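# OpenSSL configuration template for a certificate authority.
#
# Values written as percent-parenthesis placeholders are presumably filled in
# by the generating program before OpenSSL reads this file (TODO confirm).
# NOTE(review): substituted values land in the file verbatim, so the caller
# should reject quotes, newlines and dollar signs in them. A literal percent
# sign added to this template would likely be read as a placeholder, so keep
# them out of comments and values.

# Seed file for the random number generator. CAROOT must be set in the
# environment of every openssl invocation that uses this file.
RANDFILE = ${ENV::CAROOT}/.random

[ ca ]
default_ca = CA_default

# Layout and signing defaults used by "openssl ca".
[ CA_default ]
dir = ${ENV::CAROOT}
certs = $dir/public/certs
crl_dir = $dir/public/crl
crl = $dir/public/crl.pem
crlnumber = $dir/crlnumber
database = $dir/index
serial = $dir/serial
new_certs_dir = $dir/newcerts
certificate = $dir/public/ca.pem
# CA signing key. Keep the private directory readable by the CA operator only.
private_key = $dir/private/ca.key
x509_extensions = certificate_extensions
# Drop the e-mail address from the subject DN of issued certificates.
email_in_dn = no
default_days = %(default_days)s
default_crl_days = 31
# Was sha1. SHA-1 signatures are widely rejected by current clients and
# libraries, so issued certificates and CRLs are signed with SHA-256.
default_md = sha256
# Keep the DN field order of the request instead of the policy order.
preserve = yes
policy = policy_match

# Default policy: country, organization and common name are mandatory.
# No field is set to "match", so request values are not compared to the CA DN.
[ policy_match ]
countryName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Alternative policy (not the default): only the common name is mandatory.
[ policy_anything ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Defaults used by "openssl req" when creating the CA key and certificate.
[ req ]
# NOTE(review): the key size comes from the caller; it should enforce a
# minimum (2048 bits or more for RSA) before filling this in.
default_bits = %(bits)s
# Was sha1; see the note on default_md in CA_default.
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions added when req produces a self-signed certificate.
x509_extensions = v3_ca
# NOTE(review): legacy setting; current OpenSSL documentation recommends
# utf8only. Left unchanged because it alters how DN strings are encoded.
string_mask = nombstr

# Prompts and defaults for the subject DN of the CA certificate.
[ req_distinguished_name ]
countryName = Country Name
countryName_default = "%(country)s"
countryName_min = 2
countryName_max = 2
0.organizationName = Organization Name
0.organizationName_default = "%(org)s"
organizationalUnitName = Organizational Unit Name
organizationalUnitName_default = "%(ou)s"
commonName = Common Name
commonName_max = 64
commonName_default = "%(cn)s"
SET-ex3 = SET extension number 3

[ req_attributes ]

# NOTE(review): this section is empty, so certificates issued through
# CA_default carry no extensions from this file (no basicConstraints, keyUsage
# or subjectAltName). Confirm that is intended, or that the caller supplies an
# extension section at signing time.
[ certificate_extensions ]

# Extensions of the self-signed CA certificate.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Marked critical so that validators must honour the CA flag.
basicConstraints = critical, CA:true
# Restricts the CA key to signing certificates and CRLs.
keyUsage = cRLSign, keyCertSign
# Netscape extensions are obsolete; kept for compatibility with old clients.
nsCertType = sslCA, emailCA, objCA
nsComment = "%(cn)s"
subjectAltName = @ca_alt_name
issuerAltName = issuer:copy

[ ca_alt_name ]
email = "%(email)s"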