diff --git a/subca.conf b/subca.conf
new file mode 100644
index 0000000..fe77f52
--- /dev/null
+++ b/subca.conf
@@ -0,0 +1,80 @@
+# Example Sub CA configuration
+# this CA should be used to sign client and server certificates
+#
+# Author: Jan Dittberner
+# Date: 2011-05-04
+
+RANDFILE = $ENV::HOME/subca/.rnd
+
+extensions = v3_ext
+
+[ ca ]
+default_ca = EXAMPLESUBCA # name of the default CA section
+
+[ EXAMPLESUBCA ]
+dir = $ENV::HOME/subca
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/ca.crt.pem
+serial = $dir/serial
+crl = $dir/crl.pem
+private_key = $dir/private/ca.key.pem
+RANDFILE = $dir/private/.rand
+unique_subject = no
+
+email_in_dn = no
+policy = policy_examplesub
+x509_extensions = client_cert
+
+# certificates are valid for 1 year
+default_days = 365
+default_crl_days= 1
+default_md = sha256
+
+copy_extensions = copy
+
+[ policy_examplesub ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = supplied
+commonName = supplied
+emailAddress = optional
+
+[ client_cert ]
+basicConstraints = critical, CA:false
+keyUsage = keyEncipherment,digitalSignature
+extendedKeyUsage = clientAuth
+nsComment = "Example Sub CA signed client certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName = email:copy
+issuerAltName = issuer:copy
+
+[ server_cert ]
+basicConstraints = critical, CA:false
+keyUsage = keyEncipherment,digitalSignature
+extendedKeyUsage = serverAuth
+nsComment = "Example Sub CA signed server certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName = email:copy
+issuerAltName = issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier = keyid:always,issuer:always
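Review bot: In `[ server_cert ]` the fixed `subjectAltName = email:copy` combines badly with `copy_extensions = copy` in the CA section: OpenSSL copies a CSR extension only when the extension section does not already define it, so any DNS or IP SAN a server CSR requests is discarded and the issued server certificate carries only an email SAN, which clients that match the hostname against the SAN will reject. Dropping the `subjectAltName` line from `[ server_cert ]` (keeping it in `[ client_cert ]`) lets the CSR's SAN through; the flip side of `copy_extensions = copy` is that CSR extensions not pinned in the section (nameConstraints, crlDistributionPoints, certificatePolicies and the like) are copied unreviewed, so a comment next to that line stating that every CSR must be inspected before signing would help the next operator. Two smaller points: `keyUsage` in both sections is not marked critical as RFC 5280 recommends (`keyUsage = critical,keyEncipherment,digitalSignature`), and the top-level `extensions = v3_ext` names a section this file never defines, so any tool that honours that setting will fail to load it.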