The OpenSSL configuration file provides SSL defaults for items such as:
- The location of your certificate files.
- Your Distinguished Name. This comprises the details of your site (your Common Name, your locality and so on). Initially your
Distinguished Name comprises the details you entered during installation.
- Defaults for the openssl ca policy command, which specifies which elements of the Distinguished Name are required.
The configuration file is called
openssl.cnf by default and belongs in the same directory as
openssl.exe by default. You can specify a different configuration file by using the OPENSSL_CONF environment variable or you can specify
alternative configurations within one configuration file.
The configuration file is a text file and comprises several sections, such as:
- The
ca section, which configures the CA. You can have several ca sections, each specifying a different configuration for a different
CA, and switch between them by changing the
default_ca option. You can also override this choice from the command line, using the
-name parameter. This is useful in development and testing, enabling you to try out different configurations.
- The
policy section, which specifies how closely the Distinguished Name in a certificate presented to SSL software must agree with the
Distinguished Name in an installed certificate, for the two certificates to be considered to match.
- The
req section, which configures the openssl req command.
- The
distinguished_name section, which specifies the Distinguished Name fields required when the openssl req command is creating a certificate request
or a self-signed certificate. The actual name of this section is specified in the distinguished_name entry in the req section.
This enables you to switch between different distinguished_name configurations, by changing the entry in the req section.
- The
attributes, which has attributes such as challengePassword or unstructuredName. Like the distinguished_name section, the actual name
of the attributes section is specified in the req section, so that you can have several attributes sections, and switch between
them.
In the options in the configuration file, all filenames must be given complete with absolute path.
For full details see
OpenSSL CA function on the
MKS Software site and page down to the section on the
Configuration File
.
If you receive a warning message like "WARNING: can't open config file: /usr/local/ssl/openssl.cnf" from the OpenSSL utility, set the environment variable OPENSSL_CONF to the location of a suitable
openssl.cnf file. One is included with the Micro Focus DemoCA, in the main directory of the DemoCA installation. For example:
Windows:
set OPENSSL_CONF=C:\Program Files (x86)\Micro Focus\DemoCA\openssl.cnf
UNIX:
export OPENSSL_CONF=$COBDIR/DemoCA
Note: This message is only a warning; the openssl command may still perform the function you requested. The
openssl.cnf file is primarily used to set default values for the CA function, key sizes for generating new key pairs, and similar configuration.
Consult the OpenSSL documentation available at
openssl.org for more information.
OpenSSL CA function
openssl.org