#
# OpenSSL configuration file for use with OpenSCEP
#
# for details about the syntax please consult doc/openssl.txt in the 
# OpenSSL distribution
#
# (c) 2001 Dr. Andreas Mueller, Beratung und Entwicklung
#
# $Id: openscep.cnf.in,v 1.9 2002/02/19 23:40:07 afm Exp $
#
HOME		= OPENSCEPDIR
RANDFILE	= $ENV::HOME/.rnd
DIR		= OPENSCEPDIR		# where everything is kept

oid_section	= scep_oids

[ ca ]
default_ca	= OpenSCEP

[ OpenSCEP ]
dir		= OPENSCEPDIR		# where everything is kept
certs		= $dir/certs		# where the issued certs are kept
crl_dir		= $dir/crl		# where the issued crl are kept
database	= $dir/index.txt	# index of issued certs
new_certs_dir	= $dir/newcerts		# default place for new certs

certificate	= $dir/cacert.pem	# CA certificate
private_key	= $dir/cakey.pem	# CA private key
serial		= $dir/serial		# current serial number
crl		= $dir/crl.pem		# current CRL
RANDFILE	= $dir/.rnd

x509_extensions	= scep_cert
default_md	= md5

default_days	= 1827
default_crl_days	= 10

[ policy_unstructured ]
unstructuredName	= optional
#commonName		= optional
#organizationalUnitName	= optional
#organizationName	= optional
#countryName		= optional

[ policy_user ]
countryName		= match
#stateOrProvinceName	= optional
#localityName		= optional
organizationName	= match
#organizationalUnitName	= optional
commonName		= supplied
#emailAddress		= optional

[ scep_oids ]
messageType=2.16.840.1.113733.1.9.2
pkiStatus=2.16.840.1.113733.1.9.3
failInfo=2.16.840.1.113733.1.9.4
senderNonce=2.16.840.1.113733.1.9.5
recipientNonce=2.16.840.1.113733.1.9.6
transId=2.16.840.1.113733.1.9.7
extensionReq=2.16.840.1.113733.1.9.8
proxyAuthenticator=1.3.6.1.4.1.4263.5.5	# from othello enterprise number range

[ scep_cert ]
basicConstraints	= CA:FALSE
nsComment		= "OpenSCEP certificate"
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid,issuer:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
crlDistributionPoints	= @crldp

# Certificate Revocation List distribution points
[ crldp ]
URI = ldap://bosco.othello.ch/CN=OpenSCEP,O=othello,C=CH?certificateRevocationList

[ req ]
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions		= v3_ca

[ req_distinguished_name ]
countryName			= Country Name
countryName_default		= CH
countryName_min			= 2
countryName_max			= 2

#stateOrProvinceName		= State or Province Name (full name)
#stateOrProvinceName_default	= Ticino

#localityName			= Locality Name (eg, city)
#localityName_default		= Bosco/Gurin

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Othello

commonName			= Common Name (eg, your name)
commonName_max			= 64

#emailAddress			= Email Address
#emailAddress_max		= 40

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= optional company name (unstructured)

[ scepd ]
name = OpenSCEP
cacert = $DIR/cacert.pem
cakey = $DIR/cakey.pem
crl =  $DIR/crl.pem
grantcmd = /usr/local/sbin/scepgrant
automatic = true
debug = 0
logfile = /var/log/sceplog
openssl = OPENSSLCMD
crlusers = carmen afm
crlpublic = true
transidcheck = yes
proxycommunity = cvurg3nfnbvbt75

[ ldap ]
ldaphost = bosco.othello.ch
ldapport = 389
ldapbase = "O=othello,C=CH"
binddn = "cn=root,O=othello,C=CH"
bindpw = "secret"
ldapmodify = LDAPMODIFYCMD
ldapsearch = LDAPSEARCHCMD