=hash |
... | ... | |
210 | 211 |
# Copy subject details |
211 | 212 |
# issuerAltName=issuer:copy |
212 | 213 |
|
213 |
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
|
214 |
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
|
214 | 215 |
#nsBaseUrl |
215 | 216 |
#nsRevocationUrl |
216 | 217 |
#nsRenewalUrl |
217 | 218 |
#nsCaPolicyUrl |
218 | 219 |
#nsSslServerName |
219 | 220 |
|
221 |
# This is required for TSA certificates. |
|
222 |
# extendedKeyUsage = critical,timeStamping |
|
223 |
|
|
220 | 224 |
[ usr_cert_san ] |
221 | 225 |
|
222 | 226 |
# copy of [ usr_cert ] plus nonempty Subject Alternative Names |
223 |
basicConstraints=CA:FALSE
|
|
224 |
nsComment = "OpenSSL Generated User Certificate"
|
|
225 |
subjectKeyIdentifier=hash
|
|
226 |
authorityKeyIdentifier=keyid,issuer:always
|
|
227 |
extendedKeyUsage=clientAuth
|
|
228 |
subjectAltName=$ENV::SAN
|
|
227 |
basicConstraints = CA:FALSE
|
|
228 |
nsComment = "OpenSSL Generated User Certificate"
|
|
229 |
subjectKeyIdentifier = hash
|
|
230 |
authorityKeyIdentifier = keyid,issuer:always
|
|
231 |
extendedKeyUsage = clientAuth
|
|
232 |
subjectAltName = $ENV::SAN
|
|
229 | 233 |
|
230 | 234 |
[ server ] |
231 | 235 |
|
232 | 236 |
# Make a cert with nsCertType=server |
233 |
basicConstraints=CA:FALSE
|
|
237 |
basicConstraints = CA:FALSE
|
|
234 | 238 |
nsCertType = server |
235 | 239 |
nsComment = "OpenSSL Generated Server Certificate" |
236 |
subjectKeyIdentifier=hash
|
|
237 |
authorityKeyIdentifier=keyid,issuer:always
|
|
238 |
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
|
|
239 |
keyUsage = digitalSignature, keyEncipherment
|
|
240 |
subjectKeyIdentifier = hash
|
|
241 |
authorityKeyIdentifier = keyid,issuer:always
|
|
242 |
extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
|
|
243 |
keyUsage = digitalSignature, keyEncipherment
|
|
240 | 244 |
|
241 | 245 |
[ server_san ] |
242 | 246 |
|
243 | 247 |
# copy of [ server ] plus nonempty Subject Alternative Names |
244 |
basicConstraints=CA:FALSE
|
|
248 |
basicConstraints = CA:FALSE
|
|
245 | 249 |
nsCertType = server |
246 | 250 |
nsComment = "OpenSSL Generated Server Certificate" |
247 |
subjectKeyIdentifier=hash
|
|
248 |
authorityKeyIdentifier=keyid,issuer:always
|
|
249 |
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
|
|
250 |
keyUsage = digitalSignature, keyEncipherment
|
|
251 |
subjectAltName=$ENV::SAN
|
|
251 |
subjectKeyIdentifier = hash
|
|
252 |
authorityKeyIdentifier = keyid,issuer:always
|
|
253 |
extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
|
|
254 |
keyUsage = digitalSignature, keyEncipherment
|
|
255 |
subjectAltName = $ENV::SAN
|
|
252 | 256 |
|
253 | 257 |
[ v3_req ] |
254 | 258 |
|
... | ... | |
275 | 279 |
# So we do this instead. |
276 | 280 |
basicConstraints = CA:true |
277 | 281 |
|
278 |
# Key usage: this is typical for a CA certificate. |
|
282 |
# Key usage: this is typical for a CA certificate. However since it will |
|
283 |
# prevent it being used as an test self-signed certificate it is best |
|
284 |
# left out by default. |
|
279 | 285 |
keyUsage = cRLSign, keyCertSign |
280 | 286 |
|
281 | 287 |
# Some might want this also |
... | ... | |
297 | 303 |
# copy of [ v3_ca ] plus nonempty Subject Alternative Names |
298 | 304 |
subjectKeyIdentifier=hash |
299 | 305 |
authorityKeyIdentifier=keyid:always,issuer:always |
300 |
basicConstraints = CA:true
|
|
306 |
basicConstraints=CA:true
|
|
301 | 307 |
subjectAltName=$ENV::SAN |
302 | 308 |
|
303 | 309 |
[ crl_ext ] |
... | ... | |
307 | 313 |
|
308 | 314 |
# issuerAltName=issuer:copy |
309 | 315 |
authorityKeyIdentifier=keyid:always,issuer:always |
316 |
|
|
317 |
[ proxy_cert_ext ] |
|
318 |
# These extensions should be added when creating a proxy certificate |
|
319 |
|
|
320 |
# This goes against PKIX guidelines but some CAs do it and some software |
|
321 |
# requires this to avoid interpreting an end user certificate as a CA. |
|
322 |
|
|
323 |
basicConstraints=CA:FALSE |
|
324 |
|
|
325 |
# Here are some examples of the usage of nsCertType. If it is omitted |
|
326 |
# the certificate can be used for anything *except* object signing. |
|
327 |
|
|
328 |
# This is OK for an SSL server. |
|
329 |
# nsCertType = server |
|
330 |
|
|
331 |
# For an object signing certificate this would be used. |
|
332 |
# nsCertType = objsign |
|
333 |
|
|
334 |
# For normal client use this is typical |
|
335 |
# nsCertType = client, email |
|
336 |
|
|
337 |
# and for everything including object signing: |
|
338 |
# nsCertType = client, email, objsign |
|
339 |
|
|
340 |
# This is typical in keyUsage for a client certificate. |
|
341 |
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
|
342 |
|
|
343 |
# This will be displayed in Netscape's comment listbox. |
|
344 |
nsComment = "OpenSSL Generated Certificate" |
|
345 |
|
|
346 |
# PKIX recommendations harmless if included in all certificates. |
|
347 |
subjectKeyIdentifier=hash |
|
348 |
authorityKeyIdentifier=keyid,issuer |
|
349 |
|
|
350 |
# This stuff is for subjectAltName and issuerAltname. |
|
351 |
# Import the email address. |
|
352 |
# subjectAltName=email:copy |
|
353 |
# An alternative to produce certificates that aren't |
|
354 |
# deprecated according to PKIX. |
|
355 |
# subjectAltName=email:move |
|
356 |
|
|
357 |
# Copy subject details |
|
358 |
# issuerAltName=issuer:copy |
|
359 |
|
|
360 |
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem |
|
361 |
#nsBaseUrl |
|
362 |
#nsRevocationUrl |
|
363 |
#nsRenewalUrl |
|
364 |
#nsCaPolicyUrl |
|
365 |
#nsSslServerName |
|
366 |
|
|
367 |
# This really needs to be in place for it to be a proxy certificate. |
|
368 |
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo |
|
369 |
|
|
370 |
#################################################################### |
|
371 |
[ tsa ] |
|
372 |
|
|
373 |
default_tsa = tsa_config1 # the default TSA section |
|
374 |
|
|
375 |
[ tsa_config1 ] |
|
376 |
|
|
377 |
# These are used by the TSA reply generation only. |
|
378 |
dir = ./demoCA # TSA root directory |
|
379 |
serial = $dir/tsaserial # The current serial number (mandatory) |
|
380 |
crypto_device = builtin # OpenSSL engine to use for signing |
|
381 |
signer_cert = $dir/tsacert.pem # The TSA signing certificate |
|
382 |
# (optional) |
|
383 |
certs = $dir/cacert.pem # Certificate chain to include in reply |
|
384 |
# (optional) |
|
385 |
signer_key = $dir/private/tsakey.pem # The TSA private key (optional) |
|
386 |
|
|
387 |
default_policy = tsa_policy1 # Policy if request did not specify it |
|
388 |
# (optional) |
|
389 |
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) |
|
390 |
digests = md5, sha1 # Acceptable message digests (mandatory) |
|
391 |
accuracy = secs:1, millisecs:500, microsecs:100 # (optional) |
|
392 |
clock_precision_digits = 0 # number of digits after dot. (optional) |
|
393 |
ordering = yes # Is ordering defined for timestamps? |
|
394 |
# (optional, default: no) |
|
395 |
tsa_name = yes # Must the TSA name be included in the reply? |
|
396 |
# (optional, default: no) |
|
397 |
ess_cert_id_chain = no # Must the ESS cert id chain be included? |
|
398 |
# (optional, default: no) |
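Review bot: The new [req_distinguished_name] block (new lines 134–158) switches to FreeBSD's prompt-label values such as `countryName = Country Name (2 letter code)` while [req] still carries `prompt = no` (new line 111); under `openssl req` that combination makes each label the literal DN value, so `countryName` exceeds its own `countryName_max = 2` and request generation fails unless every caller overrides the subject with `-subj` or an API-supplied DN, which is worth confirming against how pfSense builds its CSRs before merging. Depending on how the subject is supplied, the newly uncommented `_default` entries (`stateOrProvinceName_default = Some-State`, `0.organizationName_default = Internet Widgits Pty Ltd`) may also be used for any field a caller omits, which would put placeholder text into issued certificates; a comment above the section stating that the values are labels only when prompting is enabled and that callers must pass the full subject would make the intent explicit. Separately, `digests = md5, sha1` in [tsa_config1] (new line 390) allows MD5 for timestamp requests; MD5 is collision-broken, so `digests = sha1, sha256, sha384, sha512` would be the safer default even though it departs from the FreeBSD file.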
Reduce differences from FreeBSD default openssl.cnf