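# OpenSSL configuration for a small test CA (the DN defaults further down
# name it "Test CA").
#
# Keys that appear before the first [ section ] header live in OpenSSL's
# default section. A lookup that misses in a named section falls back to the
# default section, which is how [ CA_default ] picks up the paths below.
#
# All paths are relative to the directory openssl is started from, and
# new_certs_dir is the same directory that holds the CA private key.
# Keep that directory (and cakey.pem in particular) readable only by the
# CA operator.
base_dir      = .
certificate   = $base_dir/cacert.pem   # The CA certificate
private_key   = $base_dir/cakey.pem    # The CA private key
new_certs_dir = $base_dir              # Location for new certs after signing
database      = $base_dir/index.txt    # Database index file
serial        = $base_dir/serial.txt   # The current serial number

unique_subject = no  # Set to 'no' to allow creation of
                     # several certificates with same subject.

# Fallback so that $ENV::HOME below still resolves when HOME is not set
# in the environment.
HOME            = .
# Random seed file for the openssl command-line tool.
RANDFILE        = $ENV::HOME/.rnd
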
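####################################################################
# Entry point for `openssl ca`: names the section holding the CA settings.
[ ca ]
default_ca    = CA_default      # The default ca section
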
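[ CA_default ]

# Validity of issued certificates, in days (10000 days is roughly 27 years).
# Reasonable only for a throwaway test CA; pass -days on the command line
# to issue shorter-lived certificates.
default_days     = 10000
default_crl_days = 30           # How long before next CRL
default_md       = sha256       # Digest used when signing certificates and CRLs
preserve         = no           # Keep passed DN ordering

# Extensions applied when `openssl ca` is run without -extensions.
# NOTE(review): ca_extensions sets basicConstraints CA:true, so a request
# signed without an explicit -extensions <section> (for example signing_req)
# is issued as a CA certificate. Make sure every signing command names the
# extension section it intends to use.
x509_extensions = ca_extensions

email_in_dn     = no            # Don't concat the email in the DN

# Copies extensions from the CSR into the certificate when the extension
# section in use does not already set them; this is what carries SANs over.
# Those extensions are chosen by the requester, so inspect each CSR before
# signing (e.g. `openssl req -text -noout -in <csr>`) and sign only with an
# extension section that sets basicConstraints and keyUsage itself.
copy_extensions = copy

# No `policy` key is set in the visible file, so -policy has to be given on
# the `openssl ca` command line (signing_policy is the policy section
# defined in this file).
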
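####################################################################
# Settings for `openssl req`. The key file name, DN section and extension
# section all point at the CA, so this section is presumably used to create
# the CA's own key and self-signed certificate; confirm against the commands
# that use this file.
[ req ]
# RSA key size in bits for a newly generated key.
default_bits       = 4096
# File the new private key is written to. No encrypt_key setting is present,
# so whether the key is passphrase-protected depends on the command line;
# leave it protected for anything other than a disposable test CA.
default_keyfile    = cakey.pem
# Section that supplies the DN prompts and defaults.
distinguished_name = ca_distinguished_name
# Extensions added when `openssl req -x509` writes a self-signed certificate.
x509_extensions    = ca_extensions
# Encode DN strings as UTF8String only.
string_mask        = utf8only
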
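####################################################################
# DN fields requested by `openssl req`. Each field has a prompt string and a
# <field>_default value offered when the prompt is answered with Enter.
# The defaults describe a test CA; replace them before reusing this file.
[ ca_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = US

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Maryland

localityName                = Locality Name (eg, city)
localityName_default        = Baltimore

organizationName            = Organization Name (eg, company)
organizationName_default    = Test CA, Limited

organizationalUnitName         = Organizational Unit (eg, division)
organizationalUnitName_default = Server Research Department

commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA

emailAddress         = Email Address
emailAddress_default = test@example.com
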
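####################################################################
# Extensions for a CA certificate. Referenced by [ req ] (self-signed CA
# certificate) and, as the default, by [ CA_default ].
[ ca_extensions ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
# Marks the certificate as a CA. No pathlen is given, so the number of
# subordinate CA levels below this certificate is unconstrained; add
# pathlen:0 if this CA should only ever issue end-entity certificates.
basicConstraints       = critical, CA:true
# Limits the key to signing certificates and CRLs. The extension is not
# marked critical here; RFC 5280 recommends that CAs mark keyUsage critical.
keyUsage               = keyCertSign, cRLSign
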
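####################################################################
# Subject DN policy for `openssl ca -policy signing_policy`.
#   supplied = the field must be present in the request
#   optional = the field may be present
# No field is set to `match`, so apart from requiring a commonName the
# subject is accepted as the requester wrote it. Review the subject of each
# CSR before signing.
[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
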
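####################################################################
# Extensions for end-entity (non-CA) certificates, selected with
# `openssl ca -extensions signing_req`.
# basicConstraints and keyUsage are set here, so copy_extensions = copy in
# [ CA_default ] does not take those two from the CSR. Any other extension
# in the CSR (subjectAltName, extendedKeyUsage, ...) is still copied as the
# requester supplied it.
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
# The issued certificate cannot act as a CA.
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
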