# OpenSSL configuration for a test CA hierarchy.
# Read by `openssl req` (root self-signing) and `openssl ca` (issuing
# sub-CA certificates). The `extensions_sub_*` sections are selected with
# `openssl ca -extensions <name>`; only `extensions_sub_normal` is a
# well-formed CA profile, the others are presumably deliberately
# malformed to exercise chain-validation failures (inferred from names).
#
# OpenSSL config dialect: `#` comments, `$name` expands variables defined
# earlier in the same section, whitespace inside `[ ]` is ignored.

[ ca ]
# `openssl ca` reads its settings from the section named here.
default_ca = CA

[ CA ]
# Everything lives under the working directory; `dir` must be defined
# before any `$dir` reference below.
dir = .
database = $dir/index.txt
# Kept even though signing uses `openssl ca -rand_serial`: the author
# observed that `openssl ca` still expects this key to be present.
serial = $dir/serial
new_certs_dir = $dir/newcerts
certs = $dir/certs/
crl_dir = $dir/crl
# Seed file; modern OpenSSL seeds from the OS instead, so this is
# effectively unused but harmless.
RANDFILE = $dir/.rand

# CA signing key and certificate.
private_key = $dir/ca.key
certificate = $dir/ca.crt

# Signature digest for issued certificates.
default_md = sha512
# Issued sub-CA certificates are valid for 10 years.
default_days = 3650
# DN handling: fields are checked against `policy_ca`, and the subject
# is rebuilt in policy order rather than copied verbatim from the CSR.
policy = policy_ca
preserve = no
# Display options for the confirmation prompt.
name_opt = ca_default
cert_opt = ca_default
# NOTE(review): `copy_extensions` is intentionally absent, so extensions
# in a CSR are ignored and the `-extensions` section chosen at signing
# time is authoritative.

[ policy_ca ]
# Only the CN is mandatory for a sub-CA; everything else is optional.
commonName = supplied
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional

[ req ]
# Settings for generating the root CA with `openssl req -x509`.
default_bits = 4096
# Restrict DN strings to UTF8String.
string_mask = utf8only
# Changed from sha512 to sha256 per Jimmy (ISRG uses sha256).
default_md = sha256
distinguished_name = req_dn
# Extensions applied to the self-signed root certificate.
x509_extensions = extensions

[ req_dn ]
# Prompt order is the order of the un-suffixed keys below.
commonName = Common Name
countryName = Country Name (2 letter code)
commonName_default = Test Root CA
countryName_default = CA

[ extensions ]
# Root CA profile: CA:true with no pathlen, so sub-CAs of any depth are
# allowed; key usage limited to signing certificates and CRLs.
# SKID must precede AKID so `keyid:always` can resolve on a self-signed cert.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ extensions_sub_normal ]
# Well-formed sub-CA profile (same shape as the root profile).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ extensions_sub_basic_constraints_no ]
# Negative case: basicConstraints omitted entirely.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ extensions_sub_basic_constraints_wrong ]
# Negative case: basicConstraints present but CA:false.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ extensions_sub_key_usage_missing ]
# Negative case: keyUsage omitted entirely.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true

[ extensions_sub_key_usage_wrong_1 ]
# Negative case: keyUsage lacks digitalSignature.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign

[ extensions_sub_key_usage_wrong_2 ]
# Negative case: keyUsage lacks cRLSign.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign

[ extensions_sub_key_usage_wrong_3 ]
# Negative case: keyUsage lacks keyCertSign, so the key may not sign certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign