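# OpenSSL configuration for a test certificate authority. The [req] section
# drives `openssl req`; the [ca] / [CA_root] sections drive `openssl ca`.
#
# TEST USE ONLY. This profile signs any subject, writes private keys
# unencrypted and issues certificates valid for ten years. Nothing issued
# from it should be added to a production trust store.
#
# Environment variables expanded below:
#   CA_DIR          output directory; falls back to the default set just below
#   CERTIFICATE     base name of the CA's files; no default is defined here,
#                   so it must be set in the environment
#   CA_COMMON_NAME  subject CN for generated requests; no default is defined
#                   here, so it must be set in the environment

# Default used when CA_DIR is not set in the environment. It must stay above
# the first ${ENV::CA_DIR} expansion for the fallback to apply.
CA_DIR = out

[ca]
default_ca = CA_root
# Keep the DN field order from the request instead of the policy order.
preserve = yes

# The default test root, used to generate certificates and CRLs.
[CA_root]
dir = ${ENV::CA_DIR}
database = ${dir}/${ENV::CERTIFICATE}-index.txt
new_certs_dir = ${dir}
serial = ${dir}/${ENV::CERTIFICATE}-serial
certificate = ${dir}/${ENV::CERTIFICATE}.pem
# Written without a passphrase (see encrypt_key in [req]); restrict access to
# ${dir} and never reuse these keys outside tests.
private_key = ${dir}/${ENV::CERTIFICATE}.key
RANDFILE = ${dir}/rand
# Days. Ten years keeps test fixtures from expiring; too long for a real CA.
default_days = 3650
# Days until nextUpdate of a generated CRL.
default_crl_days = 30
default_md = sha256
# policy_anything makes every DN field optional, so no subject is rejected.
policy = policy_anything
# Allows several valid certificates with the same subject in the database.
unique_subject = no

[user_cert]
# Extensions to add when signing a request for an EE cert
# No keyUsage is set here; the certificate is limited by extendedKeyUsage only.
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
# "always" makes signing fail if the issuer has no subject key identifier.
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth,clientAuth
# Loopback only: these certificates validate for 127.0.0.1 and nothing else.
subjectAltName = IP:127.0.0.1

[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
# No pathlen constraint is set, so a CA issued with this section can itself
# issue further CA certificates. No authorityKeyIdentifier is added; use
# [ca_cert_with_aki] when one is wanted.
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign

[ca_cert_with_aki]
# Extensions to add when signing a request for an intermediate/CA cert
# Same as [ca_cert] plus an authorityKeyIdentifier taken from the issuer.
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, keyCertSign, cRLSign

[crl_extensions]
# Extensions to add when signing a CRL
authorityKeyIdentifier = keyid:always

[policy_anything]
# Default signing policy
# Every field is optional: the CA does not require or match any DN component.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[req]
# The request section used to generate certificate requests.
# RSA key size in bits for newly generated keys.
default_bits = 2048
default_md = sha256
string_mask = utf8only
# Non-interactive: the subject comes from [req_env_dn], not from prompts.
prompt = no
# Private keys are written unencrypted so scripts can run unattended.
encrypt_key = no
distinguished_name = req_env_dn

[req_env_dn]
# The subject is a single CN taken from the environment.
CN = ${ENV::CA_COMMON_NAME}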