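# OpenSSL CA configuration for a private (test) root CA.
# Read by `openssl ca` (section [ ca ] -> [ CA ]) when signing intermediate
# CA certificates, and by `openssl req -x509` (section [ req ]) when
# creating the self-signed root certificate.
# OpenSSL config syntax: one directive per line, `#` full-line comments,
# $dir expands to the value of `dir` in the same section.

[ ca ]
default_ca = CA

[ CA ]
# Database: all paths are relative to $dir (the directory openssl runs in).
# index.txt, serial and crlnumber must exist before the first `openssl ca`
# run (index.txt empty; serial and crlnumber seeded with an initial value).
dir = .
certs = $dir/certs/
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
# Although we use $ openssl ca -rand_serial, this seems necessary.
serial = $dir/serial
# Legacy entropy seed file; not needed by current OpenSSL releases but
# harmless to keep.
RANDFILE = $dir/.rand
# Root CA key and certificate. ca.key is the trust anchor for everything
# issued below it: keep it offline / access-restricted.
private_key = $dir/ca.key
certificate = $dir/ca.crt

# CRL
crlnumber = $dir/crlnumber
crl = $dir/ca.crl
crl_extensions = crl_ext
# Root CA CRL: 1 year
default_crl_days = 365

# Cryptography
default_md = sha512

# Policy
name_opt = ca_default
cert_opt = ca_default
# Intermediate CA: 10 years
default_days = 3650
preserve = no
policy = policy_ca
# Extension profile used when `openssl ca` is invoked without -extensions.
# Without this line OpenSSL issues a V1 certificate (no basicConstraints,
# no keyUsage) whenever -extensions is omitted. `-extensions <section>` on
# the command line still overrides this default; choose it explicitly for
# anything that is not an intermediate CA.
x509_extensions = extensions_sub
# Never copy extensions out of a CSR: a requester could otherwise ask for
# CA:true, arbitrary keyUsage, or names the CA did not intend to certify.
# (none is OpenSSL's default; stated here so the choice stays deliberate.)
copy_extensions = none

[ policy_ca ]
# Subject fields accepted from an intermediate CA request: only commonName
# must be present; the others are taken from the request if supplied.
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Used by `openssl req -x509` to create the self-signed root certificate.
default_bits = 4096
distinguished_name = req_dn
string_mask = utf8only
# s/sha512/sha256/, according to Jimmy (isrg uses sha256)
default_md = sha256
# Root certificate extension profile (see [ extensions ]).
x509_extensions = extensions

[ req_dn ]
# Prompt labels and defaults for the root certificate subject.
commonName = Common Name
countryName = Country Name (2 letter code)
# For simplicity
#stateOrProvinceName = State or Province Name
#localityName = Locality Name
#0.organizationName = Organization Name
# CAB Baseline (BR) v2.0.0
# OU name must not present
# Email address is not recommended (as per Jimmy)
#organizationalUnitName = Organizational Unit Name
#emailAddress = Email Address
commonName_default = Test Root CA
countryName_default = CA
#stateOrProvinceName_default = British Columbia
#localityName_default = Vancouver
#0.organizationName_default = Yuuta Home
#organizationalUnitName_default = IT
#emailAddress_default = yuuta@yuuta.moe

[ extensions ]
# Self-signed root CA certificate profile.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Seems like it is completely unnecessary to put CRL and AIA in RootCA
# because they point to the issuer's info.
# crlDistributionPoints = crldp
# Because I don't have a real OID
#certificatePolicies = @polset
# Seems like it is unnecessary.
#authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt

[ extensions_sub ]
# Intermediate CA certificate profile (issued by the root via `openssl ca`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen: 0 -- the intermediate may issue end-entity certificates only,
# not further CAs.
basicConstraints = critical, CA:true, pathlen: 0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# CRL and issuer-certificate locations of the root (this cert's issuer).
# Plain http:// is intentional: relying parties fetch these while building
# the chain, so they must not themselves depend on a TLS chain.
crlDistributionPoints = crldp
authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt

#[ polset ]
#policyIdentifier = 1.3.6.1.4.1.191981.5.1.1
#CPS.1 = "http://home.yuuta.moe/pki/policy"
#userNotice.1 = @polset_notice
#
#[ polset_notice ]
#explicitText = "This certificate authority is for internal use only."

[ crldp ]
# Referenced by crlDistributionPoints in [ extensions_sub ].
fullname = URI:http://home.yuuta.moe/pki/rootca.crl

[ crl_ext ]
# Extensions added to CRLs generated with `openssl ca -gencrl`; the CRL
# number itself comes from the crlnumber file configured in [ CA ].
authorityKeyIdentifier = keyid:always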