ssl/scripts/redundant-ca.cnf

CA_DIR = out

[ca]
default_ca = CA_root
preserve   = yes

# The default test root, used to generate certificates and CRLs.
[CA_root]
dir           = ${ENV::CA_DIR}
database      = ${dir}/${ENV::CERTIFICATE}-index.txt
new_certs_dir = ${dir}
serial        = ${dir}/${ENV::CERTIFICATE}-serial
certificate   = ${dir}/${ENV::CERTIFICATE}.pem
private_key   = ${dir}/${ENV::CERTIFICATE}.key
RANDFILE      = ${dir}/rand
default_days     = 3650
default_crl_days = 30
default_md       = sha256
policy           = policy_anything
unique_subject   = no

[user_cert]
# Extensions to add when signing a request for an EE cert
basicConstraints       = critical, CA:false
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage       = serverAuth,clientAuth

[ca_cert]
# Extensions to add when signing a request for an intermediate/CA cert
basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
#authorityKeyIdentifier = keyid:always
keyUsage               = critical, keyCertSign, cRLSign

[crl_extensions]
# Extensions to add when signing a CRL
authorityKeyIdentifier = keyid:always

[policy_anything]
# Default signing policy
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = optional
emailAddress           = optional

[req]
# The request section used to generate certificate requests.
default_bits       = 2048
default_md         = sha256
string_mask        = utf8only
prompt             = no
encrypt_key        = no
distinguished_name = req_env_dn

[req_env_dn]
CN = ${ENV::CA_COMMON_NAME}