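# OpenSSL configuration for a small CA (read by `openssl ca` / `openssl req`).
#
# Default-section fallbacks for the ${ENV::...} lookups used below. OpenSSL
# uses these values only when the environment variable of the same name is
# not set.
#   CA_DIR  - directory holding the CA key, certificate, index and serial files
#   CA_NAME - basename shared by those files
CA_DIR=out
CA_NAME=policy-root
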
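[ca]
# CA section `openssl ca` uses when no -name option is given.
default_ca = CA_root
# Keep the subject DN fields in the order they appear in the request instead
# of reordering them to follow the policy section.
preserve   = yes
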
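[CA_root]
# Working directory for all CA state; the signing key lives here too, so it
# should be readable only by the account that runs the CA.
dir           = ${ENV::CA_DIR}
# NOTE(review): key_size and algo are not settings documented for `openssl ca`;
# presumably they are read by the tooling that drives this file. Confirm.
key_size      = 2048
# SHA-256 replaces SHA-1 here, which is collision-prone and rejected by
# current verifiers.
algo          = sha256
database      = $dir/${ENV::CA_NAME}-index.txt
new_certs_dir = $dir
serial        = $dir/${ENV::CA_NAME}-serial
certificate   = $dir/${ENV::CA_NAME}.pem
private_key   = $dir/${ENV::CA_NAME}.key
RANDFILE      = $dir/.rand
# Issued certificates are valid for 3650 days, CRLs for 30 days.
default_days     = 3650
default_crl_days = 30
# Signature digest for issued certificates and CRLs (was sha1).
default_md       = sha256
# [policy_anything] marks every DN field optional, so the CA places no
# constraint on the subject a requester asks for.
policy           = policy_anything
# Allows several valid certificates with the same subject DN.
unique_subject   = no
# Extensions in the request that the chosen extension section does not set
# are copied into the certificate. This section sets no x509_extensions, so
# issuance is presumably run with -extensions; without one, a request's own
# basicConstraints (including CA:true) would be copied as-is. Inspect the
# request before signing.
copy_extensions  = copy
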
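[user_cert]
# Extensions for end-entity certificates. No key in this file references the
# section, so it is presumably selected with -extensions. Confirm.
# basicConstraints is set here, so copy_extensions = copy in [CA_root] cannot
# take a CA:true from the request; extensions not listed here (keyUsage,
# subjectAltName, ...) are still copied from the request.
basicConstraints       = critical, CA:false
extendedKeyUsage       = serverAuth, clientAuth
# NOTE(review): 1.2.3.4 looks like a placeholder policy OID. Confirm.
certificatePolicies    = 1.2.3.4
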
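[ca_cert]
# Extensions for a CA certificate. CA:true carries no pathlen, so the depth of
# CAs that may be issued beneath it is not limited by this extension.
basicConstraints       = critical, CA:true
# Key may sign certificates and CRLs as well as produce digital signatures.
keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
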
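[intermediate_cert]
# Extensions for an intermediate CA that asserts certificate policies.
# CA:true carries no pathlen, so chain depth below it is not limited here.
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
# requireExplicitPolicy:0 = no further certificates may appear in the path
# before an explicit policy is required (RFC 5280, section 4.2.1.11).
# NOTE(review): RFC 5280 says conforming CAs MUST mark policyConstraints
# critical; it is non-critical here. Confirm whether that is intentional.
policyConstraints      = requireExplicitPolicy:0
# Policy OIDs asserted by the intermediate; they look like placeholder
# values. Confirm.
certificatePolicies    = 1.2.3.4, 1.2.3.4.5, 1.2.3.5
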
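[policy_anything]
# Default signing policy: every subject DN field is optional, so the CA
# neither requires nor matches any field against its own DN. Subject content
# has to be vetted before the request reaches `openssl ca`.
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = optional
emailAddress           = optional
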
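[req]
# Defaults for `openssl req` when generating keys and requests.
default_bits       = 2048
# Digest used to sign the request (was sha1, which is collision-prone and
# rejected by current verifiers).
default_md         = sha256
string_mask        = utf8only
# Take the subject from [req_env_dn] without prompting.
prompt             = no
# Generated private keys are written without a passphrase; rely on file
# permissions of the output directory to protect them.
encrypt_key        = no
distinguished_name = req_env_dn
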
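[req_env_dn]
# Subject DN for generated requests: a single CN taken verbatim from the
# COMMON_NAME environment variable. No fallback for COMMON_NAME is visible in
# the default section, so it must be set in the environment or OpenSSL fails
# to expand this value when loading the file.
CN = ${ENV::COMMON_NAME}
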
61