[default] batch = 1 # do not use stdin total_timeout = 20 # is used to prevent, e.g., infinite polling due to error; # should hopefully be enough to cover delays caused by the underlying system trusted = trusted.crt newkey = new.key newkeypass = cmd = ir out_trusted = root.crt #certout = test.cert.pem policies = certificatePolicies #policy_oids = 1.2.3.4 #policy_oids_critical = 1 #verbosity = 7 ############################# server-dependent configurations [Mock] # the built-in OpenSSL CMP mock server # no_check_time = 1 server_host = * # to be determined by server: 127.0.0.1 or ::1 (localhost) server_port = 0 # 0 means that the port is determined by the server server_tls = $server_port server_cert = server.crt # server = $server_host:$server_port server_path = pkix/ path = $server_path ca_dn = /CN=Root CA recipient = $ca_dn server_dn = /CN=server.example expect_sender = $server_dn subject = "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=leaf" newkey = signer.key out_trusted = signer_root.crt kur_port = $server_port pbm_port = $server_port pbm_ref = pbm_secret = pass:test cert = signer.crt key = signer.p12 keypass = pass:12345 ignore_keyusage = 0 column = 0 sleep = 0 ############################# aspects [connection] total_timeout = # reset any TLS options to default: tls_used = tls_cert = tls_key = tls_keypass = tls_trusted = tls_host = [tls] server = tls_used = tls_cert = tls_key = tls_keypass = tls_trusted = tls_host = [credentials] ref = secret = cert = key = keypass = extracerts = digest = unprotected_requests = [verification] #expect_sender = srvcert = trusted = untrusted = #unprotected_errors = extracertsout = [commands] cmd = certout = cacertsout = infotype = oldcert = revreason = geninfo = [enrollment] cmd = newkey = newkeypass = #subject = issuer = days = reqexts = sans = san_nodefault = 0 #popo = implicit_confirm = 0 disable_confirm = 0 certout = out_trusted = oldcert = csr = ############################# extra cert template contents [certificatePolicies] certificatePolicies = "critical, @pkiPolicy" [pkiPolicy] policyIdentifier = 1.2.3.4 [reqexts] basicConstraints = CA:FALSE #basicConstraints = critical, CA:TRUE keyUsage = critical, digitalSignature # keyAgreement, keyEncipherment, nonRepudiation extendedKeyUsage = critical, clientAuth # serverAuth, codeSigning #crlDistributionPoints = URI:http: #authorityInfoAccess = URI:http: subjectAltName = @alt_names [alt_names] DNS.0 = localhost IP.0 = 127.0.0.1 IP.1 = 192.168.1.1 URI.0 = http://192.168.0.2 [reqexts_invalidkey] subjectAltName = @alt_names_3 [alt_names_3] DNS.0 = localhost DNS.1 = xn--rksmrgs-5wao1o.example.com DNS.2 = xn--rkmacka-5wa.example.com DNS__3 = xn--rksallad-0za.example.com