Configuration file for generating self-signed certificates and certificate requests

The CONFIG parameter on the ZPUBK REQCERT command specifies the file that contains configuration information for generating a certificate request or a self-signed certificate.

The configuration file consists of sections. Each section starts with a section name surrounded by square brackets ([section name]), and ends when a new section is started or the end of file is reached. A section name can consist of alphanumeric characters and underscores. Lines beginning with the pound sign (#) are comments.

Each section in a configuration file consists of a number of fields of the form name=value. The value string consists of the characters following the equal sign (=) until the end of line, with any leading or trailing whitespace removed.

The configuration file has the following syntax:

[req]
days                   = daystocertify
serial                 = serialnumber
#The following three values can be anything; they just need to 
#match a section name in the file.
distinguished_name     = req_distinguished_name
req_extensions         = v3_req
x509_extensions        = v3_ca


[req_distinguished_name]
countryName            = country
stateOrProvinceName    = stateorprov
localityName           = locality
organizationName       = organization
organizationalUnitName = organizationalunit
commonName             = commonname
emailAddress           = emailaddress


[v3_req]
basicConstraints       = CA:trueorfalse
keyUsage               = keyusage


[v3_ca]
subjectKeyIdentifier   = subjectkeyidentifier
authorityKeyIdentifier = authoritykeyidentifier
basicConstraints       = basicconstraints
keyUsage               = keyusage
subjectAltName         = subjectaltname
issuerAltName          = issueraltname
[req]
names the sections used to build the certificate, along with the days and serial fields. This section is required, and its name must be exactly [req]. You can specify the following fields in this section:
days=daystocertify
specifies the number of days to certify a self-signed certificate, where daystocertify is an integer from 1–36500. If alphanumeric characters are specified, the number up to the first non-digit is accepted. (For example, 22FE is accepted as 22.) This field is required for both self-signed certificates and certificate requests, but has significance only for self-signed certificates.
serial=serialnumber
specifies the serial number to use when creating a self-signed certificate, where serialnumber is an integer value from 0–9999 or hexadecimal value from 0x0–0x270F. If alphanumeric characters are specified for the integer value, the number up to the first non-digit is accepted. (For example, 22FE is accepted as 22.) This field is optional. The default value is 0.
distinguished_name=req_distinguished_name
specifies the section that defines the information needed to generate a self-signed certificate or certificate request, where req_distinguished_name is the name of the section. At least one field must be specified in this section. See the following [req_distinguished_name] description for information about the fields that it can contain. This field is required for both self-signed certificates and certificate requests.
req_extensions=v3_req
specifies the section that defines extensions to add to a certificate request, where v3_req is the name of the section. See the following [v3_req] description for information about the fields that the section can contain. This field is optional.
x509_extensions=v3_ca
specifies the section that defines extensions to add to a self-signed certificate, where v3_ca is the name of the section. See the following [v3_ca] description for information about the fields that the section can contain. This field is optional.
[req_distinguished_name]
This is the section named by distinguished_name in [req]. You can specify more than one value for a field by prefixing the field name with an index, using the following syntax:
0.emailAddress=moe@curlyshouse
1.emailAddress=moe@larryshouse
2.emailAddress=moe@moeshouse
You can specify the following fields in this section:
countryName=country
specifies the two-character country name in ISO 3166 format.
stateOrProvinceName=stateorprov
specifies the state or province name, where stateorprov is 1–128 characters.
localityName=locality
specifies the locality name, where locality is 1–128 characters.
organizationName=organization
specifies the organization name, where organization is 1–64 characters.
organizationalUnitName=organizationalunit
specifies the organizational unit name, where organizationalunit is 1–64 characters.
commonName=commonname
specifies the common name, where commonname is 1–64 characters.
emailAddress=emailaddress
specifies the email address, where emailaddress is 1–64 characters.
[v3_req]
This is the value you specified on req_extensions. This section is optional. You can specify the following fields in this section:
basicConstraints=CA:trueorfalse
indicates whether a certificate is a certificate authority (CA), where trueorfalse is either TRUE or FALSE.
keyUsage=keyusage
specifies permitted key usages, where keyusage is a comma-separated list of any of the following:
  • digitalSignature
  • nonRepudiation
  • keyEncipherment
  • dataEncipherment
  • keyAgreement
  • keyCertSign
  • cRLSign
  • encipherOnly
  • decipherOnly
[v3_ca]
This is the value you specified on x509_extensions. This section is optional. You can specify the following fields in this section:
subjectKeyIdentifier=subjectkeyidentifier
specifies how to identify the public key being certified. The only value supported for subjectkeyidentifier is hash. This field is required if x509_extensions is specified.
authorityKeyIdentifier=authoritykeyidentifier
specifies how to identify the public key being used to verify the signature on this certificate, and enables keys used by the same CA to be distinguished, where authoritykeyidentifier is one of the following:
keyid
indicates that the subject key identifier is copied from the parent certificate.
keyid:always
indicates that the subject key identifier is copied from the parent certificate and an error is returned if the copy fails.
issuer
indicates that the issuer and serial number are copied from the issuer certificate if the keyid option fails or is not specified.
issuer:always
indicates that the issuer and serial number are always copied from the issuer certificate.
basicConstraints=CA:trueorfalse
see basicConstraints description in the [v3_req] section.
keyUsage=keyusage
see keyUsage description in the [v3_req] section.
subjectAltName=subjectaltname
allows you to specify the following literal values in the configuration file:
email:email
specifies an email address. If email:copy is specified, all email addresses contained in the certificate are included.
URI:uri
specifies a uniform resource identifier (URI).
DNS:dns
specifies a Domain Name System (DNS) name.
RID:rid
specifies a registered ID.
IP:IP
specifies an IP address in Internet Protocol version 4 (IPv4) format.
@dirname
specifies a section that contains a list of fields, where dirname is the section name and must be defined later in the configuration file (by placing it between square brackets).
issuerAltName=issueraltname
accepts all literal values allowed for subjectAltName except email:copy, plus the following:
issuer:copy
all subject alternative name values from the issuer certificate are included.
Note:
  • For subjectAltName and issuerAltName, use a comma-separated list to specify more than one value. For example:
    subjectAltName = DNS:moe.ibm.com, DNS:larry.ibm.com, email:curly@moe.org
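The syntax rules at the top of this page and the field constraints listed above can be checked mechanically before a configuration file is handed to ZPUBK REQCERT. The following parser and validator is an added example and is not IBM's code: it implements the documented syntax (sections in square brackets, # comments, name=value with surrounding whitespace trimmed, 0.name prefixes for repeated fields), enforces the documented ranges and lengths, and adds one check the page does not spell out, namely that keyCertSign is only meaningful together with basicConstraints CA:TRUE (RFC 5280 section 4.2.1.3). The embedded sample configuration is constructed for the example, and all function names are this example's own.

```python
"""Parser and validator for the ZPUBK REQCERT configuration file format.

Added example, not IBM's code.  It implements the syntax rules described on
the page (sections in square brackets, # comments, name=value with surrounding
whitespace trimmed, "0.name" prefixes for repeated fields) and checks the
documented field constraints.  All function names are this example's own.
"""
import re

SECTION_RE = re.compile(r"^\[\s*(\w+)\s*\]$")
KEY_USAGES = {"digitalSignature", "nonRepudiation", "keyEncipherment",
              "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
              "encipherOnly", "decipherOnly"}
ALT_PREFIXES = ("email:", "URI:", "DNS:", "RID:", "IP:", "@")
DN_LIMITS = {"stateOrProvinceName": 128, "localityName": 128, "organizationName": 64,
             "organizationalUnitName": 64, "commonName": 64, "emailAddress": 64}

# Constructed sample: a trimmed self-signed configuration, changed so that
# keyUsage asserts keyCertSign while basicConstraints says CA:FALSE.
SAMPLE = """\
# constructed sample configuration
[req]
days                   = 180
serial                 = 0x10
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca
[req_distinguished_name]
countryName            = US
stateOrProvinceName    = NY
organizationName       = IBM
commonName             = SSL_SERVER
0.emailAddress         = moe@curlyshouse.org
1.emailAddress         = moe@larryshouse.org
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment, keyCertSign
subjectAltName         = DNS:moe.ibm.com, email:curly@moe.org
"""


def parse_config(text):
    """Return {section: [(name, value), ...]}, keeping order and repeated names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a section or without '=': {raw!r}")
        name, value = line.split("=", 1)
        sections[current].append((name.strip(), value.strip()))
    return sections


def leading_int(value):
    """Digits up to the first non-digit, as documented (22FE -> 22); 0x prefix means hex."""
    if value[:2].lower() == "0x":
        m = re.match(r"[0-9a-fA-F]+", value[2:])
        return int(m.group(), 16) if m else None
    m = re.match(r"\d+", value)
    return int(m.group()) if m else None


def field(section, name):
    """First value of `name` in a parsed section, or None."""
    return next((v for n, v in section if n == name), None)


def base_name(name):
    """Strip the '0.' style prefix used to repeat a distinguished-name field."""
    return name.split(".", 1)[1] if re.match(r"\d+\.", name) else name


def check_extensions(key, ext):
    """Problems in a [v3_req]/[v3_ca] style section referenced by `key`."""
    out = []
    if key == "x509_extensions" and field(ext, "subjectKeyIdentifier") != "hash":
        out.append("subjectKeyIdentifier = hash is required when x509_extensions is set")
    bc = (field(ext, "basicConstraints") or "").upper()
    if bc not in ("", "CA:TRUE", "CA:FALSE"):
        out.append("basicConstraints must be CA:TRUE or CA:FALSE")
    usages = {u.strip() for u in (field(ext, "keyUsage") or "").split(",") if u.strip()}
    if usages - KEY_USAGES:
        out.append(f"unknown keyUsage value(s): {sorted(usages - KEY_USAGES)}")
    # RFC 5280 4.2.1.3: keyCertSign may only be asserted when the cA flag is set.
    if "keyCertSign" in usages and bc != "CA:TRUE":
        out.append("keyCertSign asserted without basicConstraints CA:TRUE")
    if bc == "CA:TRUE":
        out.append("warning: CA:TRUE lets this key issue certificates; confirm it is intended")
    for alt in ("subjectAltName", "issuerAltName"):
        for item in (field(ext, alt) or "").split(","):
            item = item.strip()
            if not item or (alt == "issuerAltName" and item == "issuer:copy"):
                continue
            if alt == "issuerAltName" and item == "email:copy":
                out.append("issuerAltName does not accept email:copy")
            elif not item.startswith(ALT_PREFIXES):
                out.append(f"{alt} entry {item!r} has no recognised prefix")
    return out


def validate(text):
    """Return a list of problems and warnings for a configuration; [] means clean."""
    cfg = parse_config(text)
    req = cfg.get("req")
    if req is None:
        return ["missing required [req] section"]
    out = []
    days = leading_int(field(req, "days") or "")
    if days is None or not 1 <= days <= 36500:
        out.append("days must be an integer from 1 to 36500")
    serial = field(req, "serial")
    if serial is not None:
        n = leading_int(serial)
        if n is None or not 0 <= n <= 0x270F:
            out.append("serial must be 0-9999 (0x0-0x270F)")
    dn = cfg.get(field(req, "distinguished_name") or "")
    if not dn:
        out.append("distinguished_name must name a section with at least one field")
    for name, value in dn or []:
        base, limit = base_name(name), DN_LIMITS.get(base_name(name))
        if base == "countryName" and len(value) != 2:
            out.append("countryName must be a two-character ISO 3166 code")
        elif limit is not None and not 1 <= len(value) <= limit:
            out.append(f"{name} must be 1-{limit} characters")
    for key in ("req_extensions", "x509_extensions"):
        ext_name = field(req, key)
        if ext_name is not None:
            ext = cfg.get(ext_name)
            out.extend(check_extensions(key, ext) if ext is not None
                       else [f"{key} names undefined section [{ext_name}]"])
    return out


if __name__ == "__main__":
    for line in validate(SAMPLE) or ["configuration is clean"]:
        print(line)
```

Run against the constructed sample, validate() reports the single keyCertSign/CA:FALSE mismatch; removing keyCertSign from keyUsage yields a clean result, and switching to CA:TRUE yields only the review warning, which is the point of the check: a key that carries keyCertSign under CA:TRUE can sign further certificates, so that combination deserves a deliberate decision rather than a copy from a template.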
The following is an example configuration file for creating a self-signed certificate:
#
#Creating a self-signed certificate
#

####################################################################
[req]
days                   = 180
serial                 = 1
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca


[req_distinguished_name]
countryName            = US
stateOrProvinceName    = NY
localityName           = POK
organizationName       = IBM
organizationalUnitName = TPF
commonName             = SSL_SERVER
0.emailAddress         = moe@curlyshouse.org
1.emailAddress         = moe@larryshouse.org
2.emailAddress         = moe@moeshouse.org


[ v3_ca ]
# The extensions to add to a self-signed cert
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = DNS:moe.ibm.com, DNS:larry.ibm.com, email:curly@moe.org
issuerAltName          = issuer:copy
The following is an example configuration file for creating a certificate request:
#
#Creating a certificate request
#

####################################################################
[req]
days                   = 180
distinguished_name     = req_distinguished_name
req_extensions         = v3_req


[req_distinguished_name]
countryName            = US
stateOrProvinceName    = NY
localityName           = POK
organizationName       = IBM
organizationalUnitName = TPF
commonName             = SSL_SERVER
0.emailAddress         = moe@curlyshouse.org
1.emailAddress         = moe@larryshouse.org
2.emailAddress         = moe@moeshouse.org


[ v3_req ]
# Extensions to add to a certificate request
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign