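# OpenSSL configuration for a two-tier CA (self-signed root -> intermediate)
# with signing profiles for server, client, client+server, e-mail,
# e-mail+client and object-signing certificates.
# Consumed by `openssl req` (CSRs, self-signed root) and
# `openssl ca -name <profile>` (issuance, CRLs).
#
# Keys above the first [section] land in OpenSSL's unnamed default section;
# `req` and `ca` fall back to it for any key a named section omits, so the
# paths, digest and CRL lifetime below apply to every profile unless the
# profile overrides them (as [ cacert ] does for certificate/private_key).
#
# Changed from the original: default_md md5 -> sha256 and default_bits
# 1024 -> 2048 (see the comments on those keys).

# All paths are relative to the working directory: run openssl from the CA
# directory, or set HOME to an absolute path.
HOME = .
RANDFILE = $HOME/openssl.rnd
certs = $HOME/certs
new_certs_dir = $HOME/newcerts
crl_dir = $HOME/crl
# Intermediate CA; used by every profile that does not override these two.
certificate = $HOME/certs/ca.crt
private_key = $HOME/private/ca.key
# Issuance index and next serial; shared by all profiles, including [ cacert ]
# (the root-signing profile), via the default-section fallback.
database = $HOME/ca.db.index
serial = $HOME/ca.db.serial
crl = $HOME/crl/crl.crl
# CRL nextUpdate = now + default_crl_days*24h + default_crl_hours.
default_crl_days = 30
default_crl_hours = 12
# Signature digest for CSRs, the self-signed root and every issued
# certificate.  Was md5, which is collision-broken and refused as a
# certificate signature by current TLS stacks; sha256 is the floor today.
default_md = sha256
# Build the subject DN in policy order rather than preserving CSR order.
preserve = no

[ ca ]
# Profile used when `openssl ca` runs without -name.
default_ca = server

[ req ]
# RSA key size for `openssl req -newkey rsa`.  Was 1024, which has been
# deprecated by NIST since 2013 and is below the 2048-bit minimum that
# browsers and the CA/Browser Forum baseline require.
default_bits = 2048
distinguished_name = req_name
req_extensions = req_ext # extensions to add to request

[ req_name ]
# Prompts and length limits used by `openssl req` when building the subject.
countryName = Country name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Full state or province
localityName = Location (city)
organizationName = Organization Name (company)
organizationalUnitName = Organizational unit
commonName = Common name (hostname, email)
commonName_max = 64
emailAddress = Email address
emailAddress_max = 40

[ req_ext ]
# Extensions placed in CSRs.  `openssl ca` ignores CSR extensions unless
# copy_extensions is set, so the signing profile's x509_extensions govern
# what the issued certificate carries.
basicConstraints = CA:false

[ root_ext ]
# Self-signed root (`openssl req -x509 -extensions root_ext`); may issue one
# tier of subordinate CAs (pathlen:1).
basicConstraints = CA:true, pathlen:1
keyUsage = cRLSign, keyCertSign
# nsCertType is a legacy Netscape extension kept for old clients; modern
# validators rely on keyUsage/extendedKeyUsage instead.
nsCertType = sslCA, emailCA, objCA
subjectKeyIdentifier = hash
nsComment = "OpenSSL-generated root certificate authority"

[ cacert ]
# Signs the intermediate CA with the root key (`openssl ca -name cacert`).
# Overrides the default certificate/private_key but still uses the shared
# database/serial above.
x509_extensions = ca_ext
# 5 years
default_days = 1826
policy = root_policy
certificate = $HOME/certs/root.crt
private_key = $HOME/private/root.key

# End-entity profiles, all issued by the intermediate CA for one year.

[ server ]
x509_extensions = server_ext
default_days = 365
policy = common_policy

[ client ]
x509_extensions = client_ext
default_days = 365
policy = common_policy

[ cliserv ]
x509_extensions = cliserv_ext
default_days = 365
policy = common_policy

[ email ]
x509_extensions = email_ext
default_days = 365
policy = common_policy

[ emailcli ]
x509_extensions = emailcli_ext
default_days = 365
policy = common_policy

[ objsign ]
x509_extensions = objsign_ext
default_days = 365
policy = objsign_policy

[ ca_ext ]
# Intermediate CA: issues end-entity certificates only (pathlen:0).
basicConstraints = CA:true, pathlen:0
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, emailCA, objCA
nsComment = "OpenSSL-generated certificate authority"
subjectKeyIdentifier = hash
# keyid plus issuer-name/serial; keyid alone is what RFC 5280 recommends.
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy

[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth
nsComment = "OpenSSL-generated server certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
# email:copy only copies e-mail addresses out of the subject DN; it yields no
# DNS name, and current clients match hostnames against DNS SANs rather than
# the CN.  Supply DNS: entries (e.g. via -extfile/-extensions) when issuing.
subjectAltName = email:copy
issuerAltName = issuer:copy

[ client_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature
nsCertType = client
extendedKeyUsage = clientAuth
nsComment = "OpenSSL-generated client authentication certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy

[ cliserv_ext ]
# Dual-use profile; the DNS SAN note under [ server_ext ] applies here too.
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = server, client
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL-generated client and server authentication certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy

[ email_ext ]
# S/MIME: the subject e-mail is copied into the SAN, where mail clients
# look for it.
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = email
extendedKeyUsage = emailProtection
nsComment = "OpenSSL-generated email (S/MIME) certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy

[ emailcli_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = email, client
extendedKeyUsage = emailProtection, clientAuth
nsComment = "OpenSSL-generated email (S/MIME) and client certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy

[ objsign_ext ]
basicConstraints = CA:false
# Unlike the other profiles keyUsage is not marked critical here, and no
# extendedKeyUsage (e.g. codeSigning) is set; nsCertType alone conveys intent.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
nsCertType = objsign
nsComment = "OpenSSL-generated object signing certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy

# Subject policies: match = must equal the CA's value, supplied = must be
# present, optional = copied if present.

[ root_policy ]
# Used when the root signs the intermediate.
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied

[ common_policy ]
# End-entity certificates must share the CA's organization.
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied

[ objsign_policy ]
# Object-signing certificates may name a different organization.
countryName = match
stateOrProvinceName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied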