AutoSScep 1.0 - Configuration file manual page

A.      Configuration file syntax
B.      Configuration file structure
B.1.    General Options
B.2.    Certification Authority(s) data
B.3.    Certificate(s) data
B.3.1.  X.509v3 Extensions
B.3.2.  Values for X.509v3 Extensions
C.      Summary of main commands
D.      Default Values
E.      Configuration example


A. Configuration file syntax

A command has the following structure:

    commandname = "value"

The value MUST be written between "" quotation marks!
Only one command per line is allowed. Spaces are allowed before and after.
The # (sharp) character indicates a comment line.
The keywords for Certification Authority ([CA] [/CA]), certificate
([Certificate] [/Certificate]) data and X.509v3 Extension sections must be
placed at the beginning of the line.
A value must be on the same line as its command.
Unrecognized commands are signaled during execution, but ignored.


B. Configuration file structure

There are three main parts:

  1. General Options : everything that concerns file locations and program execution
  2. Certification Authority(s) data
  3. Certificate(s) data


B.1. General Options

Required values

  - CA directory and/or prefix of the CA certificate files
        CADir = "[value]"
  - Certificate directory and/or prefix of the certificate files
        CertDir = "[value]"
  - Private key directory and/or prefix
        KeyDir = "[value]"

  n.b. It is advisable to use absolute paths.

Optionally you can indicate

  - the number of days before the certificates expire at which enrollment starts (default is 7)
        DaysBeforeExpire = "[value]"
  - the number of bits for private keys (default is 1024)
        KeyBits = "[value]"
  - the signature algorithm (md5 or sha1)
        SigAlgo = "[value]"
  - execution modes (values: yes or no)
        Verbose = "[value]"     Shows details about execution
        Debug = "[value]"       Shows all the encrypted messages
  - an extra command to be executed at the end if some certificate was enrolled
        ECommand = "[command]"

  N.B. General options must be placed before the CAs and Certificates data!!!


B.2. Certification Authority(s) data

This part of the file starts with [CA] and ends with [/CA] (these keywords must
be placed at the beginning of the line).

Required values

  - Distinguished Name
        DN = "[value]"
  - Complete cgi scep URL ( http://[host]:[port]/ ... )
        URL = "[value]"
    if not specified, the port number is set to 80
  - CA certificate file name (for the signature check)
        CertFile = "[value]"
  - CA certificate file name used for encryption (in some cases it is the same CA certificate)
        EncCertFile = "[value]"

Optional values

  - CA encryption algorithm (des, blowfish and 3des; default des)
        EncAlgo = "[value]"
  - Virtual-host hosting for the scep server (yes or no)
        VHost = "[value]"
    n.b. if in doubt, the value yes should be right


B.3. Certificate(s) data

This part starts with [Certificate] and ends with [/Certificate] (these keywords
must be placed at the beginning of the line).

Required values

  - Certificate file name (also used as identifier)
        CertFile = "[value]"
  - Key file name
        KeyFile = "[value]"
    n.b. the names are relative to the paths specified in the general options
  - The DN (Distinguished Name) of the issuer CA (only an identifier)
        CADN = "[value]"
  - DN data for the certificate
        Email = "[value]"
        Country = "[value]"        (the short identifier: US, UK, IT etc.)
        State = "[value]"
        Location = "[value]"
        Organization = "[value]"
        OrgUnit = "[value]"
        CommonName = "[value]"
    (OrgUnit and Email are optional for AutoSScep)

Optional values

  - Request command: an external command executed for new pending requests on
    the CA. This option can be used to advise the CA administrator about your
    request, for example with a mail-sending script.
        ReqCommand = "[value]"
    (This command is executed only for NEW pending requests and is otherwise ignored.)
  - Challenge Password: this parameter in a certificate request allows automatic
    authentication of the request using a pre-shared secret (it is also used for
    certificate revocation).
        ChallengePassword = "[value]"


B.3.1. X.509v3 Extensions

Optionally it is possible to specify some X.509v3 extensions for the certificate
requests. The extension list starts with [X509v3EXT] and ends with [/X509v3EXT]
(these keywords must be placed at the beginning of the line).
AutoSScep allows only a few of the extensions specified in RFC 2459 and included
in the OpenSSL libraries:

  - Key Usage
  - Subject Alternative Name
  - Basic Constraints
  - Extended Key Usage
  - Netscape Comment
  - Netscape Certificate Type


B.3.2. Values for X.509v3 Extensions

If the extension is critical, this must be indicated at the beginning of the
value, followed by a comma.
  Ex: key_usage = "critical, digitalSignature"
Multiple values for the same extension are given as a comma-separated list.
  Ex: key_usage = "digitalSignature,nonRepudiation"

  - Netscape Comment
        command: netscape_comment
        value:   a string

  - Subject Alternative Name
        command: subject_alt_name
        value:   a string

  - Basic Constraints
        command: basic_constraints
        value:   request for a CA certificate ---------------- CA:true
                 request for another entity of the PKI ------- CA:false

  - Key Usage (comma-separated list)
        command: key_usage
        values:
            USAGE               ---- KEYWORD
            Digital Signature   ---- digitalSignature
            Non Repudiation     ---- nonRepudiation
            Key Encipherment    ---- keyEncipherment
            Data Encipherment   ---- dataEncipherment
            Key Agreement       ---- keyAgreement
            Certificate Sign    ---- keyCertSign
            CRL Sign            ---- cRLSign
            Encipher Only       ---- encipherOnly
            Decipher Only       ---- decipherOnly

  - Extended Key Usage (comma-separated list)
        command: extended_key_usage
        values:
            KEYWORD          ---- EXTENDED KEY USAGE
            serverAuth       ---- TLS Web Server Authentication
            clientAuth       ---- TLS Web Client Authentication
            codeSigning      ---- Code Signing
            emailProtection  ---- E-mail Protection
            timeStamping     ---- Time Stamping
            msCodeInd        ---- Microsoft Individual Code Signing
            msCodeCom        ---- Microsoft Commercial Code Signing
            msCTLSign        ---- Microsoft Trust List Signing
            msSGC            ---- Microsoft Server Gated Crypto
            msEFS            ---- Microsoft Encrypted File System
            nsSGC            ---- Netscape Server Gated Crypto

  - Netscape Certificate Type (comma-separated list)
        command: netscape_cert_type
        values:
            NS CERTIFICATE TYPE  ---- KEYWORD
            SSL Client           ---- client
            SSL Server           ---- server
            S/MIME               ---- email
            Object Signing       ---- objsign
            Unused               ---- reserved
            SSL CA               ---- sslCA
            S/MIME CA            ---- emailCA
            Object Signing CA    ---- objCA


C. Summary of main commands


D. Default values

If not specified, the following values are set:

    DaysBeforeExpire = "7"
    Verbose = "no"
    Debug = "no"
    KeyBits = "1024"
    SigAlgo = "md5"

For the CA:

    EncAlgo = "des"
    VHost = "no"


E. Configuration example

--------------Example------------------------------------------------------------

# Config file for autoScep

### General options

# The directory that contains the certificates
CertDir = "/home/cert/"
# The directory that contains the private keys
KeyDir = "/home/keys/"
# The number of days before expiry at which enrollment starts
DaysBeforeExpire = "2"
# The directory that contains the CAs' certificates
CADir = "/home/racerts/"

### Info and debug options

# Possible values: yes or no.
Verbose = "yes"
Debug = "no"
# The bit length of the private key modulus
KeyBits = "2048"
# Signature algorithm (md5 or sha1)
SigAlgo = "md5"

### CAs' data

# Define the CA data
[CA]
DN = "C=IT, O=CA Organization, OU=Certification Authority, CN=myCA/Email=info@myCAdomain"
URL = "http:///cgi-bin/scep/scep"
CertFile = "ca.crt-0"
EncCertFile = "ca.crt-0"
# Encryption algorithm: des, 3des or blowfish. Default: des
EncAlgo = "des"
VHost = "yes"
[/CA]

[Certificate]
CertFile = "mycertificate.crt"
KeyFile = "mykey.key"
# The certificate's CA data
CADN = "C=IT, O=CA Organization, OU=Certification Authority, CN=myCA/Email=info@myCAdomain"
# DN data
Email = "mymail@mydomain"
Country = "IT"
State = "BS"
Location = "Brescia"
Organization = "My Organization"
OrgUnit = "my unit"
CommonName = "me"
[X509v3EXT]
key_usage = "digitalSignature,keyEncipherment,nonRepudiation"
subject_alt_name = "mymail@mydomain"
basic_constraints = "critical,CA:false"
netscape_cert_type = "client,server"
extended_key_usage = "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,msCodeInd,msCodeCom"
netscape_comment = "VPN point to point"
[/X509v3EXT]
[/Certificate]

--------------End-of-Example-----------------------------------------------------