emailAddress = optional
[ req ]
-default_bits = 1024
+default_bits = 4096
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
+input_password = demo
+output_password = demo
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request
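Review bot: The added `input_password = demo` and `output_password = demo` lines store the private-key passphrase in clear text in the configuration file, so anyone who can read this file, or a repository it is committed to, can decrypt keys written with it. The comment above them still describes the prompting behaviour that these lines now disable. Unless this file is strictly a throwaway demo, keep both lines commented out and supply the passphrase at run time through `-passin`/`-passout` with an `env:` or `file:` source. In the same `[ req ]` section `default_bits` is raised to 4096 while `default_md = sha1` is left unchanged, so requests and self-signed certificates are still signed with SHA-1; `default_md = sha256` would match the stronger key size.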
#stateOrProvinceName = State or Province Name (full name)
#localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
-#organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
#stateOrProvinceName_default = Berlin
#localityName_default = Berlin
0.organizationName_default = Example
-#organizationalUnitName_default = Certificate Authorities
-commonName_default = Certificate Authority
+organizationalUnitName_default = Certificate Authorities
+commonName_default = Intermediate CA
[ req_attributes ]
#challengePassword = A challenge password
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = critical,CA:true
-# keyUsage = cRLSign, keyCertSign
-
-#subjectAltName=email:copy
-issuerAltName=issuer:copy
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ crl_ext ]
issuerAltName=issuer:copy
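Review bot: Nothing visible on this page selects the new `[ v3_intermediate_ca ]` section: `x509_extensions` in `[ req ]` still names `v3_ca`, which carries no `pathlen`, while `commonName_default` in this hunk now reads `Intermediate CA`. The `pathlen:0` constraint therefore presumably applies only when the signing command names the section explicitly, and the file does not say so. A comment above the section would make that visible, for example `# Applied only when selected with -extensions v3_intermediate_ca at signing time; [ req ] defaults to v3_ca.` It is also worth confirming that `digitalSignature` is needed in both `keyUsage` lines, since a CA key that only signs certificates and CRLs needs just `keyCertSign` and `cRLSign`.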