view contrib/ca_script2/openssl.cnf @ 262:cc2c568ef319

Missing affectation
author Sebastien Decugis <sdecugis@nict.go.jp>
date Fri, 16 Apr 2010 17:58:52 +0900
parents 994f14da7776

# Note: this file only works when the environment variable CA_ROOT_DIR is
# defined and points to the CA top-level directory. It is read in
# [ CA_default ] as $ENV::CA_ROOT_DIR and has no fallback value in this file.

# Fallback value for $ENV::HOME when HOME is not set in the environment.
HOME = .
# Random seed file.
RANDFILE = $ENV::HOME/.rnd

# Name of the section that holds additional OID definitions.
oid_section = new_oids

# No extra OIDs are defined.
[ new_oids ]


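####################################################################
# Settings for the certificate request command (key and CSR generation,
# and self-signed certificates).
[ req ]
# RSA key size used when a new key is generated. 1024-bit RSA is no longer
# considered adequate; 2048 bits is the common minimum.
default_bits		= 2048
# Digest used to sign requests and self-signed certificates. Set explicitly
# so the result does not depend on the library's built-in default.
default_md		= sha256
# default_keyfile 	= privkey.pem
# Emit only UTF8String values in the subject.
string_mask 		= utf8only

# Sections describing the subject prompts and the request attributes.
distinguished_name	= req_distinguished_name
attributes		= req_attributes
req_extensions 		= v3_req    # overwrite with -reqexts
x509_extensions		= ca_cert   # overwrite with -extensions; used for self-signed keys only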

# Subject fields prompted for when building a request, with their defaults.
# The "0." / "1." prefixes allow organizationName to appear twice.
# NOTE(review): commonName is not listed here although [ policy_anything ]
# marks it as "supplied" -- presumably the calling script passes the subject
# on the command line; confirm against the CA scripts.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Tokyo
localityName = Locality Name (eg, city)
localityName_default = Koganei
0.organizationName = Organization Name (eg, company)
0.organizationName_default = WIDE
1.organizationName = Second Organization Name (eg, company)
1.organizationName_default = NICT
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = AAA WG testbed

# Optional attributes carried in the request itself.
# The challenge password (0 to 20 characters) is stored unencrypted in the
# request, so it must not be a secret that is reused elsewhere.
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 0
challengePassword_max = 20
unstructuredName = An optional company name

# Extensions placed in an end-entity certificate request (default for
# req_extensions in [ req ]).
# [ CA_default ] sets no copy_extensions, so the ca command should not copy
# these into the issued certificate; it applies its own x509_extensions.
[ v3_req ]
# The requested certificate is not a CA.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Extensions placed in a certificate request for a CA.
# A request asking for CA:TRUE grants nothing by itself: [ CA_default ] sets
# no copy_extensions, so the issued certificate should only get the
# extensions chosen at signing time.
[ v3_req_ca ]
basicConstraints = CA:TRUE


####################################################################
# Settings for the ca command.
[ ca ]
# The default ca section
default_ca = CA_default

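[ CA_default ]

# Root of the CA tree; taken from the environment, so CA_ROOT_DIR must be set.
dir		= $ENV::CA_ROOT_DIR	# Where everything is kept
certs		= $dir/public		# Where the issued certs are kept
crl_dir		= $dir/public		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certificates with same subject.
new_certs_dir	= $dir/public		# default place for new certs.

certificate	= $dir/public/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
crl		= $dir/public/local.pem 		# The current CRL
# Unlike the certificates and CRL under public/, the CA signing key lives under
# private/; keep that directory readable only by the account running the CA.
private_key	= $dir/private/cakey.pem	# The private key
x509_extensions	= usr_cert		# The extensions to add to the cert
					# overwrite with -extensions
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options
crl_extensions	= crl_ext

# 3650 days is a long lifetime for issued certificates; it suits a testbed,
# a real deployment would normally shorten it.
default_days	= 3650			# how long to certify for
default_crl_days= 365			# how long before next CRL
# SHA-1 signatures are collision-prone and rejected by current verifiers,
# so certificates and CRLs are signed with SHA-256.
default_md	= sha256		# which md to use.
preserve	= no			# keep passed DN ordering

# We accept to sign anything, but a real deployment would limit to proper domain etc...
policy			= policy_anything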

# Subject policy applied by the ca command: only commonName must be present
# in the request; every other field may be present or absent, and nothing is
# required to match the CA's own subject.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Extensions the ca command adds to issued certificates by default
# (x509_extensions in [ CA_default ]).
[ usr_cert ]
# Issued certificates cannot act as a CA.
basicConstraints = CA:FALSE
# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Extensions for a typical CA (used by [ req ] for self-signed certificates).
[ ca_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Remove "critical," in case of problems
basicConstraints = critical,CA:true
# The key may only sign certificates and CRLs.
keyUsage = cRLSign, keyCertSign
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# CRL extensions (crl_extensions in [ CA_default ]).
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
[ crl_ext ]
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
