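# OpenSSL configuration for a small private CA: root, intermediate and VPN
# signing profiles plus request/extension profiles for leaf certificates.
# Read with `openssl ca -config <file> [-name <CA_section>]` and
# `openssl req -config <file>`.  Full-line comments start with #.
# Keys that appear before the first [ section ] header live in OpenSSL's
# unnamed default section; a section that lacks a key falls back to them.

HOME = .
# $ENV::HOME reads the process environment, not the HOME key above.
# NOTE(review): RANDFILE is not used for seeding by OpenSSL 1.1.1 and later;
# it is also assigned again further down with a different path - confirm which
# one is wanted (the later assignment is expected to win).
RANDFILE = $ENV::HOME/.rnd
# Section holding the private OIDs used by the extension profiles below.
oid_section = new_oids

# NOTE(review): this header is commented out, so the CA settings that follow
# are global.  [ CA_root ], [ CA_VPN ] and [ CA_intermediate ] define no
# certs/database/private_key of their own and reach these values only through
# the default-section fall-back - confirm before uncommenting or moving it.
#[ CA_default ]
# Root of the CA working tree; $dir is expanded when each referencing line
# is parsed.
dir = ./CA
certs = $dir/certs
crl_dir = $dir/crl
# Issued-certificate index.  With unique_subject = yes a new certificate for
# a subject that already has a valid entry is refused until that entry is
# revoked or expired.
database = $dir/index.txt
unique_subject = yes
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $crl_dir/crlnumber
crl = $crl_dir/crl.pem
# CA signing key; keep $dir/private readable by the CA operator only.
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
# Validity in days for every certificate signed through this file, including
# intermediate CA certificates, unless overridden with `openssl ca -days`.
default_days = 825
# CRL validity in days; a fresh CRL must be published before this elapses.
default_crl_days = 30
# Signature digest; do not lower this to sha1 or md5.
default_md = sha256
preserve = no
# DN policy applied to incoming requests (see [ policy_match ]).
policy = policy_match

# Section consulted when `openssl ca` is run without -name.
[ ca ]
default_ca = CA_default

# Private OIDs.  The tsa_* values look like placeholders in the 1.2.3.4 arc
# and are not referenced elsewhere in this file; iKEIntermediate is the
# extended key usage selected by [ vpn_cert ].
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
iKEIntermediate = 1.3.6.1.5.5.8.2.2

# Request DN must carry the same C, ST and O as the CA certificate; CN is
# mandatory, OU and e-mail are free.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Relaxed policy: only CN is mandatory.  Not selected by default; use
# `openssl ca -policy policy_anything` to apply it.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# NOTE(review): repeats the global CA settings above (minus dir) with the
# same values; $dir here resolves through the default section.  The two
# copies have to be kept in sync by hand - consider consolidating.
[ CA_default ]
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = yes
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $crl_dir/crlnumber
crl = $crl_dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
default_days = 825
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_match

# Root CA profile: `openssl ca -name CA_root`.  Paths and key come from the
# default section.
[ CA_root ]
x509_extensions = root_extensions

# Extensions for a root certificate: a CA with at most one CA level below it,
# restricted to signing certificates and CRLs.
[ root_extensions ]
basicConstraints = critical, CA:TRUE, pathlen:1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, cRLSign, keyCertSign

# VPN CA profile: `openssl ca -name CA_VPN`.
# NOTE(review): `dir = ./rootCA` is not expected to take effect - the path
# keys (certs, database, private_key, ...) are inherited from the default
# section, where $dir was already expanded to ./CA.  Confirm; if a separate
# tree is intended, spell out the path keys in this section.
[ CA_VPN ]
dir = ./rootCA
x509_extensions = intermediate_extensions
# Extensions present in the CSR and not set by intermediate_extensions are
# copied into the certificate as requested; review requests before signing.
copy_extensions = copy

# Intermediate CA profile: `openssl ca -name CA_intermediate`.
[ CA_intermediate ]
x509_extensions = intermediate_extensions
# See the note on copy_extensions in [ CA_VPN ].
copy_extensions = copy

# Extensions for an intermediate CA: may sign leaf certificates only
# (pathlen:0).
[ intermediate_extensions ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, cRLSign, keyCertSign

# Defaults for `openssl req`.
[ req ]
# RSA key size in bits for newly generated keys.
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions added when req is run with -x509 (self-signed certificate).
x509_extensions = v3_ca
# Encode DN strings as UTF8String only.
string_mask = utf8only

# Prompts, defaults and length limits for the request DN.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Noord-Brabant
localityName = Locality Name (eg, city)
localityName_default = Veldhoven
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Dierkse DataManagement
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Secure Digital Certificate Signing
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = certification@dierkse.nl
emailAddress_max = 64

# Request attributes; every entry is commented out, so requests carry none.
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

# Extensions for a self-signed certificate made with `req -x509`.
# NOTE(review): weaker than [ root_extensions ] (basicConstraints not
# critical, no keyUsage) - confirm which profile actually produces the root.
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# Leaf profiles below are selected with `openssl ca -extensions <section>`.

# TLS server certificate.
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth

# TLS client certificate.
[ client_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth

# S/MIME certificate.
[ email_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Marked critical like the sibling profiles (the flag was previously
# misspelled, which OpenSSL rejects as an unknown usage).
extendedKeyUsage = critical, emailProtection

# General-purpose certificate.
# NOTE(review): no extendedKeyUsage, so use is limited only by keyUsage -
# confirm this is intended.
[ application_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# IPsec/IKE endpoint certificate.
# NOTE(review): unlike the other leaf profiles no keyUsage is set here -
# confirm this is intended.
[ vpn_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
extendedKeyUsage = critical, iKEIntermediate
#extendedKeyUsage = critical, serverAuth, iKEIntermediate

# Disabled template for a VPN request section carrying a subjectAltName.
# [ vpn_req_extensions ]
# subjectAltName = @vpn_san
# [ vpn_san ]
# #DNS.1 = vpn.dierkse.nl
# DNS.1 = iphone6plus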