src/net/data/ssl/scripts/aia-test.cnf - cobalt - Git at Google

 CA_DIR=out
 CA_NAME=aia-test-root
 AIA_URL=http://aia-test.invalid
 HOST_NAME=aia-host.invalid

 [ca]
 default_ca = CA_root
 preserve   = yes

 [CA_root]
 dir           = ${ENV::CA_DIR}
 key_size      = 2048
 algo          = sha256
 database      = $dir/${ENV::CA_NAME}-index.txt
 new_certs_dir = $dir
 serial        = $dir/${ENV::CA_NAME}-serial
 certificate   = $dir/${ENV::CA_NAME}.pem
 private_key   = $dir/${ENV::CA_NAME}.key
 RANDFILE      = $dir/.rand
 default_days     = 3650
 default_crl_days = 30
 default_md       = sha256
 policy           = policy_anything
 unique_subject   = no
 copy_extensions  = copy

 [user_cert]
 basicConstraints       = critical, CA:false
 extendedKeyUsage       = serverAuth, clientAuth
 authorityInfoAccess    = caIssuers;URI:${ENV::AIA_URL}
 subjectAltName         = DNS:${ENV::HOST_NAME}

 [ca_cert]
 basicConstraints       = critical, CA:true
 keyUsage               = critical, keyCertSign, cRLSign

 [policy_anything]
 # Default signing policy
 countryName            = optional
 stateOrProvinceName    = optional
 localityName           = optional
 organizationName       = optional
 organizationalUnitName = optional
 commonName             = optional
 emailAddress           = optional

 [req]
 default_bits       = 2048
 default_md         = sha256
 string_mask        = utf8only
 prompt             = no
 encrypt_key        = no
 distinguished_name = req_env_dn

 [req_env_dn]
 CN = ${ENV::CA_COMMON_NAME}
	CA_DIR=out
	CA_NAME=aia-test-root
	AIA_URL=http://aia-test.invalid
	HOST_NAME=aia-host.invalid

	[ca]
	default_ca = CA_root
	preserve = yes

	[CA_root]
	dir = ${ENV::CA_DIR}
	key_size = 2048
	algo = sha256
	database = $dir/${ENV::CA_NAME}-index.txt
	new_certs_dir = $dir
	serial = $dir/${ENV::CA_NAME}-serial
	certificate = $dir/${ENV::CA_NAME}.pem
	private_key = $dir/${ENV::CA_NAME}.key
	RANDFILE = $dir/.rand
	default_days = 3650
	default_crl_days = 30
	default_md = sha256
	policy = policy_anything
	unique_subject = no
	copy_extensions = copy

	[user_cert]
	basicConstraints = critical, CA:false
	extendedKeyUsage = serverAuth, clientAuth
	authorityInfoAccess = caIssuers;URI:${ENV::AIA_URL}
	subjectAltName = DNS:${ENV::HOST_NAME}

	[ca_cert]
	basicConstraints = critical, CA:true
	keyUsage = critical, keyCertSign, cRLSign

	[policy_anything]
	# Default signing policy
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = optional
	emailAddress = optional

	[req]
	default_bits = 2048
	default_md = sha256
	string_mask = utf8only
	prompt = no
	encrypt_key = no
	distinguished_name = req_env_dn

	[req_env_dn]
	CN = ${ENV::CA_COMMON_NAME}