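# OpenSSL configuration for a certificate-policy CA hierarchy: a root CA
# section, extension profiles for CA / intermediate / end-entity certificates,
# and a request section whose subject comes from the environment.
#
# Default-section fallbacks. ${ENV::name} reads the process environment first;
# OpenSSL falls back to a same-named value in this default section only when
# that value is defined earlier in the file than the expansion. COMMON_NAME has
# no fallback here, so it must be exported before any command loads this file.
CA_DIR=out
CA_NAME=policy-root

[ca]
default_ca = CA_root
# Keep the subject DN in the order given by the request.
preserve = yes

[CA_root]
dir = ${ENV::CA_DIR}
# NOTE(review): key_size and algo are not options documented for `openssl ca`;
# presumably informational or consumed by the generating script - confirm.
# algo is kept in step with default_md below.
key_size = 2048
algo = sha256
database = $dir/${ENV::CA_NAME}-index.txt
new_certs_dir = $dir
serial = $dir/${ENV::CA_NAME}-serial
certificate = $dir/${ENV::CA_NAME}.pem
# The CA private key sits next to the public output in $dir. If these keys are
# ever used outside a throwaway fixture, restrict permissions on that directory.
private_key = $dir/${ENV::CA_NAME}.key
RANDFILE = $dir/.rand
# Issued certificates are valid for ten years, CRLs for thirty days.
default_days = 3650
default_crl_days = 30
# Was sha1. SHA-1 signatures are collision-prone and rejected by current
# verifiers, so certificates are signed with SHA-256 instead.
default_md = sha256
policy = policy_anything
# Allows several certificates with an identical subject in the index.
unique_subject = no
# "copy" adds every extension from the request that the selected extension
# section does not already set, so a requester can inject extensions such as
# subjectAltName or keyUsage. Only sign requests whose contents are trusted.
copy_extensions = copy

[user_cert]
# End-entity profile: not a CA, usable for TLS server and client auth.
basicConstraints = critical, CA:false
extendedKeyUsage = serverAuth, clientAuth
# 1.2.3.x arcs look like test placeholder policy OIDs, not registered ones.
certificatePolicies = 1.2.3.4

[ca_cert]
# CA profile without a pathlen limit or policy extensions.
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign

[intermediate_cert]
# Intermediate CA profile. requireExplicitPolicy:0 makes an acceptable
# explicit policy mandatory for certificates below this one in the path.
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
policyConstraints = requireExplicitPolicy:0
certificatePolicies = 1.2.3.4, 1.2.3.4.5, 1.2.3.5

[policy_anything]
# Default signing policy: every subject field is optional, so the CA places
# no constraint on the names it will sign.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[req]
default_bits = 2048
# Was sha1. Requests are self-signed with SHA-256 for the same reason as above.
default_md = sha256
string_mask = utf8only
prompt = no
# Generated private keys are written without a passphrase.
encrypt_key = no
distinguished_name = req_env_dn

[req_env_dn]
# Subject is a single CN taken from the COMMON_NAME environment variable.
CN = ${ENV::COMMON_NAME}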