src/net/data/ssl/scripts/redundant-ca.cnf - cobalt - Git at Google

 CA_DIR = out

 [ca]
 default_ca = CA_root
 preserve   = yes

 # The default test root, used to generate certificates and CRLs.
 [CA_root]
 dir           = ${ENV::CA_DIR}
 database      = ${dir}/${ENV::CERTIFICATE}-index.txt
 new_certs_dir = ${dir}
 serial        = ${dir}/${ENV::CERTIFICATE}-serial
 certificate   = ${dir}/${ENV::CERTIFICATE}.pem
 private_key   = ${dir}/${ENV::CERTIFICATE}.key
 RANDFILE      = ${dir}/rand
 default_days     = 3650
 default_crl_days = 30
 default_md       = sha256
 policy           = policy_anything
 unique_subject   = no

 [user_cert]
 # Extensions to add when signing a request for an EE cert
 basicConstraints       = critical, CA:false
 subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always
 extendedKeyUsage       = serverAuth,clientAuth
 subjectAltName         = IP:127.0.0.1

 [ca_cert]
 # Extensions to add when signing a request for an intermediate/CA cert
 basicConstraints       = critical, CA:true
 subjectKeyIdentifier   = hash
 keyUsage               = critical, keyCertSign, cRLSign

 [ca_cert_with_aki]
 # Extensions to add when signing a request for an intermediate/CA cert
 basicConstraints       = critical, CA:true
 subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always
 keyUsage               = critical, keyCertSign, cRLSign


 [crl_extensions]
 # Extensions to add when signing a CRL
 authorityKeyIdentifier = keyid:always

 [policy_anything]
 # Default signing policy
 countryName            = optional
 stateOrProvinceName    = optional
 localityName           = optional
 organizationName       = optional
 organizationalUnitName = optional
 commonName             = optional
 emailAddress           = optional

 [req]
 # The request section used to generate certificate requests.
 default_bits       = 2048
 default_md         = sha256
 string_mask        = utf8only
 prompt             = no
 encrypt_key        = no
 distinguished_name = req_env_dn

 [req_env_dn]
 CN = ${ENV::CA_COMMON_NAME}
	CA_DIR = out

	[ca]
	default_ca = CA_root
	preserve = yes

	# The default test root, used to generate certificates and CRLs.
	[CA_root]
	dir = ${ENV::CA_DIR}
	database = ${dir}/${ENV::CERTIFICATE}-index.txt
	new_certs_dir = ${dir}
	serial = ${dir}/${ENV::CERTIFICATE}-serial
	certificate = ${dir}/${ENV::CERTIFICATE}.pem
	private_key = ${dir}/${ENV::CERTIFICATE}.key
	RANDFILE = ${dir}/rand
	default_days = 3650
	default_crl_days = 30
	default_md = sha256
	policy = policy_anything
	unique_subject = no

	[user_cert]
	# Extensions to add when signing a request for an EE cert
	basicConstraints = critical, CA:false
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always
	extendedKeyUsage = serverAuth,clientAuth
	subjectAltName = IP:127.0.0.1

	[ca_cert]
	# Extensions to add when signing a request for an intermediate/CA cert
	basicConstraints = critical, CA:true
	subjectKeyIdentifier = hash
	keyUsage = critical, keyCertSign, cRLSign

	[ca_cert_with_aki]
	# Extensions to add when signing a request for an intermediate/CA cert
	basicConstraints = critical, CA:true
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always
	keyUsage = critical, keyCertSign, cRLSign


	[crl_extensions]
	# Extensions to add when signing a CRL
	authorityKeyIdentifier = keyid:always

	[policy_anything]
	# Default signing policy
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = optional
	emailAddress = optional

	[req]
	# The request section used to generate certificate requests.
	default_bits = 2048
	default_md = sha256
	string_mask = utf8only
	prompt = no
	encrypt_key = no
	distinguished_name = req_env_dn

	[req_env_dn]
	CN = ${ENV::CA_COMMON_NAME}