The OpenSSL configuration file provides SSL defaults for items such as:
- The location of your certificate files.
- Your Distinguished Name. This comprises the details of your site (your Common Name, your locality and so on). Initially your Distinguished Name comprises the details you entered during installation.
- Defaults for the openssl ca policy command, which specifies which elements of the Distinguished Name are required.
The configuration file is called openssl.cnf by default and belongs in the same directory as openssl.exe by default. You can specify a different configuration file by using the OPENSSL_CONF environment variable or you can specify alternative configurations within one configuration file.
The configuration file is a text file and comprises several sections, such as:
- The ca section, which configures the CA. You can have several ca sections, each specifying a different configuration for a different CA, and switch between them by changing the default_ca option. You can also override this choice from the command line, using the -name parameter. This is useful in development and testing, enabling you to try out different configurations.
- The policy section, which specifies how closely the Distinguished Name in a certificate presented to SSL software must agree with the Distinguished Name in an installed certificate, for the two certificates to be considered to match.
- The req section, which configures the openssl req command.
- The distinguished_name section, which specifies the Distinguished Name fields required when the openssl req command is creating a certificate request or a self-signed certificate. The actual name of this section is specified in the distinguished_name entry in the req section. This enables you to switch between different distinguished_name configurations, by changing the entry in the req section.
- The attributes, which has attributes such as challengePassword or unstructuredName. Like the distinguished_name section, the actual name of the attributes section is specified in the req section, so that you can have several attributes sections, and switch between them.
In the options in the configuration file, all filenames must be given complete with absolute path.
For full details see OpenSSL CA function on the MKS Software site and page down to the section on the Configuration File .
