community-website/ca.cnf

extensions = v3_ext

[ca]
default_ca = sub_ca

[rootca]
dir              = ./example_ca/root
certs            = $dir/certs
crl_dir          = $dir/crl
database         = $dir/index.txt
serial           = $dir/serial
new_certs_dir    = $dir/newcerts

crl              = $dir/crl.pem
certificate      = $dir/ca.crt.pem
private_key      = $dir/private/ca.key.pem
RANDFILE         = $dir/private/.rand

policy           = policy_any
unique_subject   = no
email_in_dn      = no
copy_extensions  = none

default_md       = sha256
default_days     = 1825
default_crl_days = 30

[sub_ca]
dir              = ./example_ca/sub
certs            = $dir/certs
crl_dir          = $dir/crl
database         = $dir/index.txt
serial           = $dir/serial
new_certs_dir    = $dir/newcerts

crl              = $dir/crl.pem
certificate      = $dir/ca.crt.pem
private_key      = $dir/private/ca.key.pem
RANDFILE         = $dir/private/.rand
unique_subject   = no
email_in_dn      = no

default_md       = sha256
default_days     = 365
default_crl_days = 30

[email_ca]
dir              = ./example_ca/email
certs            = $dir/certs
crl_dir          = $dir/crl
database         = $dir/index.txt
serial           = $dir/serial
new_certs_dir    = $dir/newcerts

crl              = $dir/crl.pem
certificate      = $dir/ca.crt.pem
private_key      = $dir/private/ca.key.pem
RANDFILE         = $dir/private/.rand
unique_subject   = no
email_in_dn      = no

default_md       = sha256
default_days     = 365
default_crl_days = 30

[policy_any]
countryName            = match
stateOrProvinceName    = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[policy_match]
commonName      = supplied

[email_ext]
basicConstraints       = critical,CA:false
keyUsage               = keyEncipherment,digitalSignature,nonRepudiation
extendedKeyUsage       = clientAuth,emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints  = URI:http://crl.example.org/email.crl

[req]
default_bits       = 3072
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
attributes         = req_attributes
x509_extensions    = root_ca

[req_distinguished_name]
countryName            = Country Name (2 letter code)
countryName_default    = CH
countryName_min        = 2
countryName_max        = 2

localityName           = Locality Name (eg, city)

organizationName       = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)

commonName             = Common Name (e.g. server FQDN or YOUR name)
commonName_max         = 64

[req_attributes]

[root_ca]
basicConstraints       = critical,CA:true
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash

[ext_sub_ca]
basicConstraints       = critical,CA:true,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
extendedKeyUsage       = serverAuth,clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints  = URI:http://crl.example.org/sub.crl
certificatePolicies    = @policy_sub_ca

[ext_email_ca]
basicConstraints       = critical,CA:true,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
extendedKeyUsage       = clientAuth,emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints  = URI:http://crl.example.org/email.crl
certificatePolicies    = @policy_email_ca

[policy_sub_ca]
policyIdentifier       = 1.3.6.1.5.5.7.2.1
CPS                    = http://example.org/ca/sub/cps.html

[policy_email_ca]
policyIdentifier       = 1.3.6.1.5.5.7.2.1
CPS                    = http://example.org/ca/email/cps.html