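# OpenSSL configuration for a test certificate authority.
# The [ca] and [req] sections below are the ones read by `openssl ca` and
# `openssl req`.
#
# Environment variables referenced through ${ENV::...}:
#   CA_DIR          working directory for CA state (falls back to "out", below)
#   CERTIFICATE     base name of the CA's certificate, key, index and serial
#   CA_COMMON_NAME  subject CN placed in generated requests
# CERTIFICATE and CA_COMMON_NAME have no fallback in this file, so they must be
# set in the environment before the file is loaded.
#
# NOTE(review): the settings here (any subject accepted, unencrypted keys,
# ten-year validity) suit throwaway test fixtures only. Keep the output
# directory out of any trust store or deployment artifact.

# Default-section value. OpenSSL consults the default section when an
# ${ENV::name} lookup finds nothing in the environment, so this acts as the
# fallback for ${ENV::CA_DIR}.
CA_DIR = out

[ca]
default_ca = CA_root
# Keep the subject DN field order exactly as it appears in the request.
preserve = yes

# The default test root, used to generate certificates and CRLs.
[CA_root]
dir = ${ENV::CA_DIR}
database = ${dir}/${ENV::CERTIFICATE}-index.txt
new_certs_dir = ${dir}
serial = ${dir}/${ENV::CERTIFICATE}-serial
certificate = ${dir}/${ENV::CERTIFICATE}.pem
# CA signing key. It sits in the same directory as the issued certificates, so
# anyone who can read ${dir} can read the key; restrict access to it.
private_key = ${dir}/${ENV::CERTIFICATE}.key
RANDFILE = ${dir}/rand
# Validity of issued certificates, in days (about ten years).
default_days = 3650
# Days until the next CRL is due.
default_crl_days = 30
default_md = sha256
# Every subject field is optional under this policy (see [policy_anything]),
# so the CA signs whatever subject the request carries.
policy = policy_anything
# Permit several valid certificates with the same subject in the database.
unique_subject = no

# No x509_extensions or crl_extensions key in [CA_root] points at the three
# sections below, so they are presumably selected by the caller on the command
# line (`-extensions` / `-crlexts`) - confirm against the invoking script.

[user_cert]
# Extensions to add when signing a request for an EE cert
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
# "always" makes signing fail if the issuer's key identifier is unavailable.
authorityKeyIdentifier = keyid:always
# One certificate is valid for both TLS server and TLS client authentication.
extendedKeyUsage = serverAuth,clientAuth

[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
# No pathlen is given, so the depth of the chain below this CA is unconstrained.
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
# Left disabled by the author; CA certificates signed with this section carry
# no authority key identifier.
#authorityKeyIdentifier = keyid:always
# Limits the key to signing certificates and CRLs.
keyUsage = critical, keyCertSign, cRLSign

[crl_extensions]
# Extensions to add when signing a CRL
authorityKeyIdentifier = keyid:always

[policy_anything]
# Default signing policy
# All fields optional: nothing in the request subject is required to be present
# or to match the CA's own subject.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[req]
# The request section used to generate certificate requests.
default_bits = 2048
default_md = sha256
string_mask = utf8only
# Take the subject from [req_env_dn] instead of prompting interactively.
prompt = no
# Private keys generated by `openssl req` are written without a passphrase.
encrypt_key = no
distinguished_name = req_env_dn

[req_env_dn]
CN = ${ENV::CA_COMMON_NAME}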