# OpenSSL configuration for a small test CA ("policy-root").
# Presumably passed to `openssl ca` / `openssl req` via -config by a wrapper
# script; the sections below are selected with -extensions / -name.
#
# Top-level assignments are fallbacks: ${ENV::CA_DIR} / ${ENV::CA_NAME} resolve
# from the process environment first and fall back to these values when the
# variable is unset.
CA_DIR=out
CA_NAME=policy-root

# Entry point for `openssl ca`: which section holds the CA settings.
[ca]
default_ca = CA_root
# Keep the DN attribute order exactly as it appears in the request.
preserve = yes

# Settings for the signing CA. All file paths are derived from CA_DIR/CA_NAME,
# so one config serves several CA names by changing the environment.
[CA_root]
dir = ${ENV::CA_DIR}
# NOTE(review): key_size and algo are not options read by `openssl ca` itself;
# presumably the wrapper script reads them when generating keys — confirm.
key_size = 2048
algo = sha256
database = $dir/${ENV::CA_NAME}-index.txt
new_certs_dir = $dir
serial = $dir/${ENV::CA_NAME}-serial
certificate = $dir/${ENV::CA_NAME}.pem
private_key = $dir/${ENV::CA_NAME}.key
RANDFILE = $dir/.rand
# Certificate lifetime in days (10 years); applies to every cert signed with
# this section unless -days overrides it.
default_days = 3650
# CRL lifetime in days.
default_crl_days = 30
default_md = sha256
# DN policy applied to incoming requests (see [policy_anything]).
policy = policy_anything
# Allow several valid certificates with the same subject (re-issue / testing).
unique_subject = no
# Extensions present in the CSR are copied into the certificate unless the
# selected extension section already defines them; the per-section
# basicConstraints entries below therefore always win over what a CSR asks for.
copy_extensions = copy

# End-entity (leaf) certificate extensions.
[user_cert]
# Pinned to CA:false so a CSR cannot obtain a CA certificate through
# copy_extensions.
basicConstraints = critical, CA:false
extendedKeyUsage = serverAuth, clientAuth
# Test policy OID (constructed value, not a registered policy).
certificatePolicies = 1.2.3.4

# Self-signed root CA certificate extensions.
[ca_cert]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign

# Intermediate CA certificate extensions (policy-constrained).
[intermediate_cert]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
# requireExplicitPolicy:0 — every certificate from this one downward must
# carry an acceptable certificatePolicies entry for path validation to pass.
policyConstraints = requireExplicitPolicy:0
# Test policy OIDs (constructed values).
certificatePolicies = 1.2.3.4, 1.2.3.4.5, 1.2.3.5

# Default signing policy: no DN attribute is required or matched against the
# CA certificate, so any subject is accepted.
[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

# Settings for `openssl req` (key and CSR generation).
[req]
default_bits = 2048
default_md = sha256
string_mask = utf8only
# Non-interactive: the subject comes from [req_env_dn], nothing is prompted.
prompt = no
# Private keys are written unencrypted (test CA; keep the output directory
# out of version control).
encrypt_key = no
distinguished_name = req_env_dn

# Subject DN for requests. Unlike CA_DIR/CA_NAME there is no fallback
# assignment for COMMON_NAME, so it must be set in the environment or
# `openssl req` fails to resolve the variable.
[req_env_dn]
CN = ${ENV::COMMON_NAME}