[ ca ]
default_ca              = defaultCA

[ defaultCA ]
dir                     = .                     # Where everything is kept
new_certs_dir           = $ENV::BIN             # Default place for new certs
certificate             = $ENV::BIN/ca.crt      # The CA certificate
database                = $ENV::BIN/ca.db       # Database index file
serial                  = $ENV::BIN/ca.srl      # The current serial number
private_key             = $ENV::BIN/ca.key      # The private key
default_crl_days        = 7                     # How long before next CRL
default_days            = 3650                  # How long to certify for
default_md              = default               # Which md to use
policy                  = policyMatch
x509_extensions         = client
copy_extensions         = copy
name_opt                = ca_default
cert_opt                = ca_default


[ policyMatch ]
countryName             = supplied
stateOrProvinceName     = supplied
organizationName        = supplied
organizationalUnitName  = supplied
commonName              = supplied
emailAddress            = supplied


# Keygen, requests and self-signed certs
[ req ]
default_bits            = 2048
default_keyfile         = $ENV::BIN/ca.key
default_md              = default
prompt                  = no
distinguished_name      = distinguishedName
x509_extensions         = selfExtensions        # Extensions to add to self-signed cert
req_extensions          = reqExtensions         # Extensions for certificate request


# [ reqAttributes ]


[ distinguishedName ]
countryName             = US
stateOrProvinceName     = Washington
localityName            = Seattle
0.organizationName      = Example.com
organizationalUnitName  = Licensing
commonName              = example.com
emailAddress            = licensing@example.com


[ caExtensions ]
basicConstraints        = CA:true
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
keyUsage                = cRLSign, keyCertSign, digitalSignature, keyEncipherment

[ selfExtensions ]
basicConstraints        = CA:true
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always

[ client ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid, issuer:always
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth


[ server ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth
nsComment               = "device"
#nsCertType

[ reqExtensions ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment