| CA_DIR=out |
| CA_NAME=policy-root |
| SAN=policy_test.example |
| |
| [ca] |
| default_ca = CA_root |
| preserve = yes |
| |
| [CA_root] |
| dir = ${ENV::CA_DIR} |
| key_size = 2048 |
| algo = sha256 |
| database = $dir/${ENV::CA_NAME}-index.txt |
| new_certs_dir = $dir |
| serial = $dir/${ENV::CA_NAME}-serial |
| certificate = $dir/${ENV::CA_NAME}.pem |
| private_key = $dir/${ENV::CA_NAME}.key |
| RANDFILE = $dir/.rand |
| default_days = 3650 |
| default_crl_days = 30 |
| default_md = sha256 |
| policy = policy_anything |
| unique_subject = no |
| copy_extensions = copy |
| |
| [user_cert] |
| basicConstraints = critical, CA:false |
| extendedKeyUsage = serverAuth, clientAuth |
| certificatePolicies = 1.2.3.4 |
| subjectAltName = DNS:${ENV::SAN} |
| |
| [ca_cert] |
| basicConstraints = critical, CA:true |
| keyUsage = critical, digitalSignature, keyCertSign, cRLSign |
| |
| [intermediate_cert] |
| basicConstraints = critical, CA:true |
| keyUsage = critical, digitalSignature, keyCertSign, cRLSign |
| policyConstraints = requireExplicitPolicy:0 |
| certificatePolicies = 1.2.3.4, 1.2.3.4.5, 1.2.3.5 |
| |
| [policy_anything] |
| # Default signing policy |
| countryName = optional |
| stateOrProvinceName = optional |
| localityName = optional |
| organizationName = optional |
| organizationalUnitName = optional |
| commonName = optional |
| emailAddress = optional |
| |
| [req] |
| default_bits = 2048 |
| default_md = sha256 |
| string_mask = utf8only |
| prompt = no |
| encrypt_key = no |
| distinguished_name = req_env_dn |
| |
| [req_env_dn] |
| CN = ${ENV::COMMON_NAME} |
| |