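# Example root CA configuration
# this CA should only be used to sign sub CAs
#
# Author: Jan Dittberner
# Date: 2015-02-03
#
# Read by "openssl ca" (default CA section chosen via [ ca ]).  Everything
# lives under $ENV::HOME/rootca; the private/ directory and the key in it
# must only be readable by the CA operator and the machine should stay
# offline, since this key anchors every sub CA below it.

# Seed file for commands that only read the default section (e.g. openssl req).
# NOTE(review): recent OpenSSL releases seed from the OS and may ignore it.
RANDFILE = $ENV::HOME/rootca/.rnd

# Extension section looked up in the default section by commands such as
# "openssl x509 -extfile <this file>" when no -extensions option is given.
# NOTE(review): no [ v3_ext ] section exists in this file, so such a call
# fails to load its extensions; define the section or point this at an
# existing one (e.g. subca_cert) before relying on it.
extensions = v3_ext

[ ca ]
# name of the default CA section
default_ca = EXAMPLEROOT

[ EXAMPLEROOT ]
# On-disk layout of the root CA
dir = $ENV::HOME/rootca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt.pem
serial = $dir/serial
crl = $dir/crl.pem
# Root CA private key: file mode 0600, directory 0700, never copied elsewhere.
private_key = $dir/private/ca.key.pem
RANDFILE = $dir/private/.rand

# More than one valid certificate may share a subject, so a sub CA can be
# re-issued (renewed) without revoking the previous certificate first.
unique_subject = no
# The email address goes into subjectAltName (see subca_cert), not the DN.
email_in_dn = no
# DN rules every sub CA request must satisfy
policy = policy_exampleroot
# extensions added to every certificate this CA issues
x509_extensions = subca_cert

# certificates are valid for 5 years
default_days = 1825
# a fresh CRL must be published at least every 30 days
default_crl_days = 30
default_md = sha256

# Extensions carried in the CSR are copied into the certificate unless the
# same extension is set in x509_extensions above (the configured value then
# wins).  A CSR can therefore still introduce any extension NOT listed in
# subca_cert (extendedKeyUsage, nameConstraints, certificatePolicies, ...),
# so inspect each request with "openssl req -text -noout" before signing, or
# set this to "none" if request extensions are never wanted.
copy_extensions = copy

[ policy_exampleroot ]
# C, ST and O must equal the root's own values; OU and CN must be present.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

[ subca_cert ]
# The sub CA may issue end-entity certificates only (pathlen:0 forbids
# further sub CAs below it).
basicConstraints = critical, CA:true, pathlen:0
# Signing certificates and CRLs is all a CA key should do.
keyUsage = critical, keyCertSign, cRLSign
# Legacy Netscape extension, informational only.
nsComment = "Example Root CA signed Sub CA certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
# keyid is what RFC 5280 requires; issuer:always additionally embeds the
# root's issuer name and serial, which pins the chain to this exact root
# certificate and can complicate a later root re-issue or cross-sign.
authorityKeyIdentifier = keyid:always,issuer:always

# Include email address in subject alt name: another PKIX recommendation
subjectAltName = email:copy
issuerAltName = issuer:copy

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# NOTE(review): nothing above references this section; it is only applied
# when "openssl ca -gencrl -crlexts crl_ext" is used or crl_extensions is
# set in the CA section.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always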