kris
/
optee_eng
镜像来自 https://github.com/henrydcase/optee_eng.git
1
0
複製 0
程式碼 問題管理 0 版本發佈 1 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commit
2 分支
252 KiB
 
 
 
 
 
 
目錄樹: 71733d10fb
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from '71733d10fb'
${ noResults }
optee_eng/cfg/openssl.cnf

138 line
4.6 KiB
原始文件 Blame 文件歷史 

  1. [ ca ]

  2. # `man ca`

  3. default_ca = CA_default

  4. 

  5. [ CA_default ]

  6. # Directory and file locations.

  7. dir               = .

  8. certs             = $dir/certs

  9. crl_dir           = $dir/crl

  10. new_certs_dir     = $dir/newcerts

  11. database          = $dir/index.txt

  12. serial            = $dir/serial

  13. RANDFILE          = $dir/private/.rand

  14. 

  15. # The root key and root certificate.

  16. private_key       = $dir/root.key

  17. certificate       = $dir/root.pem

  18. 

  19. # For certificate revocation lists.

  20. crlnumber         = $dir/crlnumber

  21. crl               = $dir/crl/intermediate.crl.pem

  22. crl_extensions    = crl_ext

  23. default_crl_days  = 30

  24. 

  25. # SHA-1 is deprecated, so use SHA-2 instead.

  26. default_md        = sha256

  27. 

  28. name_opt          = ca_default

  29. cert_opt          = ca_default

  30. default_days      = 9999

  31. preserve          = no

  32. policy            = policy_loose

  33. 

  34. [ policy_strict ]

  35. # The root CA should only sign intermediate certificates that match.

  36. # See the POLICY FORMAT section of `man ca`.

  37. countryName             = match

  38. stateOrProvinceName     = match

  39. organizationName        = match

  40. organizationalUnitName  = optional

  41. commonName              = supplied

  42. emailAddress            = optional

  43. 

  44. [ policy_loose ]

  45. # Allow the intermediate CA to sign a more diverse range of certificates.

  46. # See the POLICY FORMAT section of the `ca` man page.

  47. countryName             = optional

  48. stateOrProvinceName     = optional

  49. localityName            = optional

  50. organizationName        = optional

  51. organizationalUnitName  = optional

  52. commonName              = supplied

  53. emailAddress            = optional

  54. 

  55. [ req ]

  56. # Options for the `req` tool (`man req`).

  57. default_bits        = 4096

  58. distinguished_name  = req_distinguished_name

  59. string_mask         = utf8only

  60. 

  61. [ req_distinguished_name ]

  62. countryName                     = Country Name (2 letter code)

  63. stateOrProvinceName             = State or Province Name (full name)

  64. localityName                    = Locality Name (eg, city)

  65. organizationalUnitName          = Organizational Unit Name (eg, section)

  66. commonName                      = Common Name

  67. 

  68. stateOrProvinceName_default     = City of London

  69. countryName_default             = UK

  70. localityName_default            = London

  71. organizationalUnitName_default  = Among Bytes, Lab Testng

  72. commonName_default              = www.pqsdk.com

  73. commonName_max                  = 64

  74. 

  75. [ v3_ca ]

  76. # Extensions for a typical CA (`man x509v3_config`).

  77. subjectKeyIdentifier        = hash

  78. authorityKeyIdentifier      = keyid:always,issuer

  79. basicConstraints            = critical, CA:true

  80. keyUsage                    = critical, digitalSignature, cRLSign, keyCertSign

  81. 

  82. [ v3_intermediate_ca ]

  83. # Extensions for a typical intermediate CA (`man x509v3_config`).

  84. subjectKeyIdentifier        = hash

  85. authorityKeyIdentifier      = keyid:always,issuer

  86. basicConstraints            = critical, CA:true

  87. keyUsage                    = critical, digitalSignature, cRLSign, keyCertSign

  88. extendedKeyUsage            = serverAuth, clientAuth

  89. 

  90. [ usr_cert ]

  91. # Extensions for client certificates (`man x509v3_config`).

  92. basicConstraints        = CA:FALSE

  93. nsCertType              = client, email

  94. nsComment               = 'Among Bytes, Lab Testng, Intermediate Cert'

  95. subjectKeyIdentifier    = hash

  96. authorityKeyIdentifier  = keyid,issuer

  97. keyUsage                = critical, nonRepudiation, digitalSignature, keyEncipherment

  98. extendedKeyUsage        = clientAuth, emailProtection

  99. 

  100. [ server_cert ]

  101. # Extensions for server certificates (`man x509v3_config`).

  102. basicConstraints        = CA:FALSE

  103. nsCertType              = server

  104. nsComment               = 'Among Bytes, Lab Testng, TLS Server'

  105. subjectKeyIdentifier    = hash

  106. authorityKeyIdentifier  = keyid,issuer:always

  107. keyUsage                = critical, digitalSignature, keyEncipherment

  108. extendedKeyUsage        = serverAuth

  109. subjectAltName          = @alt_names

  110. 

  111. [ client_cert ]

  112. # Extensions for server certificates (`man x509v3_config`).

  113. basicConstraints        = CA:FALSE

  114. nsCertType              = client, email

  115. nsComment               = 'Among Bytes, Lab Testng, TLS Client'

  116. subjectKeyIdentifier    = hash

  117. authorityKeyIdentifier  = keyid,issuer

  118. keyUsage                = critical, nonRepudiation, digitalSignature, keyEncipherment

  119. extendedKeyUsage        = clientAuth, emailProtection

  120. 

  121. [ crl_ext ]

  122. # Extension for CRLs (`man x509v3_config`).

  123. authorityKeyIdentifier  = keyid:always

  124. 

  125. [ ocsp ]

  126. # Extension for OCSP signing certificates (`man ocsp`).

  127. basicConstraints        = CA:FALSE

  128. subjectKeyIdentifier    = hash

  129. authorityKeyIdentifier  = keyid,issuer

  130. keyUsage                = critical, digitalSignature

  131. extendedKeyUsage        = critical, OCSPSigning

  132. 

  133. [alt_names]

  134. DNS.1   = www.pqsdk.com

  135. DNS.2   = iot.pqsdk.com

  136. DNS.3   = vpn.pqsdk.com

  137. DNS.4   = *.pqsdk.com