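# OpenSSL `ca` configuration for the CA kept under /srv/ca/class3.
# Line breaks are restored: with the file collapsed onto one line, everything
# after the first '#' would be read as a comment.

[ ca ]
# Name of the section that holds the default CA settings.
default_ca = CA_default

[ CA_default ]
# Base directory; every path below is relative to it.
dir = /srv/ca/class3
# Where the issued certificates are kept.
certs = $dir/certs
# Where the issued CRLs are kept.
crl_dir = $dir/crl
# Database index file.
database = $dir/index.txt
# Default place for new certificates.
new_certs_dir = $dir/newcerts
# The CA certificate.
certificate = $dir/ca.crt.pem
# The current serial number.
serial = $dir/serial
# The current CRL.
crl = $dir/crl.pem
# The CA private key. Keep this file and its directory readable only by the
# account that runs the CA.
private_key = $dir/private/ca.key.pem
# Private random number file.
RANDFILE = $dir/private/.rand

# Section with the extensions added to every issued certificate.
x509_extensions = usr_cert

# How long to certify for, in days.
default_days = 180
# Days until the next CRL is due.
default_crl_days = 30
# Message digest used for signing.
default_md = sha512
# Do not keep the DN ordering passed in the request.
preserve = no

# Subject-DN policy section applied to incoming requests.
policy = policy_anything

[ policy_anything ]
# Both attributes are optional, so a request is accepted with either, both or
# neither present. Subject-DN attributes not listed here are dropped from the
# issued certificate.
commonName = optional
# NOTE(review): in a policy section this names a subject-DN attribute; it does
# not add a subjectAltName extension. Confirm that is the intent.
subjectAltName = optional

[ usr_cert ]
# Issued certificates are end-entity certificates: the keyUsage below has no
# keyCertSign and the extendedKeyUsage is client/server authentication.
# The previous value, CA:TRUE, marked every issued certificate as a CA, which
# a validator that checks only basicConstraints would accept as an issuer.
basicConstraints = critical,CA:FALSE
# NOTE(review): nsSGC and msSGC are legacy server-gated-crypto values; confirm
# they are still required.
extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
keyUsage = digitalSignature,keyEncipherment
# Revocation information published in each issued certificate.
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl

[ crl_ext ]
# No CRL extensions are defined, and no crl_extensions key in [ CA_default ]
# refers to this section in the visible part of the file.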