# OpenSSL `ca` configuration for the CA kept under /srv/ca/class3.
# The page delivered this file collapsed onto one line; in that form everything
# after the first '#' is a comment. Line breaks are restored here, values are unchanged.

[ ca ]
default_ca = CA_default  # The default ca section

[ CA_default ]
dir = /srv/ca/class3  # Where everything is kept
certs = $dir/certs  # Where the issued certs are kept
crl_dir = $dir/crl  # Where the issued CRLs are kept
database = $dir/index.txt  # database index file.
new_certs_dir = $dir/newcerts  # default place for new certs.
certificate = $dir/ca.crt.pem  # The CA certificate
serial = $dir/serial  # The current serial number
crl = $dir/crl.pem  # The current CRL
# NOTE(review): the CA signing key is read from a file under $dir/private.
# Keep that directory readable only by the account that runs `openssl ca`,
# and confirm whether the key file itself is passphrase-protected.
private_key = $dir/private/ca.key.pem  # The private key
RANDFILE = $dir/private/.rand  # private random number file
x509_extensions = usr_cert  # The extensions to add to the cert
default_days = 200  # how long to certify for
default_crl_days = 30  # how long before next CRL
default_md = sha512  # which md to use.
# With preserve = no the subject DN is reordered to follow the policy section,
# and DN fields the policy does not list are dropped.
preserve = no  # keep passed DN ordering
# copy_extensions is not set in this section; OpenSSL's default is "none",
# so extensions carried in the request are not copied into the certificate.
# crl_extensions is not set either, so CRLs are issued without extensions (V1)
# unless it is supplied elsewhere -- confirm.
policy = policy_anything

# Every subject field is optional, so this policy rejects no request on the
# basis of its DN. Whatever the request carries in these fields is signed;
# subject validation has to happen before the request reaches `openssl ca`.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

# Extensions written into every certificate issued through CA_default.
[ usr_cert ]
# Critical CA:FALSE -- issued certificates cannot act as CAs.
basicConstraints = critical,CA:FALSE
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
# NOTE(review): msSGC and nsSGC are legacy "server gated crypto" usages and are
# unusual next to emailProtection/clientAuth on an end-user profile; confirm
# they are still required.
extendedKeyUsage = emailProtection,clientAuth,msEFS,msSGC,nsSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
# NOTE(review): the CRL host is under .localhost, which relying parties on other
# machines cannot reach; this looks like a test/development value -- confirm
# before issuing certificates that must be revocation-checked.
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
# Copies the e-mail address(es) from the subject DN into subjectAltName.
# emailAddress is optional and unchecked by the policy above, so the address
# is taken from the request as submitted.
subjectAltName = email:copy

# No keys are visible for this section here (the page may be cut off), and
# nothing in the visible CA_default section refers to it.
[ crl_ext ]