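# Fallback values for the CMP client test runs. OpenSSL's config lookup falls
# back to [default] for any key that a selected section does not set itself.
# (Line-number residue that had been fused onto every line is removed here;
# with it, neither the section header nor the keys would parse.)
[default]
batch = 1 # do not use stdin
total_timeout = 20  # is used to prevent, e.g., infinite polling due to error;
# should hopefully be enough to cover delays caused by the underlying system
# Trust anchors used when verifying signature-based protection of CMP responses.
trusted = trusted.crt
newkey = new.key
# Empty pass phrase source: new.key is presumably stored unencrypted, which is
# only acceptable for a throwaway test key -- confirm against the test data.
newkeypass =
# ir = initialization request (first-time enrollment).
cmd = ir
# Trust anchors for validating the newly enrolled certificate before accepting it.
out_trusted = root.crt
#certout = test.cert.pem
# Name of the section below that defines the certificatePolicies extension.
policies = certificatePolicies
#policy_oids = 1.2.3.4
#policy_oids_critical = 1
#verbosity = 7
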
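############################# server-dependent configurations

# Settings for runs against the built-in mock server. Keys that are not CMP
# client options (server_host, server_port, server_tls, server_cert,
# server_path, ca_dn, server_dn, kur_port, pbm_port, pbm_ref, pbm_secret,
# column, sleep) are presumably read by the test harness -- TODO confirm.
# NOTE(review): every secret in this section is a fixed, published test value.
# The "pass:" source keeps the secret readable by anyone who can read this
# file; outside a test fixture prefer the "env:", "file:" or "fd:" sources
# and restrict the file's permissions.
[Mock] # the built-in OpenSSL CMP mock server
# no_check_time = 1
server_host = * # to be determined by server: 127.0.0.1 or ::1 (localhost)
server_port = 0 # 0 means that the port is determined by the server
server_tls = $server_port
server_cert = server.crt
# server = $server_host:$server_port
server_path = pkix/
path = $server_path
ca_dn = /CN=Root CA
recipient = $ca_dn
server_dn = /CN=server.example
# Pins the DN expected in the sender field of responses, so that a message
# signed by some other certificate under the same trust anchors is rejected.
expect_sender = $server_dn
subject = "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=leaf"
# newkey and out_trusted shadow the [default] values while this section is active.
newkey = signer.key
out_trusted = signer_root.crt
kur_port = $server_port
pbm_port = $server_port
pbm_ref =
# Test-only shared secret for password-based MAC protection.
pbm_secret = pass:test
cert = signer.crt
key  = signer.p12
# Test-only pass phrase for signer.p12.
keypass = pass:12345
# 0 keeps the key-usage check on CMP signer certificates enabled.
ignore_keyusage = 0
column = 0
sleep = 0
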
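############################# aspects

# Baseline for the connection test cases: every option is given an empty
# value, presumably so that each test case sets only what it exercises.
[connection]
# Overrides the 20-second cap from [default] with an empty value.
# NOTE(review): confirm the connection tests cannot then poll indefinitely.
total_timeout =
# reset any TLS options to default:
tls_used =
tls_cert =
tls_key =
tls_keypass =
tls_trusted =
tls_host =
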
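# Baseline for the TLS test cases; all options start empty and the individual
# test cases presumably supply the server address and TLS material.
[tls]
server =
tls_used =
tls_cert =
tls_key =
tls_keypass =
# Trust anchors for the TLS server certificate. With this left empty the
# baseline does not authenticate the TLS peer; a test that turns TLS on
# needs to set it (and tls_host when the name to check differs from server).
tls_trusted =
tls_host =
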
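# Baseline for the client-credential test cases: both the shared-secret
# (ref/secret) and the signature-based (cert/key/keypass) credentials start
# empty so that each test case selects one explicitly.
[credentials]
ref =
secret =
cert =
key =
keypass =
extracerts =
digest =
# When enabled, requests are sent without CMP-level protection; left empty
# here so that only the test cases covering that mode turn it on.
unprotected_requests =
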
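# Baseline for the response-verification test cases; the trust inputs start
# empty and are presumably set per test case.
[verification]
#expect_sender =
# srvcert pins one specific server certificate; trusted/untrusted instead
# provide trust anchors and intermediates for building a chain.
srvcert =
trusted =
untrusted =
# unprotected_errors would accept negative responses whose protection is
# missing or invalid; it stays commented out in this baseline.
#unprotected_errors =
extracertsout =
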
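# Baseline for the command test cases: the command and its per-command
# inputs/outputs start empty, presumably to be set by each test case.
[commands]
cmd =
certout =
cacertsout =
infotype =
oldcert =
revreason =
geninfo =
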
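# Baseline for the enrollment test cases; request contents and output files
# start empty and are presumably set per test case.
[enrollment]
cmd =
newkey =
newkeypass =
#subject =
issuer =
days =
reqexts =
sans =
# 0 leaves default Subject Alternative Names from the reference certificate in use.
san_nodefault = 0
#popo =
# 0 means the client does not ask the server for implicit confirmation.
implicit_confirm = 0
# 0 keeps the certificate confirmation message being sent; skipping it
# deviates from RFC 4210, so 0 is the compliant setting.
disable_confirm = 0
certout =
# Emptied here, so the enrolled certificate is not validated against a trust
# anchor unless the test case sets out_trusted again.
out_trusted =
oldcert =
csr =
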
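############################# extra cert template contents

# Certificate-policies extension requested in the certificate template; this
# section is the one named by "policies" in [default].
[certificatePolicies]
# "critical" marks the extension as critical; @pkiPolicy pulls in the section below.
certificatePolicies = "critical, @pkiPolicy"

[pkiPolicy]
# 1.2.3.4 looks like a placeholder OID, not a registered policy -- test data only.
policyIdentifier = 1.2.3.4
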
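# X.509 extensions requested for the new certificate: an end-entity profile
# (not a CA) limited to digital signatures and TLS client authentication.
# These are only requests; the issuing CA decides what ends up in the certificate.
[reqexts]
basicConstraints = CA:FALSE
# The commented-out alternative would request a CA certificate instead.
#basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature # keyAgreement, keyEncipherment, nonRepudiation
extendedKeyUsage = critical, clientAuth # serverAuth, codeSigning
#crlDistributionPoints = URI:http:
#authorityInfoAccess = URI:http:
subjectAltName = @alt_names
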
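# Subject Alternative Names referenced from [reqexts]. All values are
# loopback or private-range test addresses, not real hosts.
[alt_names]
DNS.0 = localhost
IP.0 = 127.0.0.1
IP.1 = 192.168.1.1
URI.0 = http://192.168.0.2
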
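# Extension set whose subjectAltName section contains a malformed entry;
# judging by the section name it presumably drives a negative test.
[reqexts_invalidkey]
subjectAltName = @alt_names_3

[alt_names_3]
DNS.0 = localhost
# The xn-- labels are punycode-encoded internationalized domain names.
DNS.1 = xn--rksmrgs-5wao1o.example.com
DNS.2 = xn--rkmacka-5wa.example.com
# NOTE(review): "DNS__3" does not follow the DNS.<n> key form used above;
# it is presumably the deliberate invalid key, so do not "correct" it.
DNS__3 = xn--rksallad-0za.example.com
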