src/net/data/ssl/scripts/client-certs.cnf - cobalt - Git at Google

 ID=1
 CA_DIR=out

 [ca]
 default_ca = ca_settings
 preserve   = yes

 [ca_settings]
 dir             = ${ENV::CA_DIR}
 database        = $dir/${ENV::ID}-index.txt
 new_certs_dir   = $dir
 serial          = $dir/${ENV::ID}-serial
 certificate     = $dir/${ENV::ID}.pem
 private_key     = $dir/${ENV::ID}.key
 RANDFILE        = $dir/rand
 default_md      = sha256
 default_days    = 3650
 policy          = policy_anything
 unique_subject  = no
 copy_extensions = copy

 [policy_anything]
 # Default signing policy
 countryName            = optional
 stateOrProvinceName    = optional
 localityName           = optional
 organizationName       = optional
 organizationalUnitName = optional
 commonName             = optional
 emailAddress           = optional

 [req]
 default_bits       = 2048
 default_md         = sha256
 string_mask        = utf8only
 prompt             = no
 encrypt_key        = no
 distinguished_name = req_env_dn

 [user_cert]
 # Extensions to add when signing a request for an EE cert
 basicConstraints = critical, CA:false
 extendedKeyUsage = serverAuth,clientAuth

 [san_user_cert]
 subjectAltName = email:santest@example.com,otherName:msUPN;UTF8:santest@ad.corp.example.com

 [ca_cert]
 # Extensions to add when signing a request for an intermediate/CA cert
 basicConstraints = critical, CA:true
 keyUsage         = critical, keyCertSign, cRLSign

 [req_env_dn]
 CN = ${ENV::COMMON_NAME}
	ID=1
	CA_DIR=out

	[ca]
	default_ca = ca_settings
	preserve = yes

	[ca_settings]
	dir = ${ENV::CA_DIR}
	database = $dir/${ENV::ID}-index.txt
	new_certs_dir = $dir
	serial = $dir/${ENV::ID}-serial
	certificate = $dir/${ENV::ID}.pem
	private_key = $dir/${ENV::ID}.key
	RANDFILE = $dir/rand
	default_md = sha256
	default_days = 3650
	policy = policy_anything
	unique_subject = no
	copy_extensions = copy

	[policy_anything]
	# Default signing policy
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = optional
	emailAddress = optional

	[req]
	default_bits = 2048
	default_md = sha256
	string_mask = utf8only
	prompt = no
	encrypt_key = no
	distinguished_name = req_env_dn

	[user_cert]
	# Extensions to add when signing a request for an EE cert
	basicConstraints = critical, CA:false
	extendedKeyUsage = serverAuth,clientAuth

	[san_user_cert]
	subjectAltName = email:santest@example.com,otherName:msUPN;UTF8:santest@ad.corp.example.com

	[ca_cert]
	# Extensions to add when signing a request for an intermediate/CA cert
	basicConstraints = critical, CA:true
	keyUsage = critical, keyCertSign, cRLSign

	[req_env_dn]
	CN = ${ENV::COMMON_NAME}