name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
crl_extensions = crl_ext
-default_days = 3650 # how long to certify for
+default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
organizationalUnitName = optional
-commonName = supplied
+commonName = optional
emailAddress = optional
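Review bot: With `commonName = optional` in `[ policy_match ]` (and again in `[ policy_anything ]` in the next hunk), the policy no longer requires any subject field, so `openssl ca` will sign a request whose DN is empty or entirely chosen by the requester. The context line `policy = policy_match` just above appears to make this the default policy, so it would apply to every signing run that does not pass `-policy`. If the goal is only to stop forcing country/state/organisation to equal the CA's own values, keep `commonName = supplied` in both sections. If SAN-only certificates are intended, say so in a comment above the policy and make sure the extension section in use sets `subjectAltName`.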
[ policy_anything ]
localityName = optional
organizationName = optional
organizationalUnitName = optional
-commonName = supplied
+commonName = optional
emailAddress = optional
[ req ]
-default_bits = 1024
+default_bits = 4096
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
+input_password = demo
+output_password = demo
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request
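Review bot: Uncommenting `input_password = demo` and `output_password = demo` stores the private-key passphrase in plaintext in the config, so anyone who can read this file or its history can decrypt `privkey.pem`; the `commonName_default = Intermediate CA` added later suggests that key belongs to a CA. Leave both lines commented out so `openssl req` prompts, or supply the passphrase at run time with `-passin`/`-passout` using an `env:` or `file:` source that is not committed. Separately, the hunk raises `default_bits` to 4096 but leaves `default_md = sha1` in `[ req ]`; `default_md = sha256` would match the stronger key.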
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
-stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName = State or Province Name (full name)
#localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
## DEFAULT VALUES
##
countryName_default = DE
-stateOrProvinceName_default = Berlin
+#stateOrProvinceName_default = Berlin
#localityName_default = Berlin
0.organizationName_default = Example
-organizationalUnitName_default = People
+organizationalUnitName_default = Certificate Authorities
+commonName_default = Intermediate CA
[ req_attributes ]
#challengePassword = A challenge password
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = critical,CA:true
-# keyUsage = cRLSign, keyCertSign
-
-subjectAltName=email:copy
-issuerAltName=issuer:copy
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
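Review bot: The new `[ v3_intermediate_ca ]` section is not referenced by any setting visible here (`x509_extensions` in `[ req ]` still points at `v3_ca`), so its `pathlen:0` constraint takes effect only when the signer selects the section explicitly. I would extend the section comment to say so, e.g. `# Select with: openssl ca -extensions v3_intermediate_ca (not applied by default)`. The CA section's own `x509_extensions` line is outside the visible context, so confirm which section it names.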
[ crl_ext ]
issuerAltName=issuer:copy