Sortix cross-nightly manual
This manual documents Sortix cross-nightly. You can instead view this document in the latest official manual.
NAME
openssl.cnf — OpenSSL configuration filesDESCRIPTION
The OpenSSL CONF library can be used to read configuration files; see CONF_modules_load_file(3). It is used for the OpenSSL master configuration file /etc/ssl/openssl.cnf and in a few other places like SPKAC files and certificate extension files for the openssl(1) x509 utility. OpenSSL applications can also use the CONF library for their own purposes.#
’ character..
’ ‘,
’ ‘;
’ and ‘_
’.=
’ character until the end of the line with any leading and trailing whitespace removed.\
’ character. By making the last character of a line a ‘\
’, a value string can be spread across multiple lines. In addition the sequences ‘\n
’, ‘\r
’, ‘\b
’, and ‘\t
’ are recognized.OPENSSL LIBRARY CONFIGURATION
Applications can automatically configure certain aspects of OpenSSL using the master OpenSSL configuration file, or optionally an alternative configuration file. The openssl(1) utility includes this functionality: any sub command uses the master OpenSSL configuration file unless an option is used in the sub command to use an alternative configuration file.# The following line must be in the default section. openssl_conf = openssl_init [openssl_init] oid_section = new_oids [new_oids] ... new oids here ...
ASN1 Object Configuration Module
This module has the name oid_section. The value of this variable points to a section containing name value pairs of OIDs: the name is the OID short and long name, and the value is the numerical form of the OID. Although some of the openssl(1) utility subcommands already have their own ASN1 OBJECT section functionality, not all do. By using the ASN1 OBJECT configuration module, all the openssl(1) utility subcommands can see the new objects as well as any compliant applications. For example:[new_oids] some_new_oid = 1.2.3.4 some_other_oid = 1.2.3.5
shortName = some object long name, 1.2.3.4
FILES
- /etc/ssl/openssl.cnf
- standard configuration file
EXAMPLES
Here is a sample configuration file using some of the features mentioned above:# This is the default section. HOME=/temp RANDFILE= ${ENV::HOME}/.rnd configdir=$ENV::HOME/config [ section_one ] # We are now in section one. # Quotes permit leading and trailing whitespace any = " any variable name " other = A string that can \ cover several lines \ by including \\ characters message = Hello World\n [ section_two ] greeting = $section_one::message
TMP=/tmp # The above value is used if TMP isn't in the environment TEMP=$ENV::TMP # The above value is used if TEMP isn't in the environment tmpfile=${ENV::TEMP}/tmp.filename
# Default appname: should match "appname" parameter (if any) # supplied to CONF_modules_load_file et al. openssl_conf = openssl_conf_section [openssl_conf_section] # Configuration module list oid_section = new_oids [new_oids] # New OID, just short name newoid1 = 1.2.3.4.1 # New OID shortname and long name newoid2 = New OID 2 long name, 1.2.3.4.2
OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
0:d=0 hl=2 l= 4 prim: OBJECT :newoid1
CAVEATS
If a configuration file attempts to expand a variable that doesn't exist, then an error is flagged and the file will not load. This can also happen if an attempt is made to expand an environment variable that doesn't exist. For example, in a previous version of OpenSSL the default OpenSSL master configuration file used the value of HOME which may not be defined on non Unix systems and would cause an error..
’, for example:1.OU="My first OU" 2.OU="My Second OU"
BUGS
Currently there is no way to include characters using the octal \nnn form. Strings are all NUL terminated, so NUL bytes cannot form part of the value.\n
’, you can't use any quote escaping on the same line.