Commit e82a7348 authored by SZ Lin (林上智)'s avatar SZ Lin (林上智)

Import debian repo.

parent 4b5c186b
OpenVAS in Debian
-----------------
How to use OpenVAS?
-------------------
As the root user:
* Check that you have proper SSL certificates at /var/lib/openvas/CA;
if the directory is empty, set up the server certificate with
`openvas-mkcert'. (Note: certificates are generated automatically
when the openvas-scanner package is installed.)
* Set up a user with `openvas-adduser'.
- If you wish to set up certificate-based authentication: set up the client
certificate with `openvas-mkcert-client' and save the private key.
* Run either '/etc/init.d/openvas-scanner start' or `openvassd' in order to
start the daemon.
As a normal user, on either the system where OpenVAS (the server) is installed
or on another system:
* If using certificates for authentication, copy over the private
key generated before to your HOME directory.
* In an X session start the OpenVAS-Client program (you need to have the
`openvas-client' package installed on the system you are working on)
by executing `openvas-client' from a shell or from your Desktop's
menu (it should be available at Applications --> System tools).
* Set up a connection to the machine where OpenVAS (the server) is
running. If you are running both on the same machine, select 'localhost'. If
you are running the server on a different system:
- verify that there are no firewall rules blocking the client from
connecting to the OpenVAS server (TCP port 4391);
- verify that the TCP wrappers configuration (/etc/hosts.{allow,deny})
allows the client to connect to the server (be careful if
'ALL: PARANOID' is defined in /etc/hosts.deny and the client has no
reverse name resolution).
* Depending on how you set up the user with `openvas-adduser', you have
to either use a username/password or select the private key of the
certificate generated using 'openvas-mkcert-client'.
* Set up a test security analysis run against a server.
OpenVAS includes a test that detects whether the scanner itself is running on a
host, because a running scanner is a potential security problem; so it would
not be wise to start it automatically on boot-up.
Remember to `killall openvassd' (as root) after you finish with `openvassd'.
The package installs an init script for openvassd at /etc/init.d/openvas-scanner,
courtesy of Luca Andreucci <andrew@andrew.org> and others. By default, this
init script is not run when the system starts up; it is only configured
to stop openvassd when the system stops (to prevent it from being killed and
give it a chance to stop gracefully).
If you want to use that init script to start up openvassd, you just have to
execute '/etc/init.d/openvas-scanner start' and you are done.
If you want to have the init scripts run on system startup, then either run:
# update-rc.d -f remove openvas-scanner
# update-rc.d openvas-scanner defaults
or run:
# for rc in 3 4 5 ; do cd /etc/rc${rc}.d/ && ln -s ../init.d/openvas-scanner S20openvas-scanner; done
to set up the symbolic links properly.
Debian defaults
---------------
Before you change Debian's openvassd.conf file (available at
/etc/openvas/) consider this:
0.- Signature checks (nasl_no_signature_check) only apply to "trusted"
plugins, and those are the plugins that do remote local security checks
(through SSH connections that need to be preconfigured by the OpenVAS admin).
1.- You shouldn't give access to the OpenVAS daemon to users you don't trust,
or allow them to upload plugins. Giving access to users is equivalent to
allowing them to launch remote attacks against any system your OpenVAS server is
connected to. If you have local security checks, it is equivalent to granting
them SSH access to the remote hosts you have configured (if any).
2.- The openvas-plugins package does _not_ automatically run
openvas-update-plugins; you have to do this manually. Review the plugins
retrieved by this before you run your OpenVAS server.
3.- Be careful when setting up remote SSH access so that OpenVAS can run
local security checks, since you are (effectively) giving console access
to remote servers. Always use a non-root account for this.
4.- Also be aware that by default openvassd only listens on port 9390 on
127.0.0.1. If you wish to change this, then check out /etc/default/openvas-scanner.
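Point 4 above is the setting most worth checking after an install or an upgrade: the scanner is only safe to leave running because it is bound to the loopback address. The following shell script is an added example, not part of the Debian package or of OpenVAS: it reads a file in the format of /etc/default/openvas-scanner without sourcing it and reports whether the configured listener is confined to the local host. SCANNER_ADDRESS and SCANNER_PORT are the variable names used by the packaged defaults file; the sample files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the Debian openvas-scanner package): audit the
# scanner's listener settings from an /etc/default/openvas-scanner style file
# and report whether openvassd would be reachable from other hosts.
# Assumes only the SCANNER_ADDRESS= / SCANNER_PORT= assignments used by the
# packaged defaults file; the sample files at the bottom are constructed.

# Pull one KEY=value assignment out of a defaults file. The file is parsed,
# not sourced, so auditing it never executes anything it might contain.
default_value() {   # $1 = file, $2 = variable name
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Classify a listen address: loopback, any (all interfaces), unset, or other.
classify_listener() {
    case "$1" in
        "")                   echo unset ;;
        127.*|::1|localhost)  echo loopback ;;
        0.0.0.0|::)           echo any ;;
        *)                    echo other ;;
    esac
}

# Return 0 when the scanner is confined to the local host, 1 when the
# setting needs review; print a one-line verdict either way.
audit_scanner_defaults() {   # $1 = defaults file
    addr=$(default_value "$1" SCANNER_ADDRESS)
    port=$(default_value "$1" SCANNER_PORT)
    port=${port:-"(unset)"}
    case "$(classify_listener "$addr")" in
        loopback)
            echo "OK: openvassd listens on ${addr} port ${port} (local clients only)"
            return 0 ;;
        any)
            echo "EXPOSED: openvassd listens on all interfaces, port ${port}"
            return 1 ;;
        unset)
            echo "REVIEW: SCANNER_ADDRESS is unset, so the init script passes no --listen option and the daemon's own default applies; confirm with 'ss -ltnp'"
            return 1 ;;
        *)
            echo "EXPOSED: openvassd listens on ${addr} port ${port}; confirm firewall and TCP-wrapper rules"
            return 1 ;;
    esac
}

# Demonstration on constructed sample files.
demo=$(mktemp -d)
cat > "$demo/default.conf" <<'EOF'
# constructed sample: the packaged default
SCANNER_ADDRESS=127.0.0.1
SCANNER_PORT=9391
EOF
cat > "$demo/lan.conf" <<'EOF'
# constructed sample: an administrator opened the scanner to the LAN
SCANNER_ADDRESS="192.0.2.10"
SCANNER_PORT=9391
EOF
audit_scanner_defaults "$demo/default.conf"
audit_scanner_defaults "$demo/lan.conf" || true
rm -rf "$demo"
```

The exit status is what a monitoring job or a post-upgrade check wants; the printed verdict is for the administrator. Parsing instead of sourcing matters because a defaults file is shell and is sourced as root by the init script, so an audit tool should never execute it.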
-------------------------------
Sun, 12 Oct 2008 12:54:51 +0100
Tim Brown <timb@nth-dimension.org.uk>
We use dpatch for patch handling inside our package(s). Please see
/usr/share/doc/dpatch/README.source.gz (if you have installed dpatch) for
documentation about dpatch.
- The log directory /var/log/openvas/ is also used by other packages
(openvas-manager), so we should not remove it on postrm.
- openvas-manager uses /var/lib/openvas/mgr/, so we should not remove this
content if we find it.
- Just in case, if upgrading from openvas-server, copy over the contents
from the old configuration files:
- /etc/default/openvas-server to /etc/default/openvas-scanner
- /etc/logrotate.d/openvas-server to /etc/logrotate.d/openvas-scanner
- /etc/openvas/openvasd.conf to /etc/openvas/openvassd.conf
in the preinst.
#!/bin/sh
set -e
. /usr/share/debconf/confmodule
db_input high openvas-scanner/enable_redis || true
db_go
exit 0
Source: openvas-scanner
Section: admin
Priority: optional
Maintainer: Debian OpenVAS Maintainers <openvas-distro-deb@wald.intevation.org>
Uploaders: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
Build-Depends: debhelper (>= 5), libgcrypt11-dev, libglib2.0-dev, libgnutls-dev, libopenvas4-dev (>= 4.0.0), libpcap-dev, libwrap0-dev, pkg-config, po-debconf, devscripts, dpatch, hardening-wrapper, cmake, doxygen
Maintainer: Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>
Uploaders: Stephan Kleine <bitshuffler@opensuse.org>,
ChangZhuo Chen (陳昌倬) <czchen@debian.org>,
SZ Lin (林上智) <szlin@cs.nctu.edu.tw>
Build-Depends: debhelper (>= 9.20151219),
dh-systemd,
cmake (>= 2.6),
pkg-config,
libglib2.0-dev,
libgcrypt11-dev,
libgnutls28-dev,
libpcap-dev,
libopenvas-dev (>= 8.0.2),
po-debconf,
doxygen
Standards-Version: 3.9.8
Homepage: http://www.openvas.org/
Vcs-Browser: https://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-packaging/openvas-scanner/debian/trunk/debian/?root=openvas
Vcs-Svn: https://svn.wald.intevation.org/svn/openvas/trunk/openvas-packaging/openvas-scanner/debian/trunk/debian/
Standards-Version: 3.8.3
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-security/openvas-scanner.git
Vcs-Git: https://anonscm.debian.org/cgit/pkg-security/openvas-scanner.git
Package: openvas-scanner
Section: net
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
Pre-Depends: redis-server (>= 2.4.0)
Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, redis-server (>= 2.4.0)
Replaces: openvas-server, openvas-plugins
Conflicts: openvas-server, openvas-plugins, openvas-plugins-base, openvas-plugins-dfsg (<= 1.0.7-6+svn20100320)
Recommends: rsync, nmap, openvas-administator
Suggests: openvas-cli, snmp, pnscan, netdiag, ike-scan
Conflicts: openvas-server, openvas-plugins
Recommends: rsync, nmap
Suggests: openvas-client, snmp, pnscan, strobe, ike-scan
Description: remote network security auditor - scanner
The Open Vulnerability Assessment System is a modular security auditing
tool, used for testing remote systems for security vulnerabilities that should
be fixed.
tool, used for testing remote systems for vulnerabilities that should be
fixed.
.
It is made up of several parts: a scan server, a manager, an administrator and
a client. The scanner/daemon, openvassd, is in charge of the attacks, whereas
the clients, such as openvas-cli or gsad provide a user interface.
It is made up of two parts: a scan server, and a client. The scanner/daemon,
openvassd, is in charge of the attacks, whereas the client,
OpenVAS-Client, provides an X11/GTK+ user interface.
.
This package provides the scanner.
This is the prepackaged version of the Open Vulnerability Assessment
System server for Debian GNU/Linux from sources obtained from:
http://www.openvas.org/
This software has been packaged for Debian by
* Tim Brown <timb@nth-dimension.org.uk>
* Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
* Joey Schulze <joey@infodrom.org>
Copyright:
- OpenVAS server:
* Portions Copyright (C) 2006 Software in the Public Interest, Inc.
* Based on work Copyright (C) 1998 - 2006 Tenable Network Security, Inc.
* Copyright (C) 1998 - 2004 Renaud Deraison <deraison@nessus.org>
* Based on work Copyright (C) 2001 Michel Arboi [ssl]
* Portions Copyright (C) 2007, 2008, 2009 Greenbone Networks GmbH
- OpenVAS documentation:
* Copyright (C) 2004 Tenable Network Security
* Copyright (C) mjh-EDV Beratung, 1996-1999
- Include files
* Portions Copyright (C) 2006 Software in the Public Interest, Inc.
* Based on work Copyright (C) 1998 - 2006 Tenable Network Security, Inc.
- Translations
* Boris Wolf
* Miroslav Kure
* Matthias Julius
* Javier Fernandez-Sanguino
* Christophe Masson
* Jacobo Tarrio
* Kurt De Bree
* Pedro Ribeiro
* Eder L. Marques
* Daniel Nylander
* Martin Bagge
Other copyrights:
- Autoconf:
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
Inc.
Authors:
- OpenVAS server:
* Renaud Deraison
* Michael Arboi [ssl]
* Alexis de Bernis
* Axel Nennker
* Beirne Kornarksi
* Benoit Brodard
* Boris Wolf
* Brian
* Christoph Puppe
* Cyril Leclerc
* Devin Kowatch
* Dion Stempfley
* Erik Anderson
* Frank Migge
* Gabriel L. Somlo
* Georges Dagousset
* Guillaume Valadon
* H D Moore
* Iouri Pletnev
* Isaac Dawson
* Javier Fernandez-Sanguino
* Jay
* Jenni Scott
* Jordan Hrycaj
* Julien Bordet
* Laurent FACQ
* Loren Bandiera
* Michael Scheidell
* Michael Slifcak
* Michel Arboi
* Michel Scheidell
* Nicolas Dubee
* Nicolas Pouvesle
* Pasi Eronen
* Pavel Kankovky
* Pavel Kankovsky
* Peter Gründl
* Renaud Deraison
* Rodolfo Baader
* Simon Law
* Stephen Friedl
* Xueyong Zhi
* Zorgon
License:
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2,
as published by the Free Software Foundation
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
On Debian systems, the complete text of the GNU General
Public License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
The Debian packaging is licensed under the GPL-3, and
(c) 2008, Tim Brown <timb@nth-dimension.org.uk>
(c) 2008, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
(c) 2008, Joey Schulze <joey@infodrom.org>
(c) 2008, 2009 Jan Wagner <waja@cyconet.org>
On Debian systems, the complete text of the GNU General
Public License version 3 can be found in `/usr/share/common-licenses/GPL-3'.
Portions of the Debian packaging are heavily based on the packaging of
nessusd, which includes GPL-licensed scripts written by
* Miquel van Smoorenburg <miquels@drinkel.ow.org>
* Ian Murdock <imurdock@gnu.ai.mit.edu>
* Luca Andreucci <andrew@andrew.org>
* Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: openvas-scanner
Source: https://wald.intevation.org/scm/viewvc.php/branches/?root=openvas
Files: *
Copyright: 2009-2016 Greenbone Networks GmbH
2006 Software in the Public Interest, Inc.
1998-2006 Tenable Network Security, Inc.
and others
License: GPL-2
Files: tools/greenbone-nvt-sync tools/openvas-mkcert-client.in
tools/openvas-mkcert.in tools/openvas-nvt-sync.in
src/otp.*
Copyright: 2009-2016 Greenbone Networks GmbH
License: GPL-2+
Files: debian/*
Copyright: 2016 ChangZhuo Chen (陳昌倬) <czchen@debian.org>
2016 SZ Lin (林上智) <szlin@cs.nctu.edu.tw>
License: GPL-2
License: GPL-2
This program is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License version 2, as published by the Free Software Foundation.
.
This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more
details.
.
You should have received a copy of the GNU General Public
License along with this package; if not, write to the Free
Software Foundation, Inc., 51 Franklin St, Fifth Floor,
Boston, MA 02110-1301 USA
.
On Debian systems, the full text of the GNU General Public
License version 2 can be found in the file
`/usr/share/common-licenses/GPL-2'.
License: GPL-2+
This program is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later
version.
.
This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more
details.
.
You should have received a copy of the GNU General Public
License along with this package; if not, write to the Free
Software Foundation, Inc., 51 Franklin St, Fifth Floor,
Boston, MA 02110-1301 USA
.
On Debian systems, the full text of the GNU General Public
License version 2 can be found in the file
`/usr/share/common-licenses/GPL-2'.
#!/bin/sh
set -e
test $DEBIAN_SCRIPT_DEBUG && set -v -x
# Only ask debconf questions if no certificate is present
if [ ! -f /var/lib/openvas/CA/cacert.pem ] || [ ! -f /var/lib/openvas/CA/servercert.pem ]; then
. /usr/share/debconf/confmodule
db_input low openvassd/certificate || true
# TODO: All these fields (especially the numeric ones) should be
# reviewed to make sure that the data is sane
# Numeric:
db_input medium openvassd/califetime || true
db_input medium openvassd/srvlifetime || true
# Set a default country code from the locale (e.g. en_US.UTF-8 -> US);
# the trailing .* lets the pattern match locales with a charset suffix
if [ ! -z "$LANG" ]; then
DC=`echo $LANG | sed -n 's/^..*_\(..\).*$/\1/p'`
fi
[ -n "$DC" ] && db_set openvassd/country $DC
# Two letter code:
db_input medium openvassd/country || true
# Free text: (i.e. no validation needed) but might need
# to be limited to a given size
db_input medium openvassd/province || true
db_input medium openvassd/location || true
db_input medium openvassd/organization || true
db_go
fi
#DEBHELPER#
exit 0
# Additional options for the daemon
# -q prevents OpenVAS scanner from listing all the plugins it loads
DAEMONOPTS="-q -p 9391"
# NOTE: This file is not used if you are using systemd. The options are
# hardcoded in the openvas-scanner.service file. If you want to change
# them you should override the service file by creating a file
# /etc/systemd/system/openvas-scanner.service.d/local.conf like this:
# [Service]
# ExecStart=
# ExecStart=/usr/sbin/openvassd <your desired options>
# Time to wait for the daemon to die before restarting it
# (in seconds)
# DODTIME=5
# The address the OpenVAS Scanner is listening on.
SCANNER_ADDRESS=127.0.0.1
# The port the OpenVAS Scanner is listening on.
SCANNER_PORT=9391
usr/sbin
usr/share/man/man8
var/run
var/cache/openvas
var/lib/openvas
var/lib/openvas/CA
var/lib/openvas/private/CA
var/lib/openvas/plugins
var/log/openvas
etc/openvas
etc/openvas/gnupg
doc/kb_entries.txt
doc/nbe_file_format.txt
doc/nsr_file_format.txt
#!/bin/sh -e
#
# /etc/init.d/openvassd
# /etc/init.d/openvas-scanner
#
# Originally written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
......@@ -12,28 +12,31 @@
#
### BEGIN INIT INFO
# Provides: openvas-scanner
# Required-Start: $remote_fs $network $syslog
# Required-Stop: $remote_fs $network $syslog
# Required-Start: $remote_fs
# Required-Stop: $remote_fs
# Should-Start:
# Should-Stop:
# Default-Start:
# Default-Stop: 0 6
# Default-Stop: 0 1 6
# Short-Description: Start and stop the OpenVAS daemon
# Description: Controls the main OpenVAS daemon "openvassd".
### END INIT INFO
# daemon options
DAEMONOPTS="-q"
# time to wait for daemons death, in seconds
# don't set it too low or you might not let openvassd die gracefully
DODTIME=5
DODTIME=25
[ -r /etc/default/openvas-scanner ] && . /etc/default/openvas-scanner
# daemon options
DAEMONOPTS=""
[ "$SCANNER_ADDRESS" ] && DAEMONOPTS="$DAEMONOPTS --listen=$SCANNER_ADDRESS"
[ "$SCANNER_PORT" ] && DAEMONOPTS="$DAEMONOPTS --port=$SCANNER_PORT"
DAEMON=/usr/sbin/openvassd
PIDFILE=/var/run/openvassd.pid
NAME=openvassd
LABEL="OpenVAS Scanner"
CONFIG=/etc/openvas/openvassd.conf
test -x $DAEMON || exit 0
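Review bot: Required-Start and Required-Stop drop `$network` and `$syslog` in the same hunk that makes the daemon bind `--listen=$SCANNER_ADDRESS --port=$SCANNER_PORT` from /etc/default/openvas-scanner; keep `$remote_fs $network $syslog` so the interface exists before the listen address is applied. Also, `DAEMONOPTS=""` is assigned after `. /etc/default/openvas-scanner` is sourced, so any `DAEMONOPTS=` an administrator still carries in that file (the previous format used it for `-q`) is silently discarded; either move the reset above the `.` line or append to the sourced value. Note that `DODTIME=25` is also the value `sleep $DODTIME` waits for in openvas_start, so every `start` now blocks for 25 seconds.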
......@@ -62,9 +65,6 @@ warn_cert_file() {
}
check_certs() {
if [ -z "`grep ^ca_file /etc/openvas/openvassd.conf`" ] ; then
echo -n "WARN: The openvassd configuration file does not contain certificate settings. Have you run openvas-mkcert? (openvassd might not start)" >&2
fi
CERTDIR=/var/lib/openvas/CA/
PRIVCERTDIR=/var/lib/openvas/private/CA/
for cert in cacert.pem servercert.pem; do
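Review bot: with the `grep ^ca_file /etc/openvas/openvassd.conf` warning removed, check_certs no longer says anything when the configuration file carries no certificate settings; the remaining loop only verifies that the files under CERTDIR and PRIVCERTDIR exist, not that the daemon is configured to use them. If the scanner now locates its certificates by fixed path this is fine, but the changelog should say so; otherwise keep a warning for the missing `ca_file` entry.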
......@@ -76,17 +76,8 @@ check_certs() {
}
openvas_start() {
if [ ! -e "$CONFIG" ] ; then
echo -n "ERROR: Required configuration file $CONFIG does not exist" >&2;
return 1
else
if [ ! -r "$CONFIG" ] ; then
echo -n "ERROR: Cannot read configuration file $CONFIG, are you root?" >&2
return 1
fi
fi
check_certs
start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- $DAEMONOPTS 2>&1 >/dev/null
start-stop-daemon --start --exec $DAEMON -- $DAEMONOPTS 2>&1 >/dev/null
errcode=$?
# If we don't sleep then running() might not see the pidfile
sleep $DODTIME
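Review bot: dropping `--pidfile $PIDFILE` from `start-stop-daemon --start` removes the already-running check that was keyed on the pidfile, so a second `start` can launch a second openvassd (matching on `--exec` alone is weaker and fails after an upgrade replaces the binary); `PIDFILE=/var/run/openvassd.pid` is still defined above, so pass it here as well. The `$CONFIG` existence/readability check is also gone while `CONFIG=/etc/openvas/openvassd.conf` is still set; either remove the variable or keep the check, because a missing or unreadable config would otherwise only surface as a daemon that has died by the time the `sleep $DODTIME` ends.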
......@@ -131,7 +122,7 @@ case "$1" in
force_stop
fi
echo "openvassd."
;;
;;
restart)
echo -n "Restarting $LABEL: "
if running; then
......@@ -169,9 +160,10 @@ case "$1" in
fi
;;
*)
echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload|status}"
echo "Usage: /etc/init.d/openvas-scanner {start|stop|restart|reload|status}"
exit 1
;;
esac
exit 0
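Review bot: the usage line now hardcodes `/etc/init.d/openvas-scanner` instead of `$NAME`; `$0` would stay correct if the script is renamed or invoked through `service`, and `$NAME` (still `openvassd`) is then only used where it refers to the daemon rather than the script.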
usr/sbin/*
etc/openvas/*
usr/share/man/man8/*
#openvas-scanner/usr/sbin/* usr/sbin/*
#openvas-scanner/usr/bin/*
#openvas-scanner/usr/share/man/man1/*
#openvas-scanner/usr/share/man/man8/*
usr/lib/openvas/plugins/find_service.nes var/lib/openvas/plugins/find_service.nes
usr/lib/openvas/plugins/openvas_tcp_scanner.nes var/lib/openvas/plugins/openvas_tcp_scanner.nes
usr/lib/openvas/plugins/ssl_ciphers.nes var/lib/openvas/plugins/ssl_ciphers.nes
usr/lib/openvas/plugins/synscan.nes var/lib/openvas/plugins/synscan.nes
......@@ -6,7 +6,6 @@
rotate 7
compress
postrotate
if [ -s /var/lib/openvas/openvassd.pid ]; then kill -1 `cat /var/lib/openvas/openvassd.pid`; fi
if [ -s /var/run/openvassd.pid ]; then kill -1 `cat /var/run/openvassd.pid`; fi
openvaslogs=`ls /var/log/openvas/openvassd.messages.*`
if [ -n "$openvaslogs" ]; then
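Review bot: the postrotate hook sends `kill -1` to whatever pid is in /var/run/openvassd.pid; with the init script no longer passing `--pidfile` to start-stop-daemon, confirm that openvassd writes that file itself, otherwise the log is rotated while the daemon keeps writing to the old descriptor. A stale pidfile also means SIGHUP goes to an unrelated process, so prefer `start-stop-daemon --stop --signal HUP --pidfile /var/run/openvassd.pid --name openvassd` over a bare `kill`, since it checks the process name before signalling.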
......@@ -15,3 +14,4 @@
fi
endscript
}
#! /bin/bash
# Postinst script for OpenVAS, written by Javier Fernandez-Sanguino
# Uses code from openvas-mkcert, which was written by Renaud Deraison
# <deraison@cvs.nessus.org> and Michel Arboi <arboi@alussinan.org>
#
# This script is distributed under the Gnu General Public License (GPL)
#
set -e
. /usr/share/debconf/confmodule
test $DEBIAN_SCRIPT_DEBUG && set -v -x
# Location of the certificates
OPENVASPRIV="/var/lib/openvas/private/CA"
OPENVASPUB="/var/lib/openvas/CA"
CAKEY=$OPENVASPRIV/cakey.pem
CACERT=$OPENVASPUB/cacert.pem
#
SRVKEY=$OPENVASPRIV/serverkey.pem
SRVCERT=$OPENVASPUB/servercert.pem
# Our umask for all files
umask 077
openvas_mkcert ()
{
RANDFLAG=""
PATH=/usr/sbin:/usr/bin:/bin:/sbin
if [ ! -d "$OPENVASPRIV" ]; then
mkdir -p "$OPENVASPRIV"
chmod 0700 "$OPENVASPRIV"
echo "$OPENVASPRIV created"
fi
if [ ! -d "$OPENVASPUB" ]; then
mkdir -p "$OPENVASPUB"
chmod a+rx "$OPENVASPUB"
echo "$OPENVASPUB created"
fi
# Set environment
BASEDIR=`mktemp -d -t openvas-mkcert.XXXXXX` || { echo "$program: Cannot create temporary dir!" >&2 ; exit 1; }
trap " [ -d \"$BASEDIR\" ] && rm -rf -- \"$BASEDIR\"" 0 1 2 3 13 15
SRVREQ=$BASEDIR/serverreq.pem
# Defaults (apply only when the caller did not set a lifetime)
[ -z "$CACERT_LIFETIME" ] && CACERT_LIFETIME=1460
[ -z "$SRVCERT_LIFETIME" ] && SRVCERT_LIFETIME=365
if [ ! -z "$LANG" ]; then
DC=`echo $LANG | sed -n 's/^..*_\(..\).*$/\1/p'`
fi
[ -z "$DC" ] && DC="??"
[ -z "$COUNTRY" ] && COUNTRY=$DC
[ -z "$PROVINCE" ] && PROVINCE=""
[ -z "$LOCATION" ] && LOCATION=""
[ -z "$ORGANIZATION" ] && ORGANIZATION="OpenVAS"
cat <<EOF>$BASEDIR/std000.cnf
RANDFILE = $HOME/.rnd
#
[ ca ]
default_ca = OpenVASCA
[ OpenVASCA ]
dir = $BASEDIR # Where everything is kept
certs = \$dir # Where the issued certs are kept
crl_dir = \$dir # Where the issued crl are kept
database = \$dir/index.txt # database index file.
new_certs_dir = \$dir # default place for new certs.
certificate = $CACERT # The CA certificate
serial = \$dir/serial # The current serial number
crl = \$dir/crl.pem # The current CRL
private_key = $CAKEY # The private key
x509_extensions = usr_cert # The extensions to add to the cert
crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
# attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 255
emailAddress = Email Address
emailAddress_max = 255
# SET-ex3 = SET extension number 3
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType = NSCERTTYPE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
# Copy subject details
issuerAltName=issuer:copy
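The std000.cnf written by the postinst above still carries `default_bits = 1024`, `default_md = sha1` and a commented-out `basicConstraints=CA:FALSE`, all of which a current deployment would want changed. The following shell script is an added example, not the package's postinst and not OpenVAS code: it performs the same CA plus server-certificate set-up with the weak settings replaced, and adds the chain check that a start-up script should run before trusting the files in /var/lib/openvas/CA. It needs the openssl command-line tool; the private/CA and CA subdirectories mirror the OPENVASPRIV/OPENVASPUB split, the lifetimes are the packaged 1460/365 days, and the hostname in the demonstration is a constructed value.

```shell
#!/bin/sh
# Added example, not part of the Debian postinst above: the same CA plus
# server-certificate set-up, but with the weak values from the packaged
# std000.cnf (default_bits = 1024, default_md = sha1, basicConstraints left
# commented out) replaced by current ones, and an explicit chain check that a
# start-up script can run. Needs the openssl command-line tool. The
# private/CA and CA subdirectories mirror the OPENVASPRIV/OPENVASPUB split.
set -e
umask 077

# OpenSSL config shared by the CA and the server request. Lines marked
# HARDENED differ from the packaged std000.cnf.
write_ssl_config() {   # $1 = config path, $2 = server hostname
    cat > "$1" <<EOF
[ req ]
# HARDENED: 2048-bit keys and SHA-256 instead of 1024 bits and SHA-1
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
[ dn ]
C  = XX
O  = OpenVAS
CN = $2
[ ca_ext ]
# HARDENED: CA flag and key usage stated explicitly and marked critical
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ srv_ext ]
# HARDENED: CA:FALSE no longer commented out, serverAuth EKU, SAN set
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$2
EOF
}

# Create cakey/cacert and serverkey/servercert under $1 for hostname $2,
# using the packaged lifetimes (1460 days CA, 365 days server).
make_ca_and_server_cert() {   # $1 = base dir, $2 = server hostname
    priv=$1/private/CA; pub=$1/CA; cfg=$1/openssl.cnf
    mkdir -p "$priv" "$pub"
    chmod 0700 "$priv"
    write_ssl_config "$cfg" "$2"
    openssl req -x509 -new -nodes -config "$cfg" -extensions ca_ext -days 1460 \
        -subj "/C=XX/O=OpenVAS/CN=$2 CA" \
        -keyout "$priv/cakey.pem" -out "$pub/cacert.pem" 2>/dev/null
    openssl req -new -nodes -config "$cfg" \
        -keyout "$priv/serverkey.pem" -out "$1/serverreq.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/serverreq.pem" \
        -CA "$pub/cacert.pem" -CAkey "$priv/cakey.pem" -CAcreateserial \
        -extfile "$cfg" -extensions srv_ext -out "$pub/servercert.pem" 2>/dev/null
    chmod 0600 "$priv"/*.pem
    chmod 0644 "$pub"/*.pem
}

# Return 0 only if servercert.pem chains to cacert.pem, is not itself a CA,
# is SHA-256 signed and has more than a day of validity left.
verify_server_cert() {   # $1 = base dir
    pub=$1/CA
    openssl verify -CAfile "$pub/cacert.pem" "$pub/servercert.pem" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$pub/servercert.pem" -noout -text 2>/dev/null)
    echo "$text" | grep -q 'CA:FALSE' || return 1
    echo "$text" | grep -q 'sha256WithRSAEncryption' || return 1
    openssl x509 -in "$pub/servercert.pem" -noout -checkend 86400 >/dev/null 2>&1 || return 1
    return 0
}

# Demonstration in a scratch directory (hostname is a constructed value).
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_ca_and_server_cert "$demo" scanner.example.internal
    verify_server_cert "$demo" || { echo "chain check FAILED" >&2; exit 1; }
    echo "chain OK: $demo/CA/servercert.pem signed by $demo/CA/cacert.pem"
    rm -rf "$demo"
fi
```

The verify step is the part the packaged init script lacks: check_certs only tests that the .pem files exist, whereas `openssl verify` plus the CA:FALSE and signature-algorithm checks catch a server certificate that was re-issued by a different CA, accidentally created as a CA, or signed with SHA-1 by an old config.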