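# Entry point for `openssl ca`: names the section that holds the CA settings.
[ ca ]
default_ca = CA_default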
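# Settings used by `openssl ca` when signing. All paths are relative to the
# directory the command is run from.
# This section sets no certificate, private_key or default_days, so the CA
# certificate, its key and the validity period have to be given on the
# command line (-cert, -keyfile, -days).
# copy_extensions is not set either; OpenSSL's default is to ignore extensions
# carried in the request, so a requester cannot add extensions of its own.
[ CA_default ]
# Directory that receives a copy of every issued certificate.
new_certs_dir = .
# Issuance/revocation database and next-serial file. Both are CA state:
# keep them writable only by the CA operator.
database = ./index.txt
serial = ./serial
# Digest used when signing certificates.
default_md = sha256
# Subject-field policy applied to every request.
policy = policy_min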
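# Settings for `openssl req`: points at the section describing the subject DN.
[ req ]
distinguished_name = def_distinguished_name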
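# Empty DN section: no subject fields or defaults are defined here, so the
# subject is presumably supplied with -subj on the command line.
[ def_distinguished_name ]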
# Extensions
#   Individual extensions can also be given on the command line:
#   -addext "name = value"
#
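[ v3_ca ]
# Extensions for a typical Root CA.
# CA:TRUE without pathlen: the depth of the chain below this root is not limited.
basicConstraints = critical, CA:TRUE
# keyCertSign and cRLSign are what a CA needs. digitalSignature additionally
# lets the CA key sign other data (e.g. OCSP responses signed directly by the
# CA); drop it if the key is used only for certificates and CRLs.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
# keyid:always makes signing fail if the issuer's key identifier cannot be
# determined.
authorityKeyIdentifier = keyid:always,issuer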
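[ v3_int_ca ]
# Extensions for a typical intermediate CA.
# NOTE(review): no pathlen is set, so a CA certificate issued with this section
# may itself sign further subordinate CAs. If this intermediate should only
# issue end-entity certificates, constrain it with:
#   basicConstraints = critical, CA:TRUE, pathlen:0
basicConstraints = critical, CA:TRUE
# keyCertSign and cRLSign are what a CA needs. digitalSignature additionally
# lets the CA key sign other data (e.g. OCSP responses signed directly by the
# CA); drop it if the key is used only for certificates and CRLs.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
# keyid:always makes signing fail if the issuer's key identifier cannot be
# determined.
authorityKeyIdentifier = keyid:always,issuer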
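[ usr_cert ]
# Extensions for user end certificates.
# CA:FALSE: the certificate must not be accepted as an issuer of other
# certificates.
basicConstraints = CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# Client authentication and e-mail protection only; serverAuth is not included,
# so verifiers that enforce EKU will not accept these certificates for TLS
# servers.
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
# Without ":always", a missing issuer key identifier is not an error.
authorityKeyIdentifier = keyid,issuer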
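# Subject policy referenced by CA_default: only commonName is required.
# Nothing here uses "match", so the CA does not tie request subjects to its own
# DN; subject contents have to be vetted by the operator before signing.
# Fields not listed in the policy are dropped from the issued subject unless
# -preserveDN is given.
[ policy_min ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional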