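# OpenSSL CA configuration for an example PKI: one root CA (./example_ca/root)
# and two intermediate CAs (./example_ca/sub for TLS, ./example_ca/email for
# S/MIME). Read by `openssl ca`, `openssl req` and `openssl x509`; `$dir` is
# expanded by OpenSSL's own config parser, not by a generic INI reader.
# Comments are full-line `#` only.

# Extension section selected when this file is passed via `openssl x509 -extfile`
# without an explicit -extensions option.
# NOTE(review): no [v3_ext] section is defined in this file — confirm it exists
# elsewhere or that this key is unused.
extensions = v3_ext

[ca]
# CA section used by `openssl ca` when no -name is given on the command line.
default_ca = sub_ca

# Root CA: signs the two intermediate CAs (and their CRLs). Its own self-signed
# certificate is produced with `openssl req -x509` using [root_ca] below.
[rootca]
dir = ./example_ca/root
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
crl = $dir/crl.pem
certificate = $dir/ca.crt.pem
private_key = $dir/private/ca.key.pem
# Ignored by OpenSSL 1.1.1 and later; kept for older builds.
RANDFILE = $dir/private/.rand
# Subject-DN rules for requests this CA will sign; -policy on the command line overrides.
policy = policy_any
# no: several valid certificates may share one subject DN (renewal without revocation).
unique_subject = no
# no: emailAddress is stripped from the subject DN; it belongs in subjectAltName.
email_in_dn = no
# none: extensions present in a CSR are never copied into the issued certificate,
# so a requester cannot carry CA:true or extra key usages through the request.
copy_extensions = none
default_md = sha256
# days (5 years) — intermediate CA certificates
default_days = 1825
# days
default_crl_days = 30

# TLS issuing CA. Extension profile for its own certificate is [ext_sub_ca].
[sub_ca]
dir = ./example_ca/sub
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
crl = $dir/crl.pem
certificate = $dir/ca.crt.pem
private_key = $dir/private/ca.key.pem
# Ignored by OpenSSL 1.1.1 and later; kept for older builds.
RANDFILE = $dir/private/.rand
# `openssl ca` refuses to run without a policy; the original section had none, so
# it only worked with -policy on the command line. Same rules as the root CA.
policy = policy_any
unique_subject = no
email_in_dn = no
# Explicit: never copy CSR extensions (this is also the OpenSSL default).
copy_extensions = none
default_md = sha256
# days (1 year) — end-entity certificates
default_days = 365
# days
default_crl_days = 30

# S/MIME issuing CA. Extension profile for its own certificate is [ext_email_ca];
# leaf certificates use [email_ext].
[email_ca]
dir = ./example_ca/email
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
crl = $dir/crl.pem
certificate = $dir/ca.crt.pem
private_key = $dir/private/ca.key.pem
# Ignored by OpenSSL 1.1.1 and later; kept for older builds.
RANDFILE = $dir/private/.rand
# `openssl ca` refuses to run without a policy; the original section had none, so
# it only worked with -policy on the command line. Same rules as the root CA.
policy = policy_any
unique_subject = no
# The emailAddress is removed from the subject DN; [email_ext] copies it into a
# subjectAltName rfc822Name so S/MIME clients can still match the certificate.
email_in_dn = no
# Explicit: never copy CSR extensions (this is also the OpenSSL default).
copy_extensions = none
default_md = sha256
# days (1 year)
default_days = 365
# days
default_crl_days = 30

# Subject-DN policy: C and O must equal the issuing CA's; CN is required.
[policy_any]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Minimal policy (CN only). Not referenced by any CA section in this file;
# usable via `openssl ca -policy policy_match`.
[policy_match]
commonName = supplied

# Extension profile for S/MIME end-entity certificates issued by [email_ca].
[email_ext]
basicConstraints = critical,CA:false
# NOTE(review): RFC 5280 recommends marking keyUsage critical; value left as found.
keyUsage = keyEncipherment,digitalSignature,nonRepudiation
extendedKeyUsage = clientAuth,emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Added: with email_in_dn = no the emailAddress is dropped from the subject, and
# without a SAN the certificate would carry no e-mail address at all. email:copy
# copies the request's emailAddress into an rfc822Name SAN.
subjectAltName = email:copy
# 1.3.6.1.5.5.7.48.2 is id-ad-caIssuers.
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints = URI:http://crl.example.org/email.crl

# Defaults for `openssl req` (key generation, CSRs, and the self-signed root).
[req]
default_bits = 3072
# Where a newly generated key is written when -keyout is not given (relative to the
# working directory, not $dir).
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions applied only with `req -x509`, i.e. the self-signed root certificate.
x509_extensions = root_ca

# Prompts and constraints for the subject DN.
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CH
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
# ub-common-name upper bound from RFC 5280
commonName_max = 64

# No request attributes (e.g. no challengePassword prompt); section must exist
# because [req] references it.
[req_attributes]

# Extension profile for the self-signed root certificate (no pathlen: the root
# may issue further CAs).
[root_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

# Extension profile for the TLS intermediate CA certificate, signed by [rootca].
[ext_sub_ca]
# pathlen:0 — this CA may issue end-entity certificates only, no further sub-CAs.
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
# NOTE(review): several validators apply a CA's EKU to the leaves it issues, so
# this CA is effectively limited to TLS server/client certificates — confirm intended.
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# 1.3.6.1.5.5.7.48.2 is id-ad-caIssuers.
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints = URI:http://crl.example.org/sub.crl
certificatePolicies = @policy_sub_ca

# Extension profile for the S/MIME intermediate CA certificate, signed by [rootca].
[ext_email_ca]
# pathlen:0 — end-entity certificates only.
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = clientAuth,emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# 1.3.6.1.5.5.7.48.2 is id-ad-caIssuers.
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints = URI:http://crl.example.org/email.crl
certificatePolicies = @policy_email_ca

# certificatePolicies contents for the TLS intermediate (1.3.6.1.5.5.7.2.1 = id-qt-cps).
[policy_sub_ca]
policyIdentifier = 1.3.6.1.5.5.7.2.1
CPS = http://example.org/ca/sub/cps.html

# certificatePolicies contents for the S/MIME intermediate (1.3.6.1.5.5.7.2.1 = id-qt-cps).
[policy_email_ca]
policyIdentifier = 1.3.6.1.5.5.7.2.1
CPS = http://example.org/ca/email/cps.html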