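####################################################################
# OpenSSL CA configuration (openssl.cnf) for the hosso.com private CA.
# Read by `openssl ca`, `openssl req` and `openssl x509`. The OpenSSL CONF
# parser treats `#` to end of line as a comment, and `$dir` is expanded
# from the `dir` key defined earlier in the same section.
####################################################################

[ ca ]
# Section used by `openssl ca` when -name is not given.
default_ca = CA_default

####################################################################
[ CA_default ]
# CA home directory; every path below is relative to it.
dir = /etc/CA
# Issued certificates.
certs = $dir/certs
# Issued CRLs.
crl_dir = $dir/crl
# Text index of issued / revoked certificates (serial, status, subject).
database = $dir/index.txt
# Freshly issued certificates, one file per serial number.
new_certs_dir = $dir/newcerts
# The CA certificate.
certificate = $dir/hosso.com-ca.crt
# Serial number of the next certificate to issue.
serial = $dir/serial
# The current CRL.
crl = $dir/crl.pem
# The CA private key. Keep $dir/private mode 0700 and owned by the CA user:
# anyone who can read this file can issue certificates trusted by the CA.
private_key = $dir/private/hosso.com-ca.key
# Seed file for the random number generator (no longer used by
# OpenSSL >= 1.1.1, harmless to leave in place).
RANDFILE = $dir/private/.rand
# Extensions added to end-entity certificates issued by `openssl ca`.
x509_extensions = usr_cert

# Copy extensions (e.g. subjectAltName) from the CSR into the certificate.
# Only extensions that [ usr_cert ] does not already set are copied, so
# [ usr_cert ] must keep basicConstraints explicit -- otherwise a requester
# could supply CA:TRUE in the CSR. Left disabled until that is understood.
# copy_extensions = copy

# Emit V2 CRLs carrying authorityKeyIdentifier (see [ crl_ext ]). The old
# reason for staying on V1 CRLs -- Netscape Communicator compatibility --
# no longer applies, and current validators use the AKI to match a CRL
# to its issuing key.
crl_extensions = crl_ext

# Default validity (days) of issued certificates. Ten years is very long
# for an end-entity certificate: revocation is the only recourse once a
# key leaks, and many clients now cap accepted lifetimes. Shorten this
# (for example 365) unless there is a specific reason not to.
default_days = 3650
# Days a CRL is valid before relying parties must fetch a fresh one.
default_crl_days = 30
# Signature hash. MD5 is broken (chosen-prefix collisions let an attacker
# craft a different certificate that carries the same signature) and is
# rejected by current TLS stacks; SHA-256 is the minimum.
default_md = sha256
# Keep the subject DN in the order the request supplied it.
preserve = no

# Issuance policy applied to each request's subject DN.
# The named policy section decides, per attribute, whether the value must
# equal the CA's own DN (match), must be present (supplied) or may be
# empty (optional). A request that satisfies the policy is only *allowed*
# to be signed; the operator still confirms each issuance interactively
# unless `openssl ca -batch` is used.
policy = policy_anything

# Strict policy: the request must belong to the CA's own country and
# organisation, and must carry a common name.
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Loose policy: country, organisational unit and common name must be
# present; everything else may be empty. (commonName is required here so
# that no certificate is issued with an empty subject and no SAN.)
[ policy_anything ]
countryName = supplied
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

####################################################################
# Defaults for `openssl req` (certificate requests and the CA's own
# self-signed certificate).
[ req ]
# RSA key size when `openssl req -newkey rsa` is given no size.
# 1024-bit RSA is within reach of well-funded attackers and is rejected
# by modern clients; 2048 is the minimum, 3072 or 4096 for the CA key.
default_bits = 2048
# Private key written when -keyout is not given.
default_keyfile = privkey.pem
# Prompts and defaults for the subject DN.
distinguished_name = req_distinguished_name
# Extra request attributes.
attributes = req_attributes
# Extensions used when `openssl req -x509` creates the CA certificate.
x509_extensions = v3_ca

# Passphrase for the private key; if absent OpenSSL prompts for it.
# Do not put a real passphrase here -- this file is usually world-readable.
# input_password = secret
# output_password = secret

# Permitted string types for DN attributes:
#   default:  PrintableString, T61String, BMPString
#   pkix:     PrintableString, BMPString
#   utf8only: UTF8String only (what RFC 5280 requires for new certificates)
#   nombstr:  PrintableString, T61String (no BMPString or UTF8String)
#   MASK:XXXX a literal mask value
# utf8only is the current OpenSSL default. `nombstr` was only needed for
# Netscape-era browsers and encodes non-ASCII (e.g. Japanese) names as
# T61String, which many validators cannot compare reliably. ASCII-only
# values are encoded as PrintableString under either setting.
string_mask = utf8only

# Extensions embedded in the request itself; pair with copy_extensions in
# [ CA_default ] if requesters are expected to supply subjectAltName.
# req_extensions = v3_req

# Subject DN prompts ("field = prompt text") and their defaults.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = JP
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Wakayama

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
#0.organizationName_default =

# A second organizationName is not used by this CA.
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = fieldhouse.co.jp

# For TLS server certificates the hostname must also appear in
# subjectAltName; browsers no longer match hostnames against the CN.
commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40

# SET-ex3 = SET extension number 3

# Extra attributes stored in the request (they do not reach the certificate).
[ req_attributes ]
# The challenge password is stored in the CSR in clear text and plays no
# cryptographic role in `openssl ca`; it may be left blank at the prompt.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

####################################################################
# Extensions for end-entity certificates issued with `openssl ca`.
[ usr_cert ]
# Marks the certificate as not a CA. PKIX allows omitting the extension
# for end entities, but some software treats a missing basicConstraints
# as CA:TRUE, so always emit it -- it is also what stops copy_extensions
# from honouring a CA:TRUE smuggled in through a CSR.
basicConstraints = CA:FALSE

# Legacy Netscape certificate type. If omitted the certificate may be used
# for anything except object signing, which is fine for a TLS server.
# nsCertType = server
# nsCertType = objsign
# nsCertType = client, email
# nsCertType = client, email, objsign

# Without keyUsage / extendedKeyUsage the certificate is unconstrained: a
# server certificate can also be presented as a client certificate or used
# for S/MIME. Enable these (or split into per-purpose sections selected
# with `openssl ca -extensions`) to limit what a leaked key can do.
# keyUsage = critical, digitalSignature, keyEncipherment
# extendedKeyUsage = serverAuth, clientAuth

# Shown in Netscape's certificate comment box; harmless.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommends both in every certificate; validators use them to chain
# the certificate to the issuing CA key.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# subjectAltName / issuerAltName examples.
# subjectAltName = email:copy
# issuerAltName = issuer:copy

# Netscape-only URL extensions; obsolete, kept for reference.
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# Extensions embedded in a request when req_extensions = v3_req is set.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Extensions for the CA certificate itself (`openssl req -x509`).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# RFC 5280 requires basicConstraints to be critical in CA certificates.
# The old "broken software chokes on critical extensions" concern dates
# from the 1990s and is no longer a reason to leave it non-critical.
basicConstraints = critical, CA:true

# Restrict the CA key to signing certificates and CRLs. Without this the
# CA certificate could also be presented directly as a TLS server or
# client certificate. Comment it out only for a throwaway self-signed
# test certificate that must serve both roles.
keyUsage = critical, cRLSign, keyCertSign

# Legacy Netscape CA type.
# nsCertType = sslCA, emailCA

# subjectAltName = email:copy
# issuerAltName = issuer:copy

# Raw DER-encoded extensions -- experts only. `obj` may be a standard or
# added object, and a supported extension can be overridden this way.
# obj = DER:02:03
# basicConstraints = critical, DER:30:03:01:01:FF

# CRL extensions. Only issuerAltName and authorityKeyIdentifier make sense
# in a CRL.
[ crl_ext ]
# issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always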