The OpenSSL configuration file provides SSL defaults for items such
as:
- The location of your certificate files and keys.
- Your Distinguished Name. This comprises the details of your site (your
Common Name, your locality, and so on). Initially your Distinguished Name
comprises the details you entered during installation.
- Defaults for the openssl ca command, including the policy that specifies
which elements of the Distinguished Name are required in a certificate request.
The configuration file is called openssl.cnf by default and, in this
distribution, is in the same directory as openssl.exe. You can specify a
different configuration file by setting the OPENSSL_CONF environment variable,
or by passing the -config option to an individual command such as openssl req
or openssl ca, or you can keep alternative configurations within one
configuration file and select between them.
The configuration file is a text file and comprises several sections, such
as:
- The ca section, which configures the CA. You can
have several CA configuration sections, each specifying a different
configuration for a different CA, and switch between them by changing the
default_ca option in the ca section. You can also override this choice from
the command line, using the -name parameter of openssl ca. This is
useful in development and testing, enabling you to try out different
configurations without editing the file.
- The policy section, named by the policy option in the CA configuration
section, which specifies, for each Distinguished Name field, whether the value
in a certificate request must be the same as the value in the CA certificate
(match), must merely be present (supplied), or may be omitted (optional). The
CA signs a request only if it satisfies the selected policy.
- The req section, which configures the openssl req
command.
- The distinguished_name section, which specifies
the Distinguished Name fields that the openssl req command prompts for, with
their default values and length limits, when it creates a certificate request
or a self-signed certificate. The actual name of this section is specified in
the distinguished_name entry in the req section. This enables you to switch
between different distinguished_name configurations by changing the entry in
the req section.
- The attributes section, which holds request attributes such as
challengePassword or unstructuredName. Like the distinguished_name section, the
actual name of the attributes section is specified in the attributes entry in
the req section, so that you can have several attributes sections and switch
between them.
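The following configuration file is an added example illustrating how the sections described above fit together; it is not the openssl.cnf shipped with the product or with OpenSSL. The directory names under C:/ssl, the CA section names CA_production and CA_test, and the Distinguished Name defaults are assumptions chosen for illustration. Two CA sections share one file: default_ca selects CA_production, and openssl ca -name CA_test selects the other without editing the file. Each CA section names its own policy section, and the req section names the distinguished_name and attributes sections it uses.

```ini
# Added example openssl.cnf (not the product's file). Paths and section
# names below are assumptions. Paths use forward slashes because the
# config parser treats a backslash as an escape character, so C:\ssl\ca
# would not be read as intended; OpenSSL on Windows accepts C:/ssl/ca.

[ ca ]
default_ca = CA_production       # used by openssl ca unless -name overrides it

[ CA_production ]
dir              = C:/ssl/ca                # absolute path; $dir expands below
certificate      = $dir/cacert.pem          # the CA certificate
private_key      = $dir/private/cakey.pem   # the CA private key; restrict access
new_certs_dir    = $dir/newcerts            # copies of issued certificates
database         = $dir/index.txt           # index of issued certificates
serial           = $dir/serial              # next serial number
default_md       = sha256
default_days     = 365
policy           = policy_match             # DN rules applied to each request

[ CA_test ]
dir              = C:/ssl/ca-test
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
default_md       = sha256
default_days     = 30                       # short-lived test certificates
policy           = policy_anything          # relaxed DN rules for testing

# match    : the request's value must equal the CA certificate's value
# supplied : the field must be present in the request
# optional : the field may be omitted
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = yes
distinguished_name = req_dn_server   # change this line to switch DN configurations
attributes         = req_attrs       # change this line to switch attribute sets

# Prompts, defaults (_default) and length limits (_min, _max) for openssl req
[ req_dn_server ]
countryName                 = Country Name (2 letter code)
countryName_default         = GB
countryName_min             = 2
countryName_max             = 2
stateOrProvinceName         = State or Province Name (full name)
organizationName            = Organization Name (company)
organizationName_default    = Example Ltd
commonName                  = Common Name (fully qualified host name)
commonName_max              = 64

[ req_attrs ]
challengePassword      = A challenge password
challengePassword_min  = 4
challengePassword_max  = 20
unstructuredName       = An optional company name
```

With this file, openssl req -config C:/ssl/openssl.cnf -new -key server.key -out server.csr prompts for the fields in req_dn_server and req_attrs, and openssl ca -config C:/ssl/openssl.cnf -in server.csr -out server.pem signs the request against the production CA and policy_match, so a request whose organizationName differs from the CA certificate's is rejected. Adding -name CA_test to the same openssl ca command signs with the test CA and policy_anything instead.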
In the options in the configuration file, give all filenames complete with
an absolute path. A relative path is resolved against the current working
directory of the openssl command, not against the directory that contains the
configuration file, so it breaks when the command is run from elsewhere.
For full details, see OpenSSL CA function on the MKS Software site and page
down to the section on the Configuration File.