basicConstraints        = CA:false
nsCertType              = %(usage)s
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth, serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid, issuer:always
subjectAltName          = @subject_alt_name
issuerAltName           = issuer:copy
crlDistributionPoints   = @cdp_section

[ subject_alt_name ]
%(alt_names)s

[ cdp_section ]
URI.1 = %(crl_url)s