CA_DIR=out
CA_NAME=policy-root

[ca]
default_ca = CA_root
preserve   = yes

[CA_root]
dir           = ${ENV::CA_DIR}
key_size      = 2048
algo          = sha1
database      = $dir/${ENV::CA_NAME}-index.txt
new_certs_dir = $dir
serial        = $dir/${ENV::CA_NAME}-serial
certificate   = $dir/${ENV::CA_NAME}.pem
private_key   = $dir/${ENV::CA_NAME}.key
RANDFILE      = $dir/.rand
default_days     = 3650
default_crl_days = 30
default_md       = sha1
policy           = policy_anything
unique_subject   = no
copy_extensions  = copy

[user_cert]
basicConstraints       = critical, CA:false
extendedKeyUsage       = serverAuth, clientAuth
certificatePolicies    = 1.2.3.4

[ca_cert]
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, keyCertSign, cRLSign

[intermediate_cert]
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
policyConstraints      = requireExplicitPolicy:0
certificatePolicies    = 1.2.3.4, 1.2.3.4.5, 1.2.3.5

[policy_anything]
# Default signing policy
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = optional
emailAddress           = optional

[req]
default_bits       = 2048
default_md         = sha1
string_mask        = utf8only
prompt             = no
encrypt_key        = no
distinguished_name = req_env_dn

[req_env_dn]
CN = ${ENV::COMMON_NAME}